Cyber Security Policy

Date Adopted: March 16, 2026

Resolution No. 260316-10

Cyber security is defined as the administrative, technical, or physical safeguards the Stow-Munroe Falls Public Library (“library”) uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle confidential customer or staff information (“confidential information”).

The library will take every reasonable precaution to ensure that any confidential information that is kept by the library for any purpose is safeguarded from unauthorized access. The library has a responsibility to ensure that the accessing, handling, sharing and disposing of confidential information complies with the Privacy Policy of the Stow-Munroe Falls Public Library, the Confidential Information Rules for the CLEVNET System, the CLEVNET Cyber Security Policy, and the Ohio Revised Code Chapter 1347. Within the credit card holder data environment, the library will also comply with the latest revision of the Payment Card Industry Data Security Standards (PCI DSS).

This policy covers all electronic information resources in the library. It applies equally to network servers, workstations, both staff and public access, network equipment, telecommunications equipment, and peripherals, such as printers, within the library. The policy applies to all library staff, volunteers, and contract workers using the library’s computer resources.

Roles and Responsibilities

Under the guidance of the Library Director and the staff of CLEVNET, the Information Systems Manager will be designated to oversee the library’s information security program. They will address potential risks to the security, confidentiality, and integrity of confidential information that could result in a compromise. The Information Systems Manager must ensure that the following standards are met on every computing system, equipment, or network with access to confidential information:

  • Secure computing systems, equipment, and networks with confidential information
  • Restrict physical and login access to authorized users
  • Maintain up-to-date software patches and anti-virus software
  • Ensure and maintain complete system backups
  • Enable and use host-based firewalls if available
  • Perform regular security scans on computing systems, equipment, and networks
  • Provide training, or at least written training materials, to all staff, volunteers, and contract workers in the appropriate use of the network, awareness of the possible effects of misuse or unauthorized use of computer resources, and the consequences of any unauthorized use.

Authorized Users

Authorized users may be staff members, volunteers, and contract workers. They are responsible for confidential information in their custody. Maintaining the confidentiality, integrity, availability, and regulatory compliance of confidential information stored, processed, or transmitted at the library is a requirement of all authorized users. All authorized users with access to confidential information will:

  • Be assigned a unique user ID and initial password according to established procedures to gain access to network resources. Users must not share or disclose unique user IDs/passwords unless the user ID is already designated as a departmental “shared” user ID/password.
  • Notify their manager and Information Systems Manager immediately if confidential information, passwords, or other system access control mechanisms are lost, stolen, or disclosed or suspected of being lost, stolen, or disclosed.
  • Restrict physical access to laptop computers when the user is physically away from the computer by locking the door or using security cables or devices.
  • Secure all staff computers by using a screen saver or built-in lock feature when the user physically walks away from the workspace.
  • Maintain possession or control of mobile devices to the extent possible to reduce the risk of theft and unauthorized access.
  • Secure computers and mobile devices with passwords and/or two-factor authentication for highly sensitive information.
  • Use secure methods to transfer confidential information. CLEVNET-provided email systems are enabled with encryption capabilities on demand.
  • Not intentionally damage, alter, misuse any library owned or maintained computing systems, equipment, or networks.

Library Managers

Library managers, with guidance or direction from the Information Systems Manager, are ultimately responsible for ensuring that this Information Security policy and individual responsibilities are clearly communicated to staff and are adequately followed. Specific responsibilities of library managers include:

  • Ensuring staff understand the danger of malicious software, how it is generally spread, and the technical controls used to protect against it.
  • Informing the Information Systems Manager and the Director of the change in status of staff, volunteers, or contract workers who use the library computer resources. This could include a position change (providing greater or more restricted access privileges) or termination of library employment.

General Policies

  • The Information Systems Manager and CLEVNET IT are responsible for maintaining the security of the computer. All authorized users of the system are responsible for following all policies and procedures in this policy.
  • Server security shall be exclusively controlled by the Information Systems Manager and CLEVNET IT. Access to server security mechanisms by all other users without prior authorization shall be considered unauthorized access.
  • All users must be authenticated to the network before accessing network resources.
  • Users may not log into library resources with the intention of providing access to any other user, including staff members, volunteers, or contract workers.
  • Use of network hardware or software such as traffic monitors/recorders and routers shall be restricted to network management or a designated administrator.
  • Security training shall be integrated into existing library training programs such as orientation programs for new employees or volunteers, in the use of computers, software, and network information resources.
  • Incident logs and subsequent security reports will be generated and reviewed on a regular basis.

Enforcement

When users fail to comply with this policy, confidential information that is stored, processed, or transmitted on the Stow-Munroe Falls Public Library network may be exposed to the unacceptable risk of loss of confidentiality, integrity, or availability. Violations of security guidelines and procedures established to support this policy will be promptly investigated and could result in disciplinary action up to and including termination of employment or termination of rights to use the computer resources.

Breach of Security

Any actual or suspected security breaches involving confidential information must be reported immediately to the Information Systems Manager, the Director and CLEVNET IT. Incident response procedures will be initiated to identify the suspected breach, remediate the breach, and notify appropriate parties.

Ransom Payments

Ransom payments must be approved by the Board of Trustees before being transmitted if library data or software is held for ransom by an external entity.