Security Management Strategies for Protecting Your Library's Network
Ives, David J., Computers in Libraries
The greatest potential threat to LAN security within a library (and within most organizations) is end users, whether they are staff or patrons. This potential threat can become a very real one through either inadvertent or deliberate human actions--actions that may affect not only a specific computer but also other computers or peripherals on the network, the fileserver itself, or even connections physically external to the network per se (e.g., mainframes; client/server systems; Internet nodes).
Deliberate human actions designed to damage the computer network or the organization (the great majority of which are generated by young males) can be attributed to: 1) boredom; 2) the lure of a challenge; 3) greed--for your data or the information that can be gleaned from it; 4) specific anger at the library or at another organization or individual; or 5) generalized anger--frustration or anger at the whole world. It is the end products and effects of these human emotions as well as of the inadvertent actions that a computer security program must prevent or ameliorate.
These end products can be explosive in nature--a sudden obvious or even catastrophic occurrence or sequence of events (e.g., a CPU unit is stolen); they can be delayed--the results of the activity occurring some time after the activity itself (e.g., a computer is infected with a virus that activates only after a certain number of computer reboots); or they can involve stealth--in which the victim may never be aware an event has occurred (e.g., data or program files surreptitiously copied to diskettes or to another computer). Because of the multiplicity of both the types of security-breaching activity and their end results, a security program and those charged with its implementation must be ever vigilant.
Because crippling or devastating consequences for a library can result from security-breaching actions, the security program must be robust and enforced unequivocally. The problems that can be caused by lax LAN security cover a broad range of types and severity: stolen equipment or components; vandalized equipment; infection of workstations or the entire network with computer viruses; erased, modified, or corrupted data or program files; stolen local or remote data; and the prevention of use or access to a computer or network by its authorized users.
Security Tools and Procedures
These potential hazards should be kept firmly in mind when configuring both networked library staff and networked patron/public-use computers. Four broad areas of concern for potential security problems can be identified with regard to configuring and installing such computers: hardware, system, network, and user interface.
When taken together, the hardware/software tools and the managerial procedures detailed in "The Four-Tiered Approach to Computer Network Security Management" provide a nearly iron-clad defensive shield for protecting a library's hardware and software, as well as protecting users from the results of inadvertent human error or deliberate attempts at sabotage/vandalism on the part of others. The per-machine cost of these security measures (hardware and software only) can be less than $100; the time involved to install, configure, and verify the security measures usually is less than 15-20 minutes per computer.
Library administrators and systems staff must realize that sizable resources will be required for data security and for security training and technology. Equally valid, however, is the fact that data or equipment that is stolen or vandalized or used for unauthorized purposes represents a sizable loss to an organization in terms of time, effort, and money.
Relatively expensive ($1,000-25,000) and more complicated options, such as an authentication server or a firewall computer to pre-check access rights and to confirm the user's authorization to use any networked computers, are not included here but are certainly appropriate in some circumstances. …