
Computers in Libraries, Vol. 42 No. 1, Jan/Feb 2022
FEATURE

Top Recommendations for Updating Your Library’s IT Security Plan
by H. Frank Cervone


Almost 2 years after the beginning of the pandemic, a lot has changed in the way we work and live. One of the most significant changes for IT and security is the rapid shift of many employees to remote working environments. For many, this means working from home (WFH) full-time; for others, it means a hybrid arrangement in which the work environment shifts between a traditional office and a remote location.

Because of this shift, the IT infrastructure in most organizations has had to adapt quickly. In the WFH context, the scope of an organization's network has expanded to include the home and other remote networks where workers are now located, and that expansion necessarily enlarges the organization's attack surface. At the same time, information security incidents in general have been escalating rapidly. With one study reporting that 78% of organizations had experienced at least one significant security exposure in the past year (Osterman Research 2019), the urgency of adapting security plans to the changed environment is high.

Another issue for libraries and information agencies is that many of the services we provide are outside of our direct control. Information resources and enterprise systems have moved from in-house to being hosted in the cloud and managed by third-party entities. Not only do we need to consider the potential impact these externally hosted systems might have on our network, we also need to plan for how a security incident in these external vendor networks could impact our operations.

An additional issue we need to consider is that societal expectations related to security and privacy are also rapidly changing. While people often espouse the need for a high level of privacy, many people think nothing of having a device in their home that controls the various appliances within it. Regardless of what particular device is used, they all collect a voluminous amount of detailed data related to our day-to-day habits and preferences, and people are more than willing to provide that information (Rao 2018). At the same time, providing this detailed information does not correspond with a willingness to have it used for other purposes (Ikeda 2020). Balancing these conflicting sets of expectations poses complex questions on how to meet the needs of our public while maintaining security and privacy.

Minimize the Highest Network Security Exposure

When thinking about network and IT security in general, we need to distinguish between how likely an exposure is and how severe its impact would be. A commonly occurring issue may have a relatively low impact on overall security; there, the bigger cost might be the staff time needed for remediation. Conversely, a rarely occurring issue with a major impact on system availability must be addressed to avoid catastrophic consequences. Dealing with these different categories of problems requires multiple approaches and a wide variety of stakeholders.

There is, however, one source of network exposure that is pervasive across all types of organizations: email (Spadafora 2020). Most security exposures, credential theft and data leakage among them, begin with a phishing email. Unlike in the past, phishing emails have become sophisticated and often exploit trusted relationships (for example, a message whose sender address or display name appears to be that of a co-worker). Phishing emails can lead to many different problems, including the following:

  • Computers being infected with malware, which can be used to infect other computers on the network
  • Sensitive or confidential information being accidentally leaked
  • User accounts being compromised when credentials are supplied in response to a bogus request

Recommendation: If you do not already have one, implement a security training program or information campaign. Focus on awareness of what constitutes a phishing email, since this is the greatest source of exposure.

Dealing With Vendor Systems

With the rapid growth of outsourced systems, ensuring the integrity and security of systems that vendors provide to the library is a critical component of overall network security. As a result of significant security obligations in industries such as healthcare and finance, as well as other areas of critical infrastructure, a number of security protocols and standards have been established. While libraries and information agencies have not traditionally focused on the implementation of these standards, we should. Any good practice related to IT is a good practice for libraries, regardless of its origin.

In the cloud computing realm, the current standard is to meet the requirements of a System and Organization Controls 2 (SOC 2) audit. “A SOC 2 audit report provides detailed information and assurance about a service organisation’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria),” according to IT Governance Ltd. (2021). A SOC 2 report is an auditor's attestation rather than a pass/fail certificate: a Type 1 report describes the controls in place at a point in time, whereas a Type 2 report covers whether those controls operated effectively over a period (typically 6 to 12 months). It is the Type 2 report that gives real assurance that your vendor both securely manages your organization’s data and protects its privacy. While SOC 2 compliance is not easy to establish, it is generally considered a minimum requirement for cloud-hosted systems.

Recommendation: Ask your vendors for a current SOC 2 report (preferably Type 2) to confirm the security and privacy of the information entrusted to them, and read its scope and any noted exceptions rather than filing the cover page. If a vendor has no SOC 2 report, ask it for evidence that it meets the same controls you would expect of your own internal systems (see the next section).

Ensuring Integrity of Internal Systems

A big advantage of internal systems is that we directly control and manage the environment. That is also a disadvantage, because it becomes the organization’s responsibility to put together a program that ensures compliance with legal and regulatory obligations. The distinction matters: legal obligations apply to all organizations, whereas regulatory obligations apply only to organizations in specific industries or engaged in specific activities.

For example, the PCI (payment card industry) Data Security Standard (DSS) is a regulatory-style requirement (strictly, a contractual one imposed through the card brands and acquiring banks) because it applies only to organizations that process, store, or transmit cardholder data. If your organization does not accept credit card payments, it is not a concern. Conversely, the Personal Information Protection Act (PIPA) in Illinois is a legal requirement because it applies to any organization operating in the state that holds personal information. It requires them to notify affected Illinois residents of a breach involving unencrypted personal information.

Recommendation: Libraries and other information organizations should work toward meeting the requirements in broadly applicable security standards (such as NIST SP 800-53 and ISO/IEC 27001). See the sidebar “Essential Security Standards to Adopt” below for more information.

At this point, you may be saying to yourself, “There is no way we can implement the NIST or ISO standards in our current environment.” You would not be alone in this feeling. Nonetheless, getting started in implementing good practices doesn’t require doing everything at once. Incremental improvements are better than doing nothing at all.

Bad Practices to Avoid

At a minimum, a starting point could be a critical-few approach to risk management, in which attention goes to the handful of most imperative issues that could compromise the security of a network or information system. Using this model, the Cybersecurity and Infrastructure Security Agency (CISA) has begun developing a list of bad practices (cisa.gov/BadPractices) that organizations should avoid. These are practices that are risky and dangerous but often tolerated because of higher-priority issues, a dearth of resources, or some other lack of commitment to addressing them. CISA urges all organizations to engage in urgent conversations to address these bad practices. They include the following:

  • Using unsupported (or end-of-life) software. This is a dangerous practice that significantly elevates the risk to the organization. It is especially significant for technologies that are reachable from the internet (e.g., servers running outdated open source packages, or web server software that has been deprecated).
  • Use of known, fixed, or default passwords and credentials. There is no excuse in today’s environment to allow this practice to continue in any context.
  • Using single-factor authentication for remote or administrative access to systems supporting critical infrastructure or operations. This is remediated by requiring multi-factor authentication (two or more factors) for all administrative services and for all access to sensitive data.

Recommendation: At a minimum, address the current CISA bad practices for all information systems in the organization.

Some Other Things to Address

As the threats related to information security increase, our approaches to security issues must be adapted. For example, since the 1990s, we have used IP-based authentication to provide access to subscription-based information resources. While this approach gives end users a good level of privacy (the publisher sees only that a request came from the library’s address range), it trusts every device on that range, including compromised ones; it maps poorly onto remote users, who must be tunneled through a proxy; and that proxy then becomes a target for stolen-credential abuse. As a result, federated authentication (such as via OpenAthens or InCommon) has become the norm rather than the exception. If your library has not already done so, investigate the options available to you for adopting a federated model.

Along with the federated model, plan to migrate to role-based access control (RBAC) rather than individual, one-off grants. Many organizations still apply security controls to a specific individual rather than to the role that person fills. Because the one-off approach is extremely difficult to manage and audit, good security practice is driving the move to the role-based model. It is more transparent: it is easier to determine the permissions a role has than to evaluate each person individually, and when someone changes jobs, reassigning their role removes the old permissions in one step.
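The following is an added example (not code from the article or from any library system) that puts the two models side by side: a per-user access list of the kind the one-off approach produces, and the same people under roles. The role names, permission strings, and user names are constructed for illustration and do not correspond to any product's real permission set.

```python
"""Role-based access control beside the one-off, per-user model it replaces.
Added example with constructed roles, users and permissions (the catalog,
patron and circulation names are illustrative, not any product's real set)."""
from typing import Dict, Set

# One-off model: permissions hang off individual people. Answering "who can export
# patron data?" means scanning every entry, and a job change means editing grants by hand.
LEGACY_ACL: Dict[str, Set[str]] = {
    "alice": {"catalog.search", "checkout.create", "patron.view"},
    "bob":   {"catalog.search", "checkout.create", "patron.view", "patron.export"},  # stale grant
    "carol": {"catalog.search", "patron.view", "patron.export", "system.admin"},
}

# RBAC model: permissions attach to roles; people are assigned roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "patron":      {"catalog.search", "account.view_own"},
    "circulation": {"catalog.search", "checkout.create", "patron.view"},
    "sysadmin":    {"catalog.search", "patron.view", "patron.export", "system.admin"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"circulation"},
    "bob":   {"circulation"},
    "carol": {"sysadmin"},
    "dave":  {"patron"},
}


def permissions_for(user: str) -> Set[str]:
    """Effective permissions are the union of the user's roles; unknown users get nothing."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, permission: str) -> bool:
    """The single check every enforcement point calls; deny by default."""
    return permission in permissions_for(user)


def roles_with(permission: str) -> Set[str]:
    """Audit question answered at the role level, independent of head count."""
    return {role for role, perms in ROLE_PERMISSIONS.items() if permission in perms}


def users_with(permission: str) -> Set[str]:
    """Same question resolved to people, derived from role assignments."""
    return {u for u in USER_ROLES if is_allowed(u, permission)}


def legacy_users_with(permission: str) -> Set[str]:
    """Same question under the one-off model: every user entry has to be inspected."""
    return {u for u, perms in LEGACY_ACL.items() if permission in perms}


def change_job(user: str, old_role: str, new_role: str) -> Set[str]:
    """Reassignment drops every permission the old role carried, in one operation."""
    roles = USER_ROLES.setdefault(user, set())
    roles.discard(old_role)
    roles.add(new_role)
    return permissions_for(user)


if __name__ == "__main__":
    print("one-off model, who can export patrons:", sorted(legacy_users_with("patron.export")))
    print("RBAC, roles that can export:", sorted(roles_with("patron.export")))
    print("RBAC, users that can export:", sorted(users_with("patron.export")))
    print("carol moves to circulation:", sorted(change_job("carol", "sysadmin", "circulation")))
```

Note the stale `patron.export` grant on `bob` in the per-user list: it is exactly the kind of leftover that RBAC makes impossible to accumulate quietly, because a reviewer audits a short list of roles rather than every account.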

Finally, ensure that audit logging is enabled on all systems. In the event of a major security incident, part of your response will involve determining what happened, and there is no way to do that without audit logs recording what activity occurred and when. Ideally, these logs will be shipped to a server distinct from the systems they describe: the audit logs for server A should be collected outside of server A so that they remain available if server A becomes nonfunctional, or if it is compromised and its local copy is altered. Keep system clocks synchronized (e.g., via NTP) so that events from different systems can be placed in a single, correctly ordered timeline.
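As an added example (not from the article or any particular product), here is what the "determine what happened" step looks like once logs from several systems sit in one place. The JSON-lines records are constructed to resemble what two hosts, an application server (`ils-app`) and its database server (`ils-db`), might ship to a separate collector; the field names, host names, and account names are assumptions of this example. Because every record carries a timestamp from synchronized clocks and the acting account, the export on the database host can be tied to the login on the application host even though the two never logged each other's activity.

```python
"""Reconstructing an incident from centrally collected audit logs.
Added example. The JSON-lines records are constructed to look like what two
hosts ("ils-app", "ils-db") might ship to a separate log collector; the field
names, hosts and accounts are assumptions, not any product's real format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed collector feed: one account's normal morning, then an evening login
# from an outside address after two failures, a bulk export on the DB host, and a
# self-granted admin role. Another account's login is included as benign noise.
SAMPLE_COLLECTOR_FEED = """\
{"ts":"2022-01-10T08:01:12Z","host":"ils-app","actor":"jdoe","action":"login.success","src":"10.20.0.15"}
{"ts":"2022-01-10T08:02:40Z","host":"ils-app","actor":"jdoe","action":"catalog.search","src":"10.20.0.15"}
{"ts":"2022-01-10T22:14:03Z","host":"ils-app","actor":"jdoe","action":"login.failure","src":"203.0.113.7"}
{"ts":"2022-01-10T22:14:09Z","host":"ils-app","actor":"jdoe","action":"login.failure","src":"203.0.113.7"}
{"ts":"2022-01-10T22:14:21Z","host":"ils-app","actor":"jdoe","action":"login.success","src":"203.0.113.7"}
{"ts":"2022-01-10T22:16:48Z","host":"ils-db","actor":"jdoe","action":"patron.export","src":"10.20.1.5","rows":48213}
{"ts":"2022-01-10T22:17:02Z","host":"ils-app","actor":"jdoe","action":"role.grant","target":"jdoe","role":"sysadmin","src":"203.0.113.7"}
{"ts":"2022-01-10T22:30:15Z","host":"ils-app","actor":"msmith","action":"login.success","src":"10.20.0.22"}
"""

SENSITIVE_ACTIONS = {"patron.export", "role.grant", "system.config"}


def parse_feed(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with real timestamps, ordered into one cross-host timeline."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")  # UTC from synced clocks
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def timeline(events: List[Dict], actor: str) -> List[str]:
    """Human-readable sequence of what one account did, across every host."""
    return [f'{e["ts"]:%H:%M:%S} {e["host"]:<7} {e["action"]:<14} src={e["src"]}'
            for e in events if e["actor"] == actor]


def suspicious_sequences(events: List[Dict], window_minutes: int = 15) -> List[Dict]:
    """Flag a login from a source never before seen for that account, with the number
    of failures that preceded it, followed within the window by a sensitive action on any host."""
    window = timedelta(minutes=window_minutes)
    by_actor: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        known_sources, failures, flagged = set(), 0, None
        for e in evs:
            if e["action"] == "login.failure":
                failures += 1
            elif e["action"] == "login.success":
                new_source = bool(known_sources) and e["src"] not in known_sources
                flagged = (e, failures) if new_source else None
                known_sources.add(e["src"])
                failures = 0
            elif flagged and e["action"] in SENSITIVE_ACTIONS and e["ts"] - flagged[0]["ts"] <= window:
                login, prior_failures = flagged
                findings.append({"actor": actor, "login_src": login["src"], "prior_failures": prior_failures,
                                 "action": e["action"], "host": e["host"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_COLLECTOR_FEED)
    print("\n".join(timeline(evs, "jdoe")))
    for f in suspicious_sequences(evs):
        print("FINDING:", f)
```

The database host's record shows the application server's address as `src`, not the outside address; only the shared `actor` field and the ordered timestamps let the export be attributed to the session that began with two failed logins from 203.0.113.7. If `ils-app` had been wiped after the fact, the collector's copy is the only one left to tell that story.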

The security environment is constantly evolving, and our response to it needs to evolve as well. Security and privacy should be top of mind within your library. Resources should be devoted, even if they are only modest, to implementing and improving security practice. Good practice guidance is available through several agencies (such as CISA), so there is no need to reinvent the wheel. Taking advantage of what is already available, even if it is not specifically focused on libraries, will significantly increase your ability to secure your environment and ease the journey to good information security practice.

Essential Security Standards to Adopt

NIST SP 800-53 —This defines a catalog of security and privacy controls and provides guidelines for selecting and managing them. While it was originally intended for federal agencies, it has been widely adopted as a means of implementing information security controls across industries. The controls are grouped into families that address a broad range of issues in the information security realm. Families include access control (AC), audit and accountability (AU), awareness and training (AT), configuration management (CM), contingency planning (CP), identification and authentication (IA), incident response (IR), and maintenance (MA). As can be seen, the scope of the standard extends well beyond traditional technical issues to address the broader realm of information management.

ISO/IEC 27001 —While NIST SP 800-53 focuses on specific controls to be put in place, ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), the organizational process for selecting, operating, and improving controls, against which an organization can be certified. The two standards are complementary: NIST SP 800-53 centers on what to do, whereas ISO/IEC 27001 focuses on how to run it within an organization.

Resources

Ikeda, S. (2020, Aug. 21). “Consumer Privacy Concerns Vary With Location, Social Circumstances; Expectations of Privacy Do Not Necessarily Mirror Offline Models.” CPO Magazine. Retrieved Oct. 3, 2021, from cpomagazine.com/data-privacy/consumer-privacy-concerns-vary-with-location-social-circumstances-expectations-of-privacy-do-not-necessarily-mirror-offline-models.

IT Governance Ltd. (2021). “SOC (System and Organization Controls) 2 Audits.” Retrieved Oct. 7, 2021, from itgovernance.co.uk/soc-reporting.

Osterman Research (2019). “Addressing the Top 10 Security Issues Organizations Face.”

Rao, S. (2018, Sept. 12). “In Today’s Homes, Consumers Are Willing to Sacrifice Privacy for Convenience.” The Washington Post. Retrieved Oct. 3, 2021, from washingtonpost.com/lifestyle/style/in-todays-homes-consumers-are-willing-to-sacrifice-privacy-for-convenience/2018/09/11/5f951b4a-a241-11e8-93e3-24d1703d2a7a_story.html.

Spadafora, A. (2020, June 10). “Email Is Still the Biggest Security Risk Around Today.” TechRadar. Retrieved Oct. 5, 2021, from techradar.com/news/email-is-still-the-biggest-security-risk-around-today.

Additional Resources

ISO/IEC 27001 Information Security Management. iso.org/isoiec-27001-information-security.html

The Cybersecurity and Infrastructure Security Agency’s Ransomware Information. cisa.gov/stopransomware

The FBI’s Ransomware Resources. fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware

The PCI Security Standards Council’s Document Library. pcisecuritystandards.org/document_library

NIST’s Security and Privacy Controls for Information Systems and Organizations. csrc.nist.gov/publications/detail/sp/800-53/rev-5/final


H. Frank Cervone (M.S.Ed., Ph.D.) is the executive director for information services and the college information security officer for the school of public health at the University of Illinois – Chicago. He also is a lecturer at SJSU iSchool, where he teaches courses related to health informatics, social network analysis, and research methods. Cervone's prior experience includes more than 25 years of leadership in libraries and information agencies developing systems and services that have helped advance teaching, learning, and research in higher-education environments.