Eric Delozier of Penn State presented Many Users, One Computer, and Access to Web Services: Information Technology Risk Management in Libraries. I arrived a bit late, so I’m starting where I came in:
Liability issues: without adequate protection, patrons’ personal files and information might be lost or stolen; systems can be damaged.
Causes for loss:
- Hardware failure such as CPU or disk drives
- Environmental causes such as fire
- Software causes, either malware or software flaws
- Losses caused by user behavior: can be intentional or unintentional, by patrons or staff
After identifying risks, identify the potential consequences and the likelihood or frequency of occurrence. See Jacobson, Robert V., “Risk Assessment and Risk Management” in Computer Security Handbook, 2002, Wiley & Sons.
Risk mitigation: try to prevent losses, but also plan for recovery.
Hardware prevention and control measures include locks and alarms. Software measures used at Eric’s institution include:
- disk wiping (DBAN)
- backup and recovery (Ghost)
- integrity/restoration (Deep Freeze)
- malware detection (Symantec Antivirus)
- software updates (Microsoft Update)
- authentication and authorization (Kerberos, borrower database)
- rights and permissions management (Active Directory)
- printing controls (Uniprint)
Some software and policies are mandated universitywide; others are specific to the library. Administrative controls include policies, such as codes of conduct, and end-user agreements.
A new concept for me was the idea that risk management might include transferring responsibility to someone else. An example Eric gave was having the campus computing department take over responsibility for library computer issues after hours.
Risk management plan: have an overall policy and goals; assess risks; decide on objectives and the actions to meet each objective (such as objective “recover files and folders,” action “obtain and install backup and recovery software”).
Evaluate the results of your risk management process. In addition to quantitative measures like cost and frequency of incidents, also use feedback, suggestions, comments from patrons and staff.
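To make the assess-then-mitigate-then-evaluate loop above concrete, here is a small risk register worked in Python. It is an added example, not something Eric presented: the risks, dollar figures and incident rates are made up for illustration, and the scoring uses the usual single-loss times annual-frequency rule for expected annual loss. Each control is modelled as either preventing some fraction of incidents (locks, Deep Freeze-style restoration, antivirus) or recovering some fraction of the cost of an incident that still happens (backups), and the net benefit is the loss avoided minus what the control costs per year. The `revise` step at the end stands in for the evaluation phase: once real incident counts come in, the estimated frequency is replaced with the observed one and the ranking is recomputed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    single_loss: float   # estimated cost of one incident (the consequence)
    annual_rate: float   # expected incidents per year (likelihood / frequency)

    def annual_loss(self) -> float:
        """Expected annual loss: consequence multiplied by frequency."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    risk: str            # name of the Risk this control addresses
    annual_cost: float   # licence, hardware and staff time per year
    prevents: float      # fraction of incidents it stops (prevention)
    recovers: float      # fraction of each incident's cost it recovers (recovery)


def residual_loss(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains with the control in place."""
    rate = risk.annual_rate * (1 - control.prevents)
    loss = risk.single_loss * (1 - control.recovers)
    return rate * loss


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's own annual cost."""
    return risk.annual_loss() - residual_loss(risk, control) - control.annual_cost


def total_expected_loss(risks) -> float:
    """Unmitigated expected annual loss across the whole register."""
    return sum(r.annual_loss() for r in risks)


def rank_controls(risks, controls):
    """Controls ordered by net benefit, best first, as (name, benefit) pairs."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, round(net_benefit(by_name[c.risk], c), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def revise(risk: Risk, incidents_observed: int, years: float) -> Risk:
    """Evaluation step: replace the estimated frequency with the observed one."""
    return Risk(risk.name, risk.single_loss, incidents_observed / years)


# Constructed sample register (hypothetical figures, not from the talk).
RISKS = [
    Risk("disk failure loses patron files", single_loss=400.0, annual_rate=6.0),
    Risk("malware damages a public workstation", single_loss=250.0, annual_rate=20.0),
    Risk("workstation stolen", single_loss=1500.0, annual_rate=0.5),
]

CONTROLS = [
    Control("backup and recovery software", "disk failure loses patron files",
            annual_cost=600.0, prevents=0.0, recovers=0.8),
    Control("drive restoration software", "malware damages a public workstation",
            annual_cost=900.0, prevents=0.9, recovers=0.0),
    Control("antivirus", "malware damages a public workstation",
            annual_cost=1200.0, prevents=0.6, recovers=0.0),
    Control("locks and alarms", "workstation stolen",
            annual_cost=300.0, prevents=0.7, recovers=0.0),
]


if __name__ == "__main__":
    print("unmitigated expected annual loss:", total_expected_loss(RISKS))
    for name, benefit in rank_controls(RISKS, CONTROLS):
        print(f"{name}: net benefit {benefit:.2f} per year")
    # After a year of real data, thefts turned out to be rarer than estimated.
    revised = [revise(r, 0, 1.0) if r.name == "workstation stolen" else r for r in RISKS]
    print("locks and alarms after revision:",
          rank_controls(revised, CONTROLS)[-1])
```

The numbers only matter relative to each other: a control with negative net benefit costs more than the loss it avoids, which is the signal to look for a cheaper control, accept the risk, or transfer it (for example, to the campus computing department) instead.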
Eric closed by urging everyone to consider getting some disk-wiping software.
Q & A
A lively discussion ensued about keeping logs of patron activity. Eric’s institution has a universitywide requirement that each student’s login to a campus computer be recorded, so the library does not have the option of wiping its logs. Public librarians in the audience want the logs wiped as often as possible to protect patron privacy, but also find they do get subpoenas and have to turn over computers to the police. One librarian mentioned that she specifically has to budget for extra computers so they will be available if the police take some away.