[Adopted July 11, 1995 by the OPLIN Board of Trustees]
[Amended December 8, 2006]
The name of the organization shall be the Ohio Public Library Information Network, also known as OPLIN, and its governing authority shall be the OPLIN Board of Trustees.
The purpose of OPLIN shall be to ensure equity of access to electronic information for all Ohio citizens.
Any board of trustees of any public county, township, municipal, school district, county district, regional district, or association library organized under the Ohio Revised Code, or any regional library system chartered by the State Library of Ohio, may choose to participate in OPLIN by notifying the OPLIN Board in writing and agreeing to comply with OPLIN rules and regulations.
The OPLIN Board, as originally established by the 121st GA H. B. 117, has oversight responsibility for the Ohio Public Library Information Network (OPLIN). In exercise of such responsibility, the OPLIN Board shall be governed by these Bylaws, all of which shall be in accordance with State and Federal law.
Members of the OPLIN Board shall carry out its mission in accordance with the strictest ethical guidelines and will ensure that they conduct themselves in a manner that fosters public confidence in the integrity of the Board, its processes, and its accomplishments. Board members must, at all times, abide by protections to the public embodied in Ohio ethics laws as interpreted by the Ohio Ethics Commission and Ohio courts.
The Board shall be appointed by the State Library Board. A Nominations Committee, appointed annually by the OPLIN Board, shall provide to the State Library Board the name of a qualified person to fill each vacancy on the OPLIN Board, based on recommendations from the Ohio public library community.
The Board will meet at least four times per year.
The Chair may call special meetings as required, providing at least 72 hours advance notice and the reason for such special meeting.
At all meetings of the OPLIN Board, six voting members present shall constitute a quorum for the transaction of business.
Order of business at regular meetings of the OPLIN Board shall be established by an approved agenda.
Certain items of business may be approved by consensus as deemed appropriate by the Chair.
Business of the Board may be conducted by the Board as a whole or by committees or task forces, as authorized by the Board. Such groups will be appointed by the Chair and may include Board Members or other individuals as deemed appropriate.
Amendments to these Bylaws and Policies may be proposed at any regular meeting. The proposed amendment shall be made known to members not present and shall be voted on at the next regular meeting. Seven votes are required for passage of any amendment.
All proceedings not specified herein shall be governed by State and Federal law and by Robert's Rules of Order.
OPLIN shall exercise due diligence to ensure that all OPLIN computer and telecommunications systems and services are secure, and that the information contained within those systems and services is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.
This document outlines a plan to accomplish that goal through implementation of individual policies covering Risk Assessment and Data Classification, Recovery Preparation, Boundary Security, Password Security, Malicious Code Security, Internet Security, Remote Access Security, Portable Computing Security, Intrusion Prevention and Detection, Security Incident Response, Security Notifications, Security Practices, and Security Education and Awareness. In any case where these policies conflict with the Information Technology Security Policies of the Ohio Office of Information Technology (OIT), OIT's policies shall prevail.
OPLIN shall admonish all employees, contractors, temporary personnel and other agents of the state to adhere to these policies.
OPLIN shall annually conduct a risk assessment of system assets, threats, and organizational priorities. The assessment shall be prepared by the OPLIN Director, or a staff member designated by the Director, with input from all staff. This assessment will be reviewed at the end of every fiscal year to ensure that it is current.
The assessment shall be stored in a secure location and shall include current information regarding:
In conjunction with this risk assessment, OPLIN staff shall review the classification of OPLIN data. The data shall be labeled for both confidentiality ("public," "limited access," or "restricted") and criticality ("low," "medium," "high," or "very high"). Any data that could efficiently be replaced rather than protected will also be identified.
Concurrent with this annual assessment, OPLIN shall notify OIT Risk Management Services of the current primary and secondary incident response points of contact, which will typically be the Director and the Technology Projects Manager.
OPLIN shall take the following steps to ensure that critical tools, data and equipment are available to facilitate containment and recovery in the event of a security breach:
OPLIN shall acquire, install, operate and manage a boundary security capability in cooperation with OIT to allow authorized network traffic and deny everything else.
All OPLIN staff using passwords to access OPLIN-operated information technology or to access data in any way related to OPLIN business, including vendor data related to OPLIN accounts, shall use passwords that conform to these requirements:
The following requirements pertain to password administration on OPLIN-operated information technology:
OPLIN shall deploy malicious code security ("anti-virus") capability. Anti-virus software shall be installed and operating properly on all OPLIN-owned, OPLIN-operated or OPLIN-authorized information systems. The anti-virus software shall be configured to:
OPLIN staff must report any malicious code incidents to the Technology Projects Manager (TPM) as soon as possible. The TPM shall maintain a record of malicious code incidents for auditing purposes.
OPLIN shall evaluate its anti-virus software annually and at the same time ensure that each employee receives initial or refresher training on malicious code security, including how to use the anti-virus software selected by OPLIN.
Nothing in this policy shall be construed to require that OPLIN is responsible for installation, maintenance and support of anti-virus software on privately owned computers.
OPLIN shall secure connections to the Internet from OPLIN-controlled assets against unauthorized access and malicious code. Participation in chat rooms, open forum discussion groups or interactive messaging shall be permitted only when organized or approved by OPLIN. An individual approved to participate in any of these forms of communication shall be aware of methods to avoid inadvertent disclosure of sensitive information, as well as of practices that could harm the security of state computer systems and networks and are to be avoided.
OPLIN shall permit all staff to access OPLIN servers remotely, but shall ensure that the following conditions are met:
OPLIN shall permit staff use of portable computing devices, either OPLIN-owned or privately owned and authorized for state use. Users of portable computing devices shall adhere to these requirements:
OPLIN shall maintain a capability to prevent and detect successful attempts to breach security measures for the purpose of system intrusions or misuse.
OPLIN shall assess all security incidents to determine the severity of the incident and how it should be handled. Security incidents may be classified as either critical or threatening, and the OPLIN response shall vary accordingly. The OPLIN Technology Projects Manager or the OPLIN Director shall have responsibility for classifying security incidents; these two individuals and the OPLIN Support Center staff shall be responsible for completing responses to incidents.
Threatening incidents do not impact the security of any OPLIN resources that have either been determined to be critical in the annual risk assessment or contain confidential information, and they do not require that any systems be recovered or restored. Such incidents shall be recorded in a secure file and the record shall include: a description of the incident; how the incident was identified; who identified the incident; an inventory of all actions taken, when they were taken and who performed them; and any correspondence associated with the incident. The record shall be retained for at least one (1) year.
Critical incidents impact the security of OPLIN resources determined to be critical in the annual risk assessment or containing confidential information, and/or they require that systems be recovered or restored. These incidents require a more extensive response:
OPLIN shall notify public library users of OPLIN web-based applications, such as the Support Center web page, that:
This notification shall appear at the bottom of the first web page that provides access to the web-based application.
This policy shall not apply to e-mail services supplied to public libraries by OPLIN.
OPLIN shall abide by the policies and procedures of the State Library of Ohio in regard to basic security practices that are not covered elsewhere in this document, such as:
All OPLIN staff shall meet annually to review these policies and the current risk assessment. New OPLIN employees, contractors, and temporary personnel shall also review the policies and risk assessment as part of their orientation to OPLIN. OPLIN staff directly involved with maintenance of OPLIN security capability shall be encouraged to acquire, at OPLIN's expense, appropriate technical training, certifications, formal course work, and/or conferences for information technology security technologies and practices, such as firewalls, wireless devices, routers, switches, virtual private networks, encryption, public key infrastructure, data protection, and audit logging.
Approved by the OPLIN Board on October 12, 2007; minor revisions August 1, 2011 to conform with state policy ITS-SEC-02
Issued March 28, 2000
Approved by the OPLIN Board of Trustees June 9, 2000
The most important thing for you to know is that OPLIN collects no personal information about you when you visit the OPLIN Web site unless you choose to provide that information.
You do not have to give OPLIN any personal information to visit its Web site. OPLIN does not track or permanently record information about individuals and their visits.
Here is how OPLIN handles information about your visit to its Web site.
If all you do is look around the Web site, read text, or download information, OPLIN will gather and store certain information about your visit automatically.
This information does not identify you personally.
OPLIN automatically collects and stores only the following information about your visit:
OPLIN uses this information to help make its site more functional for visitors -- to learn about the number of visitors to its site and the kinds of information they seek.
Browser and operating information allow the OPLIN Web site to take you to the version of the site that best conforms to the capabilities of your tools. Visitors using text-only browsers or older versions of graphical browsers go automatically to the OPLIN text-only site.
Search results disclose whether the OPLIN Web site contains the kinds of information its visitors seek and are used for planning future additions to the site. These results are not linked to domain, IP, or browser data.
The OPLIN Web site uses Web "cookies" only when necessary to complete a transaction, and then only temporarily. OPLIN does not use persistent cookies.
If you choose to provide us with personal information -- sending an e-mail to the OPLIN Director or other OPLIN staff members, or using the online contact form -- OPLIN uses that information only to respond to your message and to help get you the information you have requested.
OPLIN only shares the information you give it with other agencies or individuals who may be able to respond to your inquiry or as otherwise required by law. OPLIN does not create individual profiles with the information you provide, nor does it give that information to any private organizations. OPLIN does not collect information for commercial marketing.
Information collected automatically on the OPLIN Web site, as well as e-mail sent to OPLIN, is generally subject to state open record laws except as provided by Ohio or federal law.
Visitors to the Web site receive information from OPLIN only in response to their own requests.
OPLIN does not supervise or control public-access workstations. Be aware that if you send personal information of any kind to any Web site from a public-access workstation, that information very well may remain in the cached files of that workstation and, therefore, be open to discovery by other users.
Ohio Public Library Information Network
2323 W. Fifth Ave, Suite 130
Columbus, OH 43204
Phone: (614) 728-5252
OPLIN does not have an organizational policy on public access to OPLIN business records; instead, as an independent agency within the State Library of Ohio, it is governed by the State Library policy.