Library Privacy Checklist for Data Exchange Between Networked Devices and Services
This checklist is intended to help libraries of all sizes take practical steps to improve their privacy practices and to implement the principles laid out in the Library Privacy Guidelines for Data Exchange Between Networked Devices and Services.
Priority 1 actions are steps every library can take to improve privacy practices. Priority 2 and Priority 3 actions are just as important, and they protect user privacy in the same way, but they may be harder for a given library to implement, depending on its:
- technical expertise
- available resources
- organizational structure
Regardless of these factors, libraries can use the Priority 2 and Priority 3 actions as talking points with third parties and vendors, who may have the resources and expertise to help the library implement them.
Priority 1 Actions
- Establish minimum security practices for devices and services.
- Change every default password.
- Disable remote login to the superuser account (root or Administrator); for OpenSSH this is PermitRootLogin no.
- Keep all software up to date, installing only from a secure and verified source (signed packages fetched over an authenticated channel).
- Require authentication for every client connection to a service that exposes user information.
- Limit clients to only the access they need (the least-privilege model).
- Enable mutual authentication of server and client where the service supports it.
- Use a standard protocol such as OAuth 2.0 (with OpenID Connect where the goal is user login; OAuth by itself is an authorization framework) rather than a home-grown scheme, when feasible.
- Implement a logging policy for devices and services that covers rotation and retention, the types of data collected, and the implications for user privacy.
Priority 2 Actions
- Harden security on devices and services.
- Disable any extraneous services running on devices.
- Limit administrative privileges to authorized individuals through user access controls or sudo.
- Require a unique password for each instance of a service, so that one compromised instance does not expose the others.
- Implement and enforce a strong password policy that specifies password length, composition, and lifetime. Consider using randomly generated passwords.
- Encrypt data communications between client applications and server applications that may carry user information.
- Where possible, configure services to require encryption by default, i.e. refuse unencrypted connections.
- If a service does not support encryption itself (e.g. SIP2), carry it over an encrypted transport such as a TLS wrapper (stunnel), an SSH tunnel, or a VPN.
- Encrypt sensitive data at rest (data warehouses, archives, tapes, offsite backups, etc.).
- Store application passwords as salted hashes computed with a deliberately slow password-hashing function (bcrypt, scrypt, or Argon2), never with reversible encryption; hashing, not encryption, is the current best practice.
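The following is an added example for this checklist, not code from the ALA or from any library vendor. It shows the three password items above in working form: a randomly generated password for each service instance, storage as a salted scrypt hash rather than encrypted text, and constant-time verification. It uses only the Python standard library; the scrypt work factors and the `scrypt$N$r$p$salt$hash` storage format are this example's own choices, not a standard.

```python
"""Password generation, hashing and verification for a library service.
Added example for the privacy checklist (not ALA or vendor code).
Uses hashlib.scrypt (salted, memory-hard) and the secrets module for randomness."""
import base64
import hashlib
import hmac
import secrets
import string

# scrypt work factors: this example's choice for a small server
# (N=2^14, r=8 uses about 16 MiB per hash; raise N on faster hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # a fresh random salt per stored password
DKLEN = 32        # derived hash length in bytes


def generate_password(length=20):
    """Random password for a service instance, drawn with a CSPRNG (secrets),
    never with random.random(). Letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password):
    """Return a self-describing record 'scrypt$N$r$p$salt$hash' (base64 fields).
    Storing N, r and p alongside the hash lets the parameters be raised later
    without breaking verification of older records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def verify_password(password, stored):
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. Any malformed record verifies as False rather than raising."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # One unique password per service instance (constructed instance names).
    for instance in ("sip2-branch-a", "sip2-branch-b"):
        pw = generate_password()
        record = hash_password(pw)
        print(instance, "->", record)
        print("  verifies:", verify_password(pw, record),
              " wrong password:", verify_password(pw + "x", record))
```

Two records for the same password differ because each carries its own salt, so an attacker who obtains the password store cannot use one precomputed table against all accounts.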
Priority 3 Actions
- All remote access (including SSH) should authenticate with keys, not passwords.
- RSA keys should be no less than 2048 bits (4096 bits is preferable); a modern elliptic-curve key such as Ed25519 is an equally acceptable alternative.
- Do not allow deprecated or insecure ciphers, MACs, or key-exchange algorithms.
- Protect private keys: keep them on a hardware token or at least encrypted with a passphrase, and where the key format supports subkeys (as OpenPGP does) keep the master key offline.
- Rotate keys regularly and be ready to revoke them in case of compromise.
- Review the protocols employed by devices and services. Protocols should:
  - be standard, established, and open;
  - not be deprecated because of security concerns;
  - support data integrity, including origin authentication, non-repudiation of origin and of receipt, and verification of the payload with a cryptographic signature or MAC (a bare hash detects corruption but does not authenticate the sender).
- Verify the security of devices and services using penetration-testing tools or vulnerability scanners.
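As an added example, not a tool from the ALA or from the OpenSSH project, the script below audits an `sshd_config` for the remote-access items above (no root login, key-only authentication, no deprecated algorithms). The two configurations it checks are constructed samples; the lists of "weak" algorithms are this example's own selection of ciphers, MACs and key exchanges that OpenSSH has disabled by default or retired, not an exhaustive standard, and the audit only reads the global section (it stops at the first `Match` block).

```python
"""Audit an OpenSSH sshd_config against the checklist's remote-access items.
Added example for the privacy checklist (not ALA or OpenSSH code)."""
import re

# Keyword -> accepted value for the settings the checklist calls for.
REQUIRED = {
    "permitrootlogin": "no",          # no remote superuser login at all
    "passwordauthentication": "no",   # keys, not passwords
    "pubkeyauthentication": "yes",
}

# Example's own deny-lists of retired / weak algorithms.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# Constructed sample: a typical stock configuration with weak choices.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""

# Constructed sample: the same server after hardening.
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section. sshd honours the
    FIRST occurrence of a keyword, so later duplicates are ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break  # per-user/host overrides are out of scope for this example
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings (strings). An empty list means the config passes."""
    s = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        value = s.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly; set it to '{wanted}'")
        elif value.lower() != wanted:
            findings.append(f"{key}: is '{value}', expected '{wanted}'")
    # Keyboard-interactive auth (PAM) can reintroduce password prompts even when
    # PasswordAuthentication is off; OpenSSH 8.7 renamed the keyword.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication"))
    if kbd is None or kbd.lower() != "no":
        findings.append("kbdinteractiveauthentication: should be 'no' to block PAM password prompts")
    for key, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS), ("kexalgorithms", WEAK_KEX)):
        value = s.get(key)
        if value is None:
            continue  # version defaults apply; review them for that OpenSSH release
        chosen = {a.strip().lower() for a in value.lstrip("+-^").split(",")}
        bad = sorted(chosen & weak)
        if bad:
            findings.append(f"{key}: deprecated algorithms enabled: {', '.join(bad)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; settings that are missing are reported as findings on purpose, because relying on a release's defaults is exactly what an audit should surface.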
Resources
Centre for the Protection of National Infrastructure. Password Guidance: Simplifying Your Approach
Burr, W. E., Dodson, D. F., Newton, E. M., Perlner, R. A., Polk, W. T., Gupta, S., & Nabbus, E. A. (2011). Electronic Authentication Guideline. NIST Special Publication 800-63-1.
Chandramouli, R., Iorga, M., & Chokhani, S. (2014). Cryptographic key management issues and challenges in cloud services. In Secure Cloud Computing (pp. 1-30). Springer New York.
Hoeper, K., & Chen, L. (2009). Recommendation for EAP Methods Used in Wireless Network Access Authentication. NIST Special Publication 800-120.
Jakimoski, K. (2016). Security Techniques for Data Protection in Cloud Computing. International Journal of Grid and Distributed Computing, 9(1), 49-56.
Jansen, W., & Grance, T. (2011). Guidelines on Security and Privacy in Public Cloud Computing. NIST Special Publication 800-144, 10-11.
National Center for Education Statistics (Ed.). (n.d.). Chapter 6: Maintaining a Secure Environment, Weaving a Secure Web Around Education: A Guide to Technology Standards and Security.
Peng, C., Kesarinath, G., Brinks, T., Young, J., & Groves, D. (2009). Assuring the Privacy and Security of Transmitting Sensitive Electronic Health Information. AMIA Annual Symposium Proceedings, 2009, 516–520.
Singhal, A., Winograd, T., & Scarfone, K. (2007). Guide to Secure Web Services. NIST Special Publication 800-95, 4.
Tysowski, P. (2016). OAuth Standard for User Authorization of Cloud Services. Encyclopedia of Cloud Computing, 406-416.
Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020.