
Information/Cybersecurity (“Security”) Policy


In accordance with ORC § 9.64, Clermont County Public Library has implemented a Cybersecurity Program designed to reflect its size, services, and operational needs.  This program supports the protection of Library systems, data, and services while ensuring continued access for staff and guests.

1. Cybersecurity Responsibility

The Library Board of Trustees has designated the Director as responsible for the development of the Cybersecurity Program. Authority for overseeing cybersecurity for the Clermont County Public Library may be delegated by the Director to the Information Services Manager, who may designate a qualified individual to serve as the Cybersecurity Lead for purposes of this policy.  Unless stated otherwise, the Cybersecurity Lead is responsible for ensuring organizational compliance and coordinating all activities necessary to meet the requirements of this policy.

2. Annual Policy Review

This Security policy shall be reviewed on an annual basis as part of the organization’s governance and risk management process and revised as necessary to maintain alignment with applicable regulatory, audit, and National Institute of Standards and Technology (NIST) cybersecurity framework requirements.

3. Security Awareness and Training

All employees shall complete Security Awareness Training upon employment and at least once per year.  The duration and content of the training shall be sufficient to ensure appropriate, role-based security awareness and knowledge.

4. Asset Inventory

An inventory of all computers, servers, network equipment, and critical software assets, including software-as-a-service (SaaS) applications, shall be maintained as a continually updated Information Services Asset Inventory Record.  The inventory shall be updated on an ongoing basis as equipment or systems are added, modified, or made obsolete, and reviewed at least annually to ensure accuracy, completeness, and alignment with organizational risk management practices.

5. Data Classification and Protection

The Library shall maintain a Records Retention Schedule that governs the classification, ownership, handling, retention, and secure disposal of data associated with Library operations.  Data management practices shall be based on data sensitivity, privacy, and confidentiality obligations applicable to public libraries, Ohio public records laws as defined by Ohio Revised Code 149.43 and applicable case law, applicable records retention schedules, contractual requirements, organizational retention standards, and the Library’s Critical Systems List and Recovery Priority Matrix, which identifies systems and data requiring heightened protection or prioritized recovery.  Documentation shall be reviewed and updated at least annually, or more frequently when significant legal, operational, or technological changes occur that could impact this safeguard. 

6. Vulnerability and Patch Management

Computer systems, software, and other technology assets shall be maintained with security patches and updates.  Vulnerability remediation timelines shall generally align with the vendor or manufacturer recommendations and be prioritized according to the assessed severity of the vulnerability.

7. Password Management

Employees are responsible for ensuring that password standards are followed for all systems and accounts under their authority.  Passwords must meet organizational requirements as established and maintained by the Information Services (IS) Department.  Employees shall update their passwords in accordance with these standards and any required update schedules.

8. Network Security Controls

Network security controls shall be implemented and maintained to protect Library networks, systems, and data from unauthorized access. 

9. Anti-Malware Protection

Anti-malware protections, including antivirus software or equivalent security controls, shall be installed, enabled, and actively maintained on all Library-managed computers and devices.  Exceptions for specialized systems or devices that cannot support standard anti-malware protections shall be documented, approved, and mitigated through equivalent security controls.


The Library shall establish, maintain, and implement an Incident Response and Contingency Plan to address cybersecurity incidents and operational disruptions.  The Plan shall be retained as part of the Library’s official cybersecurity documentation and maintained in both digital and printed formats to support availability during incidents.

Cybersecurity program documents, incident reports, and security procurement records are not public records.  Any records, documents, or reports related to the Cybersecurity Program and framework, and the reports of a cybersecurity incident or ransomware incident are not public records under section 149.43 of the Ohio Revised Code.


A record identifying cybersecurity-related software, hardware, goods, and services that are being considered for procurement, have been procured, or are being used by the Library, including the vendor name, product name, project name, or project description, is a security record under section 149.433 of the Ohio Revised Code.

Last Reviewed

April 6, 2026

Reviewed By

By-Law and Policy Review Committee

Approval History

Approved by the Library Board of Trustees: April 20, 2026
