Policies Governing OPLIN
Ohio Public Library Information Network Bylaws
[Adopted July 11, 1995 by the OPLIN Board of Trustees]
[Amended December 8, 2006]
Article I: Name of the Organization and Its Governing Authority.
The name of the organization shall be the Ohio Public Library Information Network, also known as OPLIN, and its governing authority shall be the OPLIN Board of Trustees.
Article II: Purpose of the Organization.
The purpose of OPLIN shall be to ensure equity of access to electronic information for all Ohio citizens.
Article III: Participation in the Organization.
Any board of trustees of any public county, township, municipal, school district, county district, regional district, or association library organized under the Ohio Revised Code, or any regional library system chartered by the State Library of Ohio, may choose to participate in OPLIN by notifying the OPLIN Board in writing and agreeing to comply with OPLIN rules and regulations.
Article IV: Purpose and Authority of the OPLIN Board.
The OPLIN Board, as originally established by the 121st GA H. B. 117, has oversight responsibility for the Ohio Public Library Information Network (OPLIN). In exercise of such responsibility, the OPLIN Board shall be governed by these Bylaws, all of which shall be in accordance with State and Federal law.
Article V: Membership on the OPLIN Board.
Section A: Composition.
- Eleven members, herein also referred to as Board Members, shall be selected from the staff and past or present Boards of Trustees of Ohio public libraries.
- The OPLIN Executive Director and the State Librarian or his/her designee shall serve as ex-officio Board Members. Other ex-officio Board Members may be appointed at the discretion of the OPLIN Board of Trustees.
Section B: Duration of Membership.
- The term of service for Board Members is three years, commencing on July 1. Initial staggered terms of one, two, and three years will be established to commence on July 11, 1995, with replacement by full three-year terms thereafter.
- In the event that an individual Board Member becomes unable to complete his/her term, that term will be completed by a replacement proposed by the OPLIN Board to the State Library Board, consistent with Article V, Section E.
- Board Members may serve no more than two consecutive full terms.
Section C: Good Faith Service.
Members of the OPLIN Board shall carry out its mission in accordance with the strictest ethical guidelines and will ensure that they conduct themselves in a manner that fosters public confidence in the integrity of the Board, its processes, and its accomplishments. Board members must, at all times, abide by protections to the public embodied in Ohio ethics laws as interpreted by the Ohio Ethics Commission and Ohio courts.
Section D: Rights and Privileges.
- Each Board Member may cast one vote on any issue presented to the OPLIN Board. Ex-Officio Board Members are not eligible to vote.
- Attendance is not transferable. If a Board Member is unable to participate in a majority of the regular Board meetings during any fiscal year, the State Library Board should be notified to seek a replacement as prescribed in Article V, Section E, unless the OPLIN Board votes to excuse the absences due to mitigating circumstances.
- Any Board Member or ex-officio Board Member may bring issues to the attention of the Board by submitting said issues to the Board Chair and the Executive Director for placement on the Board agenda.
Section E: Selection of Members of the Board.
The Board shall be appointed by the State Library Board. A Nominations Committee, appointed annually by the OPLIN Board, shall provide to the State Library Board the name of a qualified person to fill each vacancy on the OPLIN Board, based on recommendations from the Ohio public library community.
Article VI: Officers of the OPLIN Board.
Section A: Officers.
- The officers of the OPLIN Board will be Chair, Vice Chair, Secretary and Treasurer.
- Election of officers shall be conducted at the first Board meeting immediately following July 1.
Section B: Vacancies.
- Upon resignation of the Chair, the Vice Chair will immediately become Chair.
- Vacancy of the Vice Chair, Secretary, or Treasurer position will be filled by special election at the next Board meeting.
Section C: Duties of Officers.
- The Chairperson of the OPLIN Board will preside at all meetings, approve the Board meeting agenda for dissemination to the Board, appoint all committees, chair the Executive Committee, and perform other duties delegated by the Board to the presiding officer.
- The Vice Chair will, in the absence of the Chairperson, perform the duties of presiding officer of the Board.
- The Secretary will be responsible for monitoring the accuracy and completeness of Board records, will certify and sign minutes and any other official documents adopted by the Board, and will act as presiding officer in the absence of the Chair and Vice Chair.
- The Treasurer will be responsible for monitoring the receipt of budgetary and other financial documents and records from the State Library Fiscal Services, and will act as presiding officer in the absence of other officers.
Article VII: Meetings of the OPLIN Board.
Section A: Regular Meetings.
The Board will meet at least four times per year.
Section B: Special Meetings.
The Chair may call special meetings as required, providing at least 72 hours advance notice and the reason for such special meeting.
Section C: Quorum.
At all meetings of the OPLIN Board, six voting members present shall constitute a quorum for the transaction of business.
Section D: Order of Business.
Order of business at regular meetings of the OPLIN Board shall be established by an approved agenda.
Article VIII: Voting by the OPLIN Board.
Section A: Motions and Resolutions.
- Voting on motions and resolutions shall be conducted in accordance with Robert's Rules of Order.
- If there is a quorum present, a simple majority of votes by Board Members present and voting shall be required for adoption of most motions or resolutions. Seven votes shall be required for passage of motions amending Board Bylaws or Policies.
Section B: Consensus.
Certain items of business may be approved by consensus as deemed appropriate by the Chair.
Article IX: Committees of the OPLIN Board.
Section A: Committees.
Business of the Board may be conducted by the Board as a whole or by committees or task forces, as authorized by the Board. Such groups will be appointed by the Chair and may include Board Members or other individuals as deemed appropriate.
Section B: Executive Committee.
- The Executive Committee of the Board will consist of the officers of the Board and one additional Board member to be designated by the Board Chair. The OPLIN Executive Director will be an ex-officio member of the Executive Committee.
- The Executive Committee is responsible for reviewing all OPLIN budget proposals and expenditures and monitoring the overall operation as deemed appropriate by the Chair.
Article X: Amendments to These Bylaws.
Amendments to these Bylaws and Policies may be proposed at any regular meeting. The proposed amendment shall be made known to members not present and shall be voted on at the next regular meeting. Seven votes are required for passage of any amendment.
Article XI: Procedures.
All proceedings not specified herein shall be governed by State and Federal law and by Robert's Rules of Order.
Information Technology Security Management
Ohio Public Library Information Network (OPLIN)
OPLIN shall exercise due diligence to ensure that all OPLIN computer and telecommunications systems and services are secure, and that the information contained within those systems and services is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.
This document outlines a plan to accomplish that goal through implementation of individual policies covering Risk Assessment and Data Classification, Recovery Preparation, Boundary Security, Password Security, Malicious Code Security, Internet Security, Remote Access Security, Portable Computing Security, Intrusion Prevention and Detection, Security Incident Response, Security Notifications, Security Practices, and Security Education and Awareness. In any case where these policies conflict with the Information Technology Security Policies of the Ohio Office of Information Technology (OIT), OIT's policies shall prevail.
OPLIN shall admonish all employees, contractors, temporary personnel and other agents of the state to adhere to these policies.
Risk Assessment and Data Classification
OPLIN shall annually conduct a risk assessment of system assets, threats, and organizational priorities. The assessment shall be prepared by the OPLIN Director, or a staff member designated by the Director, with input from all staff. This assessment will be reviewed at the end of every fiscal year to ensure that it is current.
The assessment shall be stored in a secure location and shall include current information regarding:
- the nature of the information and the systems;
- the business purpose;
- the operating environment;
- the existing protections;
- the impact of a security breach; and
- the likelihood of a breach occurring.
In conjunction with this risk assessment, OPLIN staff shall review the classification of OPLIN data. The data shall be labeled for both confidentiality ("public," "limited access," or "restricted") and criticality ("low," "medium," "high," or "very high"). Any data that could efficiently be replaced rather than protected will also be identified.
Concurrent with this annual assessment, OPLIN shall notify OIT Risk Management Services of the current primary and secondary incident response points of contact, which will typically be the Director and the Technology Projects Manager.
Recovery Preparation
OPLIN shall take the following steps to ensure that critical tools, data and equipment are available to facilitate containment and recovery in the event of a security breach:
- System back-ups. OPLIN shall create and maintain trusted system, data and application back-ups. Back-ups shall be tested semi-annually to maintain a high confidence of a successful recovery. Back-ups shall be created on a regular and frequent basis and securely maintained.
- System and application software versions. OPLIN shall maintain verified copies of all critical system and application installation software. OPLIN shall ensure the system and application software versions and security related patches are current and securely maintained.
- Configuration redundancy. Redundant configurations can facilitate the recovery of information technology systems or assets while preserving evidence of a compromised information technology asset. OPLIN shall assess the value and need for maintaining redundant system configurations; mission-critical systems shall have redundant configurations.
Boundary Security
OPLIN shall acquire, install, operate and manage a boundary security capability in cooperation with OIT to allow authorized network traffic and deny everything else.
- Servers and firewalls shall be configured specifically to limit access to ports and services required to support OPLIN business processes.
- Servers and firewalls shall enable activity logging using a common, standardized network time source to monitor attempted probes, attacks or intrusions, including all repeated attempts from non-authorized entities to breach the boundary.
- Strong authentication appropriate to the data being protected shall be used to limit access to systems.
- A demilitarized zone (DMZ) shall be used to isolate World Wide Web services and external e-mail entry points, and to hide vulnerable systems and information from the Internet.
Password Security
All OPLIN staff using passwords to access OPLIN-operated information technology or to access data in any way related to OPLIN business, including vendor data related to OPLIN accounts, shall use passwords that conform to these requirements:
- Composition. Passwords shall be composed of both upper and lower case letters and shall include at least one number or special character.
- Length. Passwords shall be at least eight (8) characters in length, except for administrative passwords on systems that are publicly accessible, which shall be at least twelve (12) characters in length.
- Aging. Passwords shall be changed at least once every two (2) months.
- History. Passwords shall not be re-used for a period of six months.
- Uniqueness. Staff shall not intentionally choose a password identical to the password of another staff person. Each staff member shall have their own individual password for accessing OPLIN-operated information technology.
- Transmission. Passwords to OPLIN-operated information technology shall not be transmitted electronically in clear text.
The following requirements pertain to password administration on OPLIN-operated information technology:
- Administration privileges. Passwords and password administration on each OPLIN server or network device shall be managed by the OPLIN Director and the OPLIN Technology Projects Manager (TPM), or other OPLIN staff person designated by the Director. Passwords shall grant the minimum system privileges necessary to complete assigned tasks.
- System lockout. The password administrator(s) shall, where possible, set each server and device to suspend the access of any user who exceeds three unsuccessful attempts at entering a password. After the password administrator(s) confirms that the attempts were actually initiated by an authorized staff person, the system lockout can be reset.
- Storage. The password administrator(s) shall maintain and safeguard system password files in a manner to prevent unauthorized access. Password files will be backed-up to facilitate recovery from system failures, security breaches, disasters, accidents and like events with the potential to affect systems. All password backup files shall be stored on media in a locked storage location.
- Deactivation. The TPM or back-up shall deactivate passwords of employees, contractors, temporary personnel and other agents of the state who have terminated or transferred to other work units within one (1) week of the termination or transfer. Passwords that have been compromised maliciously or by accident shall be deactivated within one (1) day of discovery of the compromise. Inactive user IDs shall be deactivated after six (6) months of no activity.
- Default passwords. Default application and system passwords shall be reset before deployment of any system or application.
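The composition, length, aging and history rules above can be enforced mechanically. The following is an added example, not OPLIN's own code: it checks a candidate password against those rules, keeps the password history as salted PBKDF2 digests rather than clear text, and treats "two months" and "six months" as 61 and 183 days (an assumption of this example, as are the account fields and sample data).

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds taken from the policy text; calendar months are approximated
# here as fixed day counts (an assumption of this example).
MIN_LENGTH = 8                        # ordinary passwords
MIN_ADMIN_PUBLIC_LENGTH = 12          # admin passwords on publicly accessible systems
MAX_AGE = timedelta(days=61)          # "changed at least once every two (2) months"
REUSE_WINDOW = timedelta(days=183)    # "not be re-used for a period of six months"
SPECIAL = set(string.punctuation)


def hash_password(pw: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the history file never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_on: date


@dataclass
class Account:
    user: str
    is_admin: bool = False
    system_public: bool = False       # True if the system is reachable from the Internet
    history: list = field(default_factory=list)   # HistoryEntry items, newest last

    def record(self, pw: str, set_on: date) -> None:
        """Store a newly set password in the history as a salted digest."""
        salt = os.urandom(16)
        self.history.append(HistoryEntry(salt, hash_password(pw, salt), set_on))


def required_length(acct: Account) -> int:
    """Length rule: 12 for administrative passwords on public systems, else 8."""
    return MIN_ADMIN_PUBLIC_LENGTH if acct.is_admin and acct.system_public else MIN_LENGTH


def composition_errors(pw: str) -> list:
    """Composition rule: upper and lower case plus a number or special character."""
    errs = []
    if not any(c.islower() for c in pw):
        errs.append("needs a lower-case letter")
    if not any(c.isupper() for c in pw):
        errs.append("needs an upper-case letter")
    if not any(c.isdigit() or c in SPECIAL for c in pw):
        errs.append("needs a number or special character")
    return errs


def reused_recently(acct: Account, pw: str, today: date) -> bool:
    """History rule: the candidate must not match any password set within REUSE_WINDOW."""
    for entry in acct.history:
        if today - entry.set_on < REUSE_WINDOW:
            candidate = hash_password(pw, entry.salt)
            if hmac.compare_digest(candidate, entry.digest):
                return True
    return False


def check_new_password(acct: Account, pw: str, today: date) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errs = composition_errors(pw)
    need = required_length(acct)
    if len(pw) < need:
        errs.append(f"needs at least {need} characters")
    if reused_recently(acct, pw, today):
        errs.append("re-used within six months")
    return errs


def password_expired(acct: Account, today: date) -> bool:
    """Aging rule: a password older than MAX_AGE (or no password on record) must be changed."""
    if not acct.history:
        return True
    return today - acct.history[-1].set_on >= MAX_AGE


if __name__ == "__main__":
    today = date(2011, 8, 1)
    admin = Account("tpm", is_admin=True, system_public=True)   # constructed account
    admin.record("Summer-2011!", date(2011, 6, 1))
    print(check_new_password(admin, "Summer-2011!", today))   # re-used within six months
    print(check_new_password(admin, "Library2011", today))    # too short for a public admin account
    print(password_expired(admin, today))                      # True: 61 days old
```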
Malicious Code Security
OPLIN shall deploy malicious code security ("anti-virus") capability. Anti-virus software shall be installed and operating properly on all OPLIN-owned, OPLIN-operated or OPLIN-authorized information systems. The anti-virus software shall be configured to:
- Check daily for updates and begin installing all updates immediately.
- Scan in real time for malicious code in all attachments and downloaded files from e-mail, web-sites, and instant messaging transmitted from both the Internet and intranet.
- Check all removable media such as diskettes and CD-ROM for malicious code.
- Check all system assets for malicious code at least monthly.
OPLIN staff must report any malicious code incidents to the Technology Projects Manager (TPM) as soon as possible. The TPM shall maintain a record of malicious code incidents for auditing purposes.
OPLIN shall evaluate its anti-virus software annually and at the same time ensure that each employee receives initial or refresher training on malicious code security, including how to use the anti-virus software selected by OPLIN.
Nothing in this policy shall be construed to require that OPLIN is responsible for installation, maintenance and support of anti-virus software on privately owned computers.
Internet Security
OPLIN shall secure connections to the Internet from OPLIN-controlled assets against unauthorized access and malicious code. Participation in chat rooms, open forum discussion groups or interactive messaging shall be permitted only when organized or approved by OPLIN. An individual approved to participate in any of these forms of communication shall be aware of methods to avoid inadvertent disclosure of sensitive information, as well as of practices to avoid because they could harm the security of state computer systems and networks.
Remote Access Security
OPLIN shall permit all staff to access OPLIN servers remotely, but shall ensure that the following conditions are met:
- All remote users shall be authenticated by a user-ID and password conforming to OPLIN Password Security requirements; passwords that are transmitted shall be encrypted.
- The remote connection shall be secured against unauthorized access and malicious code.
- Remote access shall not provide the user with more system privileges than they would otherwise have.
- Wireless access to OPLIN servers shall use the wireless encryption standard currently approved by OIT.
- Remote access host servers shall be protected in accordance with the OPLIN Boundary Security requirements.
Portable Computing Security
OPLIN shall permit staff use of portable computing devices, either OPLIN-owned or privately owned and authorized for state use. Users of portable computing devices shall adhere to these requirements:
- Physical security. OPLIN and users shall protect state-owned and state-authorized portable computing devices, removable storage components and removable computer media from unauthorized access. Such devices shall not be left unattended without employing adequate safeguards such as cable locks, restricted access environments or lockable cabinets. When possible, portable computing devices, computer media and removable components shall remain under visual control while traveling. OPLIN shall maintain an inventory for all OPLIN-owned, privately owned and contractor-owned portable devices authorized for work use with state systems.
- Operation and maintenance. The OPLIN Technology Projects Manager is authorized to prepare portable devices for use on state computer, network or telecommunications systems. Portable computing devices shall be equipped with anti-virus software and shall be maintained with appropriate security patches and updates. The user is responsible for any personal software added to the device and must ensure that all such software is properly licensed. OPLIN-owned portable computing devices shall be returned to the OPLIN TPM or Director when the user's employment or contract terminates; the user is responsible for removing all non-state data and software. All state data and software shall be recovered, deleted and securely overwritten as appropriate from privately owned and contractor-owned portable computing devices when the user's employment or contract terminates or when the portable computing device is no longer authorized for official state business.
- Password control. Whenever possible, access to portable computing devices and to device system settings shall be protected by passwords conforming to the OPLIN Password Security requirements.
- Lost and stolen devices. Loss or theft of a portable computing device, either OPLIN-owned or privately owned and authorized for state use, shall be reported to both the OPLIN TPM and the OPLIN Director within three (3) days of the loss.
Intrusion Prevention and Detection
OPLIN shall maintain a capability to prevent and detect successful attempts to breach security measures for the purpose of system intrusions or misuse.
- Implementation of intrusion prevention and detection capabilities. OPLIN shall deploy intrusion prevention and detection capabilities compatible with OPLIN's infrastructure, policies and resources to prevent unauthorized use, anomalies or attacks on computer, network or telecommunications systems. In addition, intrusion detection capabilities shall be in place to provide information relating to unauthorized or irregular behavior on any OPLIN computer, network or telecommunication system. The OPLIN Technology Projects Manager and the staff of the OPLIN Support Center shall be trained to interpret and maintain agency intrusion prevention and detection capabilities.
- Monitoring, review and detection. OPLIN staff shall review information technology security audit logs and intrusion prevention and detection system alerts on a regular basis to determine if a successful intrusion or other type of security incident has occurred. Designated OPLIN staff shall continuously monitor OPLIN Internet connections for suspicious activity during business hours. Web and e-mail server access logs shall be reviewed weekly for suspicious activity. OPLIN staff shall also work with OIT staff to identify suspicious activity on OPLIN Internet connections provided to public libraries and shall work with OIT staff to determine the nature of the suspicious activity and take all necessary steps to end any activity that is illicit.
- Alarms and alerts. Any increase in network activity that clearly and significantly exceeds normal activity for a given time of day and day of week shall be considered suspicious until further review determines otherwise. Any pattern of repeated attempts by unauthorized users to access protected areas of web and e-mail servers shall be considered suspicious until further review determines otherwise.
- Incident response. Any detected incident of successful intrusion shall be recorded according to the requirements of the OPLIN Security Incident Response policy.
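The weekly review of web server access logs and the two alarm rules above (a volume spike for a given weekday and hour, and repeated attempts by unauthorized users on protected areas) can be scripted. This is an added example, not OPLIN's own tooling: the log lines are constructed Apache combined-format records, and the protected prefixes, the per-hour baseline, the repeat threshold and the spike factor are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache "combined"-format lines (Monday, 1 Aug 2011); not real OPLIN data.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2011:09:00:01 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2011:09:00:09 -0400] "GET /support/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Aug/2011:09:01:15 -0400] "GET /admin/ HTTP/1.1" 403 287 "-" "curl/7.21.0"
198.51.100.23 - - [01/Aug/2011:09:01:16 -0400] "GET /admin/login HTTP/1.1" 401 287 "-" "curl/7.21.0"
198.51.100.23 - - [01/Aug/2011:09:01:17 -0400] "GET /admin/login HTTP/1.1" 401 287 "-" "curl/7.21.0"
198.51.100.23 - - [01/Aug/2011:09:01:18 -0400] "GET /admin/login HTTP/1.1" 401 287 "-" "curl/7.21.0"
198.51.100.23 - - [01/Aug/2011:09:01:19 -0400] "GET /admin/ HTTP/1.1" 403 287 "-" "curl/7.21.0"
192.0.2.44 - - [01/Aug/2011:09:02:30 -0400] "GET /admin/login HTTP/1.1" 401 287 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Aug/2011:09:02:45 -0400] "GET /admin/login HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2011:10:15:00 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

# Constructed baseline: typical request count per (weekday, hour) from earlier weeks.
BASELINE = {("Mon", 9): 3, ("Mon", 10): 4}

PROTECTED_PREFIXES = ("/admin/", "/support/")   # assumed "protected areas" of the server
DENIED = {401, 403}
REPEAT_THRESHOLD = 5      # assumed: this many denials from one address is a "pattern"
SPIKE_FACTOR = 2.0        # assumed: twice the baseline counts as "clearly exceeds"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def parse_log(text):
    """Parse every non-empty line, silently dropping lines that do not match the format."""
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def repeated_denials(entries, threshold=REPEAT_THRESHOLD):
    """Alarm rule: repeated attempts by unauthorized users to reach protected areas.
    Counts 401/403 responses on protected paths per source address; a single
    denial followed by success (a mistyped credential) stays below the threshold."""
    counts = Counter(
        e["ip"] for e in entries
        if e["status"] in DENIED and e["path"].startswith(PROTECTED_PREFIXES)
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def volume_spikes(entries, baseline=BASELINE, factor=SPIKE_FACTOR):
    """Alarm rule: activity that clearly exceeds the norm for that weekday and hour.
    Returns {(weekday, hour): (observed, baseline)}; hours with no baseline are
    skipped because there is no norm to compare against."""
    hourly = Counter((e["ts"].strftime("%a"), e["ts"].hour) for e in entries)
    return {
        key: (n, baseline[key]) for key, n in hourly.items()
        if key in baseline and n > factor * baseline[key]
    }


def review(text):
    """Produce the findings a weekly review would record for follow-up."""
    entries = parse_log(text)
    return {
        "repeated_denials": repeated_denials(entries),
        "volume_spikes": volume_spikes(entries),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Both findings are "suspicious until further review determines otherwise", so the output is a review queue, not a verdict.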
Security Incident Response
OPLIN shall assess all security incidents to determine the severity of the incident and how it should be handled. Security incidents may be classified as either critical or threatening, and the OPLIN response shall vary accordingly. The OPLIN Technology Projects Manager or the OPLIN Director shall have responsibility for classifying security incidents; these two individuals and the OPLIN Support Center staff shall be responsible for completing responses to incidents.
Threatening incidents do not impact the security of any OPLIN resources that have either been determined to be critical in the annual risk assessment or contain confidential information, and they do not require that any systems be recovered or restored. Such incidents shall be recorded in a secure file and the record shall include: a description of the incident; how the incident was identified; who identified the incident; an inventory of all actions taken, when they were taken and who performed them; and any correspondence associated with the incident. The record shall be retained for at least one (1) year.
Critical incidents impact the security of OPLIN resources determined to be critical in the annual risk assessment or containing confidential information, and/or they require that systems be recovered or restored. These incidents require a more extensive response:
- Incident evidence file. OPLIN staff shall create an evidence file to log and maintain an inventory of all actions taken, action timestamps and correspondence associated with a security incident. If appropriate, OPLIN staff shall also create a forensic back-up file of affected systems. The security incident evidence file(s) shall be securely maintained and safeguarded throughout the incident response actions to ensure that evidence is not altered or lost. At the completion of the incident response actions a copy of the file(s) shall be sent to OIT and the passage of this evidence shall be documented.
- Incident containment. OPLIN staff shall, as required to contain the security breach: ensure that redundant systems and data have not been compromised; monitor system and network activity; disable access to compromised shared file systems; disable specific compromised system services; change passwords or disable compromised accounts; temporarily shut down the compromised or at risk systems; and disconnect compromised or at risk systems from the network.
- Incident elimination. OPLIN staff shall eliminate unauthorized access and remove unauthorized modifications prior to returning compromised systems to service. Elimination methods may include, but are not limited to: changing passwords on compromised systems; disabling compromised accounts; reinstalling compromised systems from trusted back-ups; identifying and removing an intruder's access methods such as backdoors; installing system patches for known weaknesses or vulnerabilities; reinstalling system user files from trusted versions; reinstalling system settings from trusted sources; reinstalling system start-up routines from trusted versions; and adjusting firewall or intrusion detection system technologies to detect access and intrusion methods.
- Recovery. OPLIN staff shall evaluate and determine when to return compromised systems to normal operations. Access to compromised system assets shall be limited to authorized personnel until the security incident has been contained and root cause of the incident eliminated. Once that is done, systems may be restored and OPLIN staff shall validate the restored systems through system or application regression tests, user verification, penetration tests, vulnerability testing and test result comparisons.
- Lessons learned. In order to reduce the possibility for similar incidents and thereby enhance its overall information technology security posture, OPLIN staff shall convene a post-incident analysis and review meeting within three to five days of completing the incident recovery. This review will assess the effectiveness of the security response system and determine how these procedures might be expanded or improved.
Security Notifications
OPLIN shall notify public library users of OPLIN web-based applications, such as the Support Center web page, that:
- The system is designated for official state use.
- Access to the system may be logged.
- System activity may be monitored and logged.
- Users shall comply with OPLIN information technology policies.
- Users shall have no expectation of personal privacy unless explicitly stated.
- Illegal or unauthorized attempts to access the system and information could lead to criminal penalties and civil liability.
This notification shall appear at the bottom of the first web page that provides access to the web-based application.
This policy shall not apply to e-mail services supplied to public libraries by OPLIN.
Security Practices
OPLIN shall abide by the policies and procedures of the State Library of Ohio in regard to basic security practices that are not covered elsewhere in this document, such as:
- Disposal, servicing, and transfer of information technology equipment.
- Staff use of Internet, e-mail and other information technology resources.
- Storage and retention of electronic records.
Security Education and Awareness
All OPLIN staff shall meet annually to review these policies and the current risk assessment. New OPLIN employees, contractors, and temporary personnel shall also review the policies and risk assessment as part of their orientation to OPLIN. OPLIN staff directly involved with maintenance of OPLIN security capability shall be encouraged to acquire, at OPLIN's expense, appropriate technical training, certifications, formal course work, and/or conferences for information technology security technologies and practices, such as firewalls, wireless devices, routers, switches, virtual private networks, encryption, public key infrastructure, data protection, and audit logging.
Approved by the OPLIN Board on October 12, 2007; minor revisions August 1, 2011 to conform with state policy ITS-SEC-02
Issued March 28, 2000
Approved by the OPLIN Board of Trustees June 9, 2000
The most important thing for you to know is that OPLIN collects no personal information about you when you visit the OPLIN Web site unless you choose to provide that information.
You do not have to give OPLIN any personal information to visit its Web site. OPLIN does not track or permanently record information about individuals and their visits.
Here is how OPLIN handles information about your visit to its Web site.
Information Collected and Stored Automatically
If all you do is look around the Web site, read text, or download information, OPLIN will gather and store certain information about your visit automatically.
This information does not identify you personally.
OPLIN automatically collects and stores only the following information about your visit:
- The Internet domain (for example, "earthlink.net" if you use a private Internet access account such as EarthLink or "yourschool.edu" if you connect from a university's domain) and IP address (a number automatically assigned to your computer whenever you surf the Web) from which you access the OPLIN Web site
- The type of browser and operating system you use
- The date and time you visit
- The topics you view
- If you linked to the OPLIN Web site from another Web site, the address of that Web site
- If you search the OPLIN Web site, the search words or phrases you use and the results of the search
How OPLIN Uses This Information
OPLIN uses this information to help make its site more functional for visitors: to learn about the number of visitors to its site and the kinds of information they seek.
Browser and operating system information allows the OPLIN Web site to take you to the version of the site that best conforms to the capabilities of your tools. Visitors using text-only browsers or older versions of graphical browsers go automatically to the OPLIN text-only site.
Search results disclose whether the OPLIN Web site contains the kinds of information its visitors seek and are used for planning future additions to the site. These results are not linked to domain, IP, or browser data.
The OPLIN Web site uses Web "cookies" only when necessary to complete a transaction, and then only temporarily. OPLIN does not use persistent cookies.
If You Send Personal Information to OPLIN
If you choose to provide us with personal information, whether by sending an e-mail to the OPLIN Director or other OPLIN staff members or by using the online contact form, OPLIN uses that information only to respond to your message and to help get you the information you have requested.
OPLIN only shares the information you give it with other agencies or individuals who may be able to respond to your inquiry or as otherwise required by law. OPLIN does not create individual profiles with the information you provide, nor does it give that information to any private organizations. OPLIN does not collect information for commercial marketing.
All Information Subject to Open Record Laws
Information collected automatically on the OPLIN Web site, as well as e-mail sent to OPLIN, is generally subject to state open record laws except as provided by Ohio or federal law.
Receiving Information from OPLIN
Visitors to the Web site receive information from OPLIN only in response to their own requests.
Links to Other Sites
OPLIN does not supervise or control public-access workstations. Be aware that if you send personal information of any kind to any Web site from a public-access workstation, that information very well may remain in the cached files of that workstation and, therefore, open to discovery by other users.
Ohio Public Library Information Network
2323 W. Fifth Ave, Suite 130
Columbus, OH 43204
Phone: (614) 728-5252
OPLIN does not have an organizational policy on public access to OPLIN business records; instead, as an independent agency within the State Library of Ohio, it is governed by the State Library policy.