South Central Library System
Security Guidelines
This document is http://www.scls.lib.wi.us/staff/policy/security.html, last
updated June 10, 1996.
The South Central Library System (SCLS), provides internetworked computing
services to libraries in south central Wisconsin. The South Central Automation
division manages the networks through which these services are provided.
Some network services provide authorized users with access to information
that should be considered sensitive or confidential. Because of this sensitivity
and because these shared resources represent a considerable investment of
capital and staff resources, network services are protected in a variety
of ways. To uphold these protections, users are expected to follow the common
sense guidelines presented in this document. A separate document, SCLS
Acceptable Use Policy, describes the rules that users must consider
when accessing network services provided by SCLS.
Authorization versus Access
The reason for security is to limit access to authorized users only. The
authority to access any given network service is granted by SCLS to the
library or by the library (selectively) to staff or patrons. Which network
services you are authorized to access are determined by SCLS and by your
library's local policy. Access to services for which you are not authorized
is prohibited under the SCLS Acceptable Use Policy.
Sensitive Administrative Information
Information about hardware and software configurations, user names, IDs,
login procedures and password controls is confidential. Keep this information
in a safe place where unauthorized users are not likely to find it. Never
intentionally disclose this kind of information or post it in written or
electronic form where unauthorized users might find it.
Passwords
Access to protected services is commonly controlled by requiring the user
to enter a password. If the user knows the password, they are granted access
to the protected service. The easiest way for an unauthorized user to gain
access to a protected service is to guess, steal, or forge the password
of an authorized user.
There are a few simple rules which reinforce the security of a password
protected system:
a) Passwords, either chosen by the user or handed down to the user
by network administrators, should not be easy to guess. Never use information
such as names, addresses, birthdays, license plates, or any simple variation
on guessable personal themes, forward or backward, as a password.
b) Passwords should be at least six characters long, preferably eight
or more. They should contain a mix of letters, numbers and other symbols.
c) Natural language words (in English or any other language) should
not be used by themselves or in pairs.
d) A single password should not be used for access to multiple accounts
or functions, nor shared between more than one user whenever possible. There
is a threshold where this rule bends, relative to the sensitivity of the
function being protected and the convenience of the authorized users. Security
measures should not make it difficult for users to complete the tasks they
are authorized to perform. Shared passwords should be changed frequently,
and especially in the case of staff turnover.
e) Passwords should never be posted in written or electronic form
in locations where unauthorized users might discover or intercept them,
especially at the point of access (your workstation) or in electronic mail.
Points of Access
A point of access is any location where access to network services can be
gained. This includes dumb terminals, smart PCs, dialup modems, and the
telecommunications equipment that enables us to share internetworked services.
Some points of access are restricted to specific services (either by the
configuration of the equipment at that point or by the configuration of
the service). Other points of access are unrestricted and can be used to
access any network service.
Any station which is used to access protected services should itself be
protected. There are a few simple rules which help enforce security at this
level:
a) A staff station capable of accessing protected services should
not be left unattended while it is logged in. A knowledgeable unauthorized
user only needs a few minutes to leverage your privileged access and gain
sensitive information or cause malicious damage.
b) Public access stations should always be logged in to public accounts
during normal open hours. A terminal that is not logged in can be used to
attempt unauthorized access to staff services.
c) Personal computers can be used by knowledgeable unauthorized users
to gain access to privileged information or protected services. Care should
be taken that PCs in public areas are properly protected against unintended
use, and especially against the installation of software not provided by
the library.
Network Administration and Maintenance
Unauthorized users sometimes use a tactic called "social engineering"
to try to gain sensitive information from people instead of from computers.
They may call, or write, or even show up at your desk to give false credentials
and ask questions that might give them some toehold for gaining privileged
access. The key to this tactic is getting you to believe that they are authorized
users or maintenance personnel, deserving of whatever assistance or information
you can give them.
The SCLS Automation division staff are the only people authorized to make
changes in network services, network access controls or equipment configurations.
We will not call your library to ask you questions about your passwords,
login procedures, or equipment configurations unless you have logged a problem
with us. The phone company, Ameritech Library Services (Dynix), or WiscNet
(our Internet access provider) will never call your library to request sensitive
information. If you receive a suspicious call of this nature, you should
report this to SCLS.
If there is any question in your mind that the person on the phone or standing
in your library is not who they claim to be, should not be doing what they
are doing or asking the questions they are asking, you should do whatever
is necessary to confirm their credentials, including calling SCLS directly.e)
Passwords should never be posted in written or electronic form in locations
where unauthorized users might discover or intercept them, especially at
the point of access (your workstation) or in electronic mail.