Cybersecurity Policy
The Cybersecurity Policy ensures compliance with ORC § 9.64 and defines how the Putnam County District Library (PCDL) prepares for, detects, responds to, and recovers from cybersecurity incidents. It seeks to ensure the security, integrity, and confidentiality of PCDL’s data systems and networks. It protects them from unauthorized access, cyber-attacks and other threats. This policy applies to all employees, volunteers, contractors, systems and data managed by the PCDL.
Responsibility
The Director and the Technology Coordinator are jointly designated as the individuals responsible for overseeing the cybersecurity program for the PCDL. Both individuals are responsible for ensuring organizational compliance and coordinating the necessary activities to comply with this policy. Comprehensive oversight is provided by the Library Director and Board of Trustees.
Compliance and Review
This policy will be reviewed annually by the PCDL Board of Trustees and updated as required by law, organizational needs or changes in technology.
Responsibilities
All staff members are required to do the following:
1. Complete security awareness training through the PCDL’s collaboration with Ohio Persistent Cyber Improvement (O-PCI) at least once per year. The duration and content of the training will be sufficient to provide necessary role-based knowledge.
2. Promptly report any suspicious activity or security breaches.
3. Avoid opening unknown email attachments or clicking on questionable links.
Asset Inventory
An inventory of all computers, servers, network equipment, and important software, including software-as-a-service applications, will be maintained by the Technology Coordinator in conjunction with the Director. The inventory will be updated when significant changes occur and when new systems are added. The inventory will be reviewed for accuracy at least once per year.
Access Controls
The PCDL will utilize the Principle of Least Privilege (PoLP) protocol. This protocol will help protect library technology including networks, equipment and access to resources. The principle asserts that users and applications are granted access only to the data and operations they require to perform their jobs, helping to reduce the attack surface of an application and the impact of a security breach should one occur.
Data Classification and Protection
The PCDL will establish and maintain a documented data management process. Data sensitivity, data ownership, handling of data, data retention limits, and disposal requirements will be included in this documentation. The review of this documentation will occur annually or when significant changes occur which could impact protection.
It is to be noted that the PCDL will also maintain records in accordance with the Record Retention Policy.
Vulnerability and Patch
Computer systems, software, and other assets will be kept up to date with security patches. The Technology Coordinator will manage all updates and patching for public access and staff computers where necessary. Vendors will be contacted to update their infrastructure when required or when the Director or Technology Coordinator recognizes an issue.
Password Management
All staff members are provided with a library email address. Passwords must be complex, must be changed regularly, and must not be shared. In the event of an email breach, the Technology Coordinator and/or Director should be notified immediately.
Network and Security Controls
Network security measures are implemented to prevent unauthorized access. The PCDL will maintain the following:
1. Firewalls on internet connections.
2. If wireless is needed, a separate and secure wireless network will be used for official business.
3. Default passwords on all network equipment will be changed on a regular basis.
4. If remote connections are made, VPN encryption will be used.
5. Software and systems will be updated regularly to address sensitive data.
6. PCDL public access Wi-Fi should never be used for accessing sensitive data.
7. Remote access will be limited to only those who need it.
Anti-Malware Protection
Anti-malware protection will be installed on all computers used within the PCDL.
Incident Response
An incident response and contingency plan will be maintained to address cybersecurity events. The Director and/or Technology Coordinator, as members of the Cyber Anticipation & Resiliency Team (CART), will be responsible for identifying mission essential functions (MEFs), which are the critical operations and services that the library must continue to provide, even during a cyber incident. The CART will create procedures for detecting, reporting, and escalating incidents that occur.
The plan will be:
1. Reviewed and updated annually or after any major event.
2. Tested for functionality at least once per year.
3. Official cybersecurity documentation will be retained with other cybersecurity documentation in both a digital and printed format.
If a cybersecurity incident or ransomware incident occurs, the PCDL will do the following:
1. Notify the Department of Public Safety/Ohio Homeland Security as soon as possible, but not later than 7 days after discovering the incident.
2. Notify the Ohio Auditor of State as soon as possible, but not later than thirty (30) days after discovering the incident.
3. Notify the PCDL Board of Trustees.
4. Notify legal teams, if determined necessary.
Third Party Management
All vendors that provide services to the PCDL will be required to comply with cybersecurity standards. Periodic reviews will be conducted to ensure vendors are meeting the required levels of security.
Compliance and Review
This policy will be reviewed annually and updated to reflect changes in technology, law and organizational needs.
Effective 06/23/2026