[Adopted July 11, 1995 by the OPLIN Board of Trustees]
[Amended December 8, 2006]
The name of the organization shall be the Ohio Public Library Information Network, also known as OPLIN, and its governing authority shall be the OPLIN Board of Trustees.
The purpose of OPLIN shall be to ensure equity of access to electronic information for all Ohio citizens.
Any board of trustees of any public county, township, municipal, school district, county district, regional district, or association library organized under the Ohio Revised Code, or any regional library system chartered by the State Library of Ohio, may choose to participate in OPLIN by notifying the OPLIN Board in writing and agreeing to comply with OPLIN rules and regulations.
The OPLIN Board, as originally established by the 121st GA H. B. 117, has oversight responsibility for the Ohio Public Library Information Network (OPLIN). In exercise of such responsibility, the OPLIN Board shall be governed by these Bylaws, all of which shall be in accordance with State and Federal law.
Members of the OPLIN Board shall carry out its mission in accordance with the strictest ethical guidelines and will ensure that they conduct themselves in a manner that fosters public confidence in the integrity of the Board, its processes, and its accomplishments. Board members must, at all times, abide by protections to the public embodied in Ohio ethics laws as interpreted by the Ohio Ethics Commission and Ohio courts.
The Board shall be appointed by the State Library Board. A Nominations Committee, appointed annually by the OPLIN Board, shall provide to the State Library Board the name of a qualified person to fill each vacancy on the OPLIN Board, based on recommendations from the Ohio public library community.
The Board will meet at least four times per year.
The Chair may call special meetings as required, providing at least 72 hours' advance notice and the reason for such special meeting.
At all meetings of the OPLIN Board, six voting members present shall constitute a quorum for the transaction of business.
Order of business at regular meetings of the OPLIN Board shall be established by an approved agenda.
Certain items of business may be approved by consensus as deemed appropriate by the Chair.
Business of the Board may be conducted by the Board as a whole or by committees or task forces, as authorized by the Board. Such groups will be appointed by the Chair and may include Board Members or other individuals as deemed appropriate.
Amendments to these Bylaws and Policies may be proposed at any regular meeting. The proposed amendment shall be made known to members not present and shall be voted on at the next regular meeting. Seven votes are required for passage of any amendment.
All proceedings not specified herein shall be governed by State and Federal law and by Robert's Rules of Order.
OPLIN shall exercise due diligence to ensure that all OPLIN computer and telecommunications systems and services are secure, and that the information contained within those systems and services is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.
This document outlines a plan to accomplish that goal through implementation of individual policies covering Risk Assessment and Data Classification, Recovery Preparation, Boundary Security, Password Security, Malicious Code Security, Internet Security, Remote Access Security, Portable Computing Security, Intrusion Prevention and Detection, Security Incident Response, Security Notifications, Security Practices, and Security Education and Awareness. In any case where these policies conflict with the Information Technology Security Policies of the Ohio Office of Information Technology (OIT), OIT's policies shall prevail.
OPLIN shall admonish all employees, contractors, temporary personnel and other agents of the state to adhere to these policies.
OPLIN shall annually conduct a risk assessment of system assets, threats, and organizational priorities. The assessment shall be prepared by the OPLIN Director, or a staff member designated by the Director, with input from all staff. This assessment will be reviewed at the end of every fiscal year to ensure that it is current.
The assessment shall be stored in a secure location and shall include current information regarding:
In conjunction with this risk assessment, OPLIN staff shall review the classification of OPLIN data. The data shall be labeled for both confidentiality ("public," "limited access," or "restricted") and criticality ("low," "medium," "high," or "very high"). Any data that could efficiently be replaced rather than protected will also be identified.
Concurrent with this annual assessment, OPLIN shall notify OIT Risk Management Services of the current primary and secondary incident response points of contact, which will typically be the Director and the Technology Projects Manager.
OPLIN shall take the following steps to ensure that critical tools, data and equipment are available to facilitate containment and recovery in the event of a security breach:
OPLIN shall acquire, install, operate and manage a boundary security capability in cooperation with OIT to allow authorized network traffic and deny everything else.
All OPLIN staff using passwords to access OPLIN-operated information technology or to access data in any way related to OPLIN business, including vendor data related to OPLIN accounts, shall use passwords that conform to these requirements:
The following requirements pertain to password administration on OPLIN-operated information technology:
OPLIN shall deploy malicious code security ("anti-virus") capability. Anti-virus software shall be installed and operating properly on all OPLIN-owned, OPLIN-operated or OPLIN-authorized information systems. The anti-virus software shall be configured to:
OPLIN staff must report any malicious code incidents to the Technology Projects Manager (TPM) as soon as possible. The TPM shall maintain a record of malicious code incidents for auditing purposes.
OPLIN shall evaluate its anti-virus software annually and at the same time ensure that each employee receives initial or refresher training on malicious code security, including how to use the anti-virus software selected by OPLIN.
Nothing in this policy shall be construed to require that OPLIN is responsible for installation, maintenance and support of anti-virus software on privately owned computers.
OPLIN shall secure connections to the Internet from OPLIN-controlled assets against unauthorized access and malicious code. Participation in chat rooms, open forum discussion groups or interactive messaging shall be permitted only when organized or approved by OPLIN. An individual approved to participate in any of these forms of communication shall be aware of methods to avoid inadvertent disclosure of sensitive information, as well as of practices that should be avoided because they could harm the security of state computer systems and networks.
OPLIN shall permit all staff to access OPLIN servers remotely, but shall ensure that the following conditions are met:
OPLIN shall permit staff use of portable computing devices, either OPLIN-owned or privately owned and authorized for state use. Users of portable computing devices shall adhere to these requirements:
OPLIN shall maintain a capability to prevent and detect successful attempts to breach security measures for the purpose of system intrusions or misuse.
OPLIN shall assess all security incidents to determine the severity of the incident and how it should be handled. Security incidents may be classified as either critical or threatening, and the OPLIN response shall vary accordingly. The OPLIN Technology Projects Manager or the OPLIN Director shall have responsibility for classifying security incidents; these two individuals and the OPLIN Support Center staff shall be responsible for completing responses to incidents.
Threatening incidents do not impact the security of any OPLIN resources that have either been determined to be critical in the annual risk assessment or contain confidential information, and they do not require that any systems be recovered or restored. Such incidents shall be recorded in a secure file and the record shall include: a description of the incident; how the incident was identified; who identified the incident; an inventory of all actions taken, when they were taken and who performed them; and any correspondence associated with the incident. The record shall be retained for at least one (1) year.
Critical incidents impact the security of OPLIN resources determined to be critical in the annual risk assessment or containing confidential information, and/or they require that systems be recovered or restored. These incidents require a more extensive response:
OPLIN shall notify public library users of OPLIN web-based applications, such as the Support Center web page, that:
This notification shall appear at the bottom of the first web page that provides access to the web-based application.
This policy shall not apply to e-mail services supplied to public libraries by OPLIN.
OPLIN shall abide by the policies and procedures of the State Library of Ohio in regard to basic security practices that are not covered elsewhere in this document, such as:
All OPLIN staff shall meet annually to review these policies and the current risk assessment. New OPLIN employees, contractors, and temporary personnel shall also review the policies and risk assessment as part of their orientation to OPLIN. OPLIN staff directly involved with maintenance of OPLIN security capability shall be encouraged to acquire, at OPLIN's expense, appropriate technical training, certifications, formal course work, and/or conferences for information technology security technologies and practices, such as firewalls, wireless devices, routers, switches, virtual private networks, encryption, public key infrastructure, data protection, and audit logging.
Approved by the OPLIN Board on October 12, 2007; minor revisions August 1, 2011 to conform with state policy ITS-SEC-02
Issued March 28, 2000
Approved by the OPLIN Board of Trustees June 9, 2000
The most important thing for you to know is that OPLIN collects no personal information about you when you visit the OPLIN Web site unless you choose to provide that information.
You do not have to give OPLIN any personal information to visit its Web site. OPLIN does not track or permanently record information about individuals and their visits.
Here is how OPLIN handles information about your visit to its Web site.
If all you do is look around the Web site, read text, or download information, OPLIN will gather and store certain information about your visit automatically.
This information does not identify you personally.
OPLIN automatically collects and stores only the following information about your visit:
OPLIN uses this information to help make its site more functional for visitors -- to learn about the number of visitors to its site and the kinds of information they seek.
Browser and operating information allow the OPLIN Web site to take you to the version of the site that best conforms to the capabilities of your tools. Visitors using text-only browsers or older versions of graphical browsers go automatically to the OPLIN text-only site.
Search results disclose whether the OPLIN Web site contains the kinds of information its visitors seek and are used for planning future additions to the site. These results are not linked to domain, IP, or browser data.
The OPLIN Web site uses Web "cookies" only when necessary to complete a transaction, and then only temporarily. OPLIN does not use persistent cookies.
If you choose to provide us with personal information -- sending an e-mail to the OPLIN Director or other OPLIN staff members, or using the online contact form -- OPLIN uses that information only to respond to your message and to help get you the information you have requested.
OPLIN only shares the information you give it with other agencies or individuals who may be able to respond to your inquiry or as otherwise required by law. OPLIN does not create individual profiles with the information you provide, nor does it give that information to any private organizations. OPLIN does not collect information for commercial marketing.
Information collected automatically on the OPLIN Web site, as well as e-mail sent to OPLIN, is generally subject to state open record laws except as provided by Ohio or federal law.
Visitors to the Web site receive information from OPLIN only in response to their own requests.
OPLIN does not supervise or control public-access workstations. Be aware that if you send personal information of any kind to any Web site from a public-access workstation, that information very well may remain in the cached files of that workstation and, therefore, open to discovery by other users.
Ohio Public Library Information Network
2323 W. Fifth Ave, Suite 130
Columbus, OH 43204
Phone: (614) 728-5252
OPLIN does not have an organizational policy on public access to OPLIN business records; instead, as an independent agency within the State Library of Ohio, it is governed by the State Library policy.
This policy permits the OPLIN Director to designate eligible employees who manage OPLIN services to work at alternate work locations for all or part of their work week in order to promote general work efficiencies that provide a benefit to OPLIN. Teleworking is not an employee benefit, but an alternate method of meeting the needs of OPLIN. Teleworking is a privilege; therefore OPLIN has the right to reasonably refuse to make teleworking available to any employee and the right to terminate a teleworking arrangement at any time.
OPLIN staff members are all exempt, unclassified employees within the classification Administrative Staff - #99580.
OPLIN is governed by an eleven-member Board of Trustees, appointed by the State Library Board (O.R.C. 3375.65). OPLIN offers Ohio residents fast, free access to the Internet through Ohio's local public libraries, as well as the use of high-quality research databases. The staff of OPLIN provides electronic and in-person technical support to local public library systems. Most of the customer support OPLIN provides is achieved through e-mail and phone contact. Additionally, OPLIN staff will provide on-site technical support, guidance and training for local library staffs.
The OPLIN Director has sole discretion to:
A teleworker's duties, obligations, responsibilities, and conditions of employment with OPLIN will be unaffected by the teleworking arrangement. Teleworking assignments do not change the conditions of employment or required compliance with OPLIN policies, rules and procedures. Compliance with State of Ohio laws, rules, and policies is not impacted by an employee's teleworking status. OPLIN ultimately has the authority to determine whether a specific job may be performed effectively from an alternate work location and whether an employee can be effective working from the alternate work location.
Teleworking is not intended to serve as a substitute for child or adult care. If children or adults in need of primary care are in the alternate work location during the employee's work hours, some other individual must be present to provide the care.
An employee's compensation and benefits will not change as a result of teleworking.
The total number of hours that an employee is expected to work will not change, regardless of work location. Generally, these hours will be 8:00AM to 5:00PM Monday through Friday, with a one-hour break for lunch. The teleworking employee must document hours worked as required by OPLIN procedure and policy.
The OPLIN Director shall require the employee to report to the central workplace as needed for work-related meetings or any other events deemed necessary by the OPLIN Director.
While at their alternate work location, the employee shall:
Normally, the state will provide equipment and materials needed by employees to effectively perform their duties while at the alternate work location. At a minimum, the employee shall be provided a portable computing device and a telephony device dedicated to work use; however, the employee may be authorized to use her/his own equipment as authorized by both agency and statewide information technology policies. State-owned equipment may be used only for legitimate state purposes by the authorized employee and only in compliance with applicable state and agency policy. The employee is responsible for protecting state-owned equipment and data from theft, damage and unauthorized use, in accordance with the OPLIN "Information Technology Security Management" policy as well as any other applicable statewide policy. State-owned equipment used in the normal course of employment will be maintained, serviced and repaired by the state. When the employee is authorized to use her/his own equipment, the state will not assume responsibility for the cost of equipment, repair, or service.
The employee shall designate a workspace within the alternate work location. The employee shall maintain this workspace in a safe condition, free from hazards and other dangers to employee and equipment. The employee's supervisor or management at OPLIN will have the authority to view the alternate work site before teleworking begins to ensure the space is compliant with this policy. After teleworking has begun, a teleworker's supervisor may go to the alternate work location during the employee's normal work hours without notice to the employee.
Teleworking is not intended to be used in place of sick leave, Family and Medical Leave, Workers' Compensation leave, or other types of leave. The OPLIN Director may determine whether or not it is appropriate to offer teleworking as an opportunity for partial or full return to work based on OPLIN policy and the criteria normally applied to decisions regarding the approval of teleworking.
OPLIN may be liable for job-related injuries or illnesses to the extent applicable under the State of Ohio's Workers' Compensation laws that occur during the employee's established work hours in their alternate work locations. This liability is limited to injuries resulting directly from work and only if the injury occurs in the designated work location. Any claims will be handled according to the normal procedure for Workers' Compensation claims.
OPLIN assumes no liability for injuries occurring in the employee's home outside the agreed upon work hours. OPLIN is not liable for loss, destruction, or injury that may occur in or to the employee's home. This includes family members, visitors, or others that may become injured within or around the employee's home.
The teleworker, not OPLIN, shall be responsible for the teleworker's own damages and non-compensable injuries, and for any third party's damages and injuries resulting from the teleworker's failure to comply with all safety and health regulations and any violation of the OPLIN teleworking policy.
OPLIN is not obligated to assume responsibility for operating costs, home maintenance, or other costs incurred by an employee in the use of their home as a teleworking alternate work location. OPLIN may provide a telephone to the employee for business use. If a telephone is not provided, OPLIN may reimburse the employee for business-related long distance calls made from a personal telephone.
The employee must safeguard OPLIN information used or accessed while teleworking. The OPLIN Director must grant permission according to OPLIN procedures for the employee to work on restricted-access information or materials at an alternate work location. The employee must agree to follow the OPLIN "Information Technology Security Management" policy in order to ensure confidentiality and security of data.
Teleworking will be for a fixed period of time, as determined by the Director for each teleworking employee, and continuance shall be subject to satisfactory review upon reaching the end of the fixed period of time.
Work shall be assigned to the employee in the same manner as those who are not teleworking and shall be completed according to agency policies and procedures. During the initial phases of teleworking, a weekly schedule of duties, expectations and outcomes will be established and measured.