The purposes of this policy are listed below:
- Provide accountability and authority related to information security at the Forsyth County Public Library (FCPL)
- Establish FCPL's information security management framework
- Safeguard the usability, reliability, integrity, confidentiality, and security of FCPL's information technology infrastructure, resources, and computer systems and the information and data accessed, stored, and transmitted therein
This policy shall govern all access to and uses of FCPL's information technology infrastructure, resources, and computer systems and the information and data accessed, stored, and transmitted therein. This policy also governs the use of data or information produced or stored by or for FCPL. This policy is supported by related policies, practice statements, standards, guidelines, procedures, and documentation where necessary.
Authority and Procedures
The Assistant Director for Information Technology or a designee has the authority to implement the information security policy and to establish and enforce information technology practice statements, standards, guidelines, and procedures to accomplish the following:
- Ensure this policy is followed in all departments
- Provide staff with instructions related to information security
- Ensure a strong internal controls environment in support of information security
While FCPL always strives to align its practices with both legal requirements and auditing and industry standards, practices must balance these standards with logistical and budgetary concerns. FCPL specifically strives to align its information security practices with the Payment Card Industry Data Security Standard, applicable laws and regulations, applicable governmental accounting standards, and best information security practices promoted by the Georgia Public Library Service, national library professional organizations, and the University System of Georgia.
At a minimum, information technology practice statements, standards, guidelines, or procedures created in support of the information security policy shall cover the following areas:
- Requirements to build and maintain a secure network
- The protection of cardholder data
- Vulnerability management
- Access control measures
- Network monitoring and testing
- Information security awareness and responsibilities of employees and contractors
The Assistant Director for Information Technology or a designee shall maintain an Information Security section on the staff website for the purpose of organizing and distributing to all FCPL staff the information technology practice statements, standards, guidelines, and any procedures that apply to all staff. Supporting documentation and procedures for use only by specific staff or departments shall be appropriately secured elsewhere. Managers in each department are responsible for ensuring that department-specific information technology-related procedures are properly documented and that staff under their supervision have access to and instruction in department-specific procedures required to support FCPL's information security policy.
The information security policy and its supporting documents shall be reviewed by the Assistant Director for Information Technology or one or more designees at least annually or following substantial changes to the information technology infrastructure and updated as needed to address new needs, emerging threats, and security trends.
A security awareness program shall be developed and implemented to make all employees aware of the importance of information security. Employees shall be required to periodically acknowledge that they have reviewed and understand FCPL's information security policy and its supporting documents.
In the absence of a published FCPL information technology practice statement, standard, or procedure that addresses a specific situation related to information security, the Assistant Director for Information Technology shall be consulted. The Assistant Director for Information Technology will consult the Forsyth County Public Library Operations Policy Manual; the Forsyth County Public Library Personnel Policy Manual; Payment Card Industry Data Security Standard; applicable laws and regulations; applicable governmental accounting standards; best information security practices promoted by the Georgia Public Library Service, national library professional organizations, and the University System of Georgia; other members of the FCPL management team; and the FCPL Board of Trustees as appropriate for guidance in determining the best course of action.
In the event that it is not possible to adhere to a published Forsyth County Public Library practice statement or standard, a written justification for non-compliance must be prepared by the non-compliant party, acknowledged by the Assistant Director for Information Technology, and approved by the Library Director. Any compensating controls designed to offset the effects of non-compliance shall also be documented. Documentation of such justification for non-compliance and compensating controls shall be retained for reference during future information security audits.
Compensating controls are procedures, settings, or other measures that are put into place to help minimize the risks associated with failing to implement a requirement stated in the Information Security Policy and its supporting documents. Compensating controls should be used when FCPL cannot meet a requirement explicitly as stated in a practice statement or standard, due to legitimate technical or documented business constraints.
Guidelines provide staff and contractors with suggested best practices to be followed where possible.
Information Security means protecting data; information; computers and related electronic, storage, or communication devices; and information infrastructure from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information technology infrastructure is the physical hardware and software used to interconnect computers and related electronic, storage, and communication devices with users. Infrastructure includes the transmission media, including telephone lines, cable television lines, and satellites and antennas, and also the routers, aggregators, repeaters, and other devices that control transmission paths. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted. In short, the information technology infrastructure includes everything that supports the flow and processing of information.
Practice statements describe FCPL's information security practices and outline expectations of staff or contractors at a broad level.
Procedures document steps to be followed in order to carry out job-related tasks in a manner that complies with information technology practice statements and standards.
Standards provide benchmarks for use in information technology-related decision-making. Standards outline the ideal set of characteristics that should exist in an information technology-related product, service, practice, procedure, or other entity in order to best ensure FCPL's ability to create and maintain an information technology infrastructure, resources, and computer systems that maximize usability, reliability, data integrity, confidentiality, and security while supporting legal, auditing, and industry standards compliance.
Any employee or contractor found to have violated the requirements of the Information Security Policy as outlined in supporting practice statements, standards, guidelines, and procedures may be subject to disciplinary action, up to and including termination of employment or contract.
Approved on 9/21/2010
Implemented on 10/1/2010