I recently wrote a blog post about password security in library-subscribed databases based on an RFP by a state agency subject to public disclosure laws. The results were very revealing, but it covered only a small set of vendors.
I would be very interested to learn of RFPs for library automation software, ebook delivery platforms, etc. subject to similar public disclosure rules that asked questions relevant to privacy and security in libraries.
Contact me on or off list.
A data breach has taken place at the National Archives, the latest in a string at major U.S. agencies.
Details on the breach were scarce Wednesday, though the incident was confirmed to The Hill by National Archives Acting Inspector General James Springs.
Several officials at the agency acknowledged the breach but would not disclose details.
Edit: The original article was updated late in the day yesterday with the above quote removed. It’s unclear what actually happened other than a very suspicious YouTube video: http://www.washingtontimes.com/news/2015/feb/26/national-archives-hacked-investigators-kick-into-h/
Libraries have unique cyber security risks in relation to their interaction with public data and the private thoughts of their patrons. Developing and delivering a risk management program that addresses every cyber security issue or concern in an environment with limited IT resources is not only impractical to implement, but impossible to maintain—librarians should instead prioritize and focus on high probability cyber risks to guide their cyber defense efforts.
The field of journalism, which also aims to disseminate unbiased information to the public, provides us with an excellent case study. Most in the field are not technology experts; even so, the most prominent journalism companies in the country have faced threats.
For example, in 2013 Chinese hackers obtained the passwords of every New York Times employee while at the same time, the U.S. Justice Department surreptitiously obtained phone records of Associated Press employees. In response to these threats, journalists have been forced to learn how to use public key cryptography, Tor, and other methods to protect their sources. Similarly, in 2015 the DC Public Library began an outreach and education program to teach patrons how to use these tools.
Software tools and training may work well for individuals, but they’re not 100% effective. Establishing clear policies and procedures based on a cyber risk management assessment framework like OCTAVE Allegro helps mitigate cyber risks and reduce harm in the event of an attack.
But first, library staff members or third-party consultants must step in to identify problem areas. To put it another way—you can’t patch a system without first looking for holes.
If you would like to hear more about cyber risk management for libraries, please comment and/or subscribe! This is the first post in a series about cyber risk management by Chris Markman and I’d love to hear your feedback. Thanks!