Information Security, Risk, and Getting in One’s Own Way

Maru demonstrating how certain information security measures can ultimately backfire and put the organization at risk if the measures add too many barriers for the user to go about their work. Source – https://twitter.com/rpteixeira/status/1176903814575796228

Let’s start this week’s Cybersecurity Awareness Month post with a phrase that will cause some of you to scream into the void and others to weep at your work desk quietly:

Admin privileges on work computers.

Rationing admin privileges on work computers is one example of an information security practice that both protects and puts data at risk. Limiting the worker’s ability to install a program on their work computer reduces the chances of the system falling to a cyberattack via malware. It also reduces the chances of critical operations or process failure if an app downloaded without IT support breaks after an OS update or patch. On the other hand, limiting admin privileges can motivate some workers to work around IT, particularly if IT has consistently denied requests for privileges or installing new tools or if the request process resembles something that only a Vogon would conceive of.  These workarounds put data at risk when staff work around IT to use third-party software with which the library has no contractual relationship or vendor security oversight. No contractual relationship + no evaluation of third-party privacy policies or practices = unprotected data.

IT is often their own worst enemy when it comes to information security. Staff don’t like barriers, particularly ones they see as arbitrary or prevent them from doing their jobs. Each information security policy or practice comes with a benefit and a cost in terms of risk. Sometimes these practices and standards have hidden costs that wipe out any benefit they offer. In the example of computer admin privileges, restrictions might lead workers to use personal computers or use third-party applications that the organization hasn’t vetted.  We have to calculate that risk with the benefit of reducing the chances of malware finding its way into the system.

The benefit-cost calculation comes back to the question of barriers, particularly what they are, how your policies and processes contribute to them, and the solutions or workarounds to navigate those barriers. Answering this question requires us to revisit the risk equation of calculating the cost or impact of a threat exploiting a vulnerability and how one can address the risk. By eliminating one risk through the barrier of disallowing admin privileges for staff computers, the organization accepts the multitude of risks that come with staff using personal devices or third-party applications or systems to work around the barrier.

Some barriers (for example, requiring authentication into a system that stores sensitive data) are necessary to reduce risk and secure data. The hard part comes in determining which barriers will not cost the organization more in the long run. In the case of admin privileges, we might consider the following options:

  • Creating two user accounts for each staff person: a regular account used for daily work and one local administrator account used only to install applications. The delineation of accounts mitigates the risk of malware infecting the local computer if the staff person follows the rules for when to use each account. The risk remains if the staff person uses the same password for both accounts or uses the admin account for daily work. Password managers can limit risks associated with reused passwords.
  • Creating a timely and user-friendly process for requesting and installing applications on work computers. This process has many potential barriers that might prevent staff from using the process, including:
    • long turnaround times for requests
    • lack of transparency with rejected requests (along with lack of alternatives that might work instead)
    • unclear or convoluted request forms or procedures (see earlier Vogon reference)

These barriers can be addressed through careful design and planning involving staff. Nevertheless, some staff will interpret any request process as a significant barrier to complete their work.

Each option has some interruptions to staff workflow; however, these barriers can be designed so that the security practices are not likely to become a risk within themselves. We forget at times that decisions around information security also need to consider the impact these decisions will have on the ability of staff to perform their daily duties. It’s easy to get in our own way if we forget to center the end-user (be it patrons or fellow library workers) in what we decide and what we build. Keeping the risk trade-offs in mind can help make sure we don’t end up tripping ourselves up trying to protect data one way, only to have it unprotected in the end.

A Short Reflection on Uncertainty and Risk

A white woman standing with her back to the beach in front of waves coming to shore. A yellow sign in the foreground has an illustration of a shark and states "Shark sighted today - enter water at own risk".
Photo by Lubo Minar on Unsplash

We made it! We’re coming to you from our new server home. We’re still settling in, so please let us know if you come across something that isn’t quite working on the website. If you are one of our email subscribers and find this post in your spam box, you can add newsletter@ldhconsultingservices.com to your contacts list to help prevent future emails from being banished to the spam folder.

Now that the dust has settled, we regret to inform you that summer is almost over. Schools are back in session, summer reading programs are wrapping up for the season, and a new batch of LIS students are starting their first semester of library school. We also regret to inform you that the pandemic is still hanging in there, adding its own layer of stress and uncertainty on top of everything else.

Uncertainty is hard to plan for, even in non-pandemic times. Libraries with plans for phasing back in-building services find themselves changing those plans daily to keep up with changes in health ordinances, legal regulations, and parent organizational mandates. We find ourselves back in the first few months of the pandemic, scrambling to figure out what to do. Then again, we haven’t stopped scrambling throughout the pandemic to find ways to provide patrons services that won’t put both patrons and library workers at risk.

Risk assessment and management are exercises in dealing with uncertainty. We like to have neat solutions to neat problems; risk management tells us that problems are much messier and are less likely to be solved with neat solutions. Take, for example, four common responses used in determining how to manage risk:

  • Accept – Choosing to accept the risk, usually done in cases where the cost of the realized risk is less than the cost in addressing the risk
  • Transfer – Shifting the risk to another party (another person, group, or tool) who is better situated to manage the risk
  • Mitigate – Adding checks or controls to limit risk in a particular situation
  • Eliminate – Changing something to remove or avoid the risk

Some of you might be surprised that the last response, eliminate, is not the primary goal in risk management. This is partly due to the level of control we have in the situation that presents the risk. We cannot eliminate some risks due to, well, pandemic, while others are unavoidable due to the nature of our work – where we work, operational needs, external needs/pressures, and so on. In those instances where we cannot entirely eliminate the risk, we can still have some control over our response to the risk, particularly with mitigating or transferring the risk.

While we cannot eliminate all risks in our libraries around the pandemic’s uncertainty, we can still work toward identifying and managing risks that we have more control over, including those risks around patron privacy. Here are a few resources to get you started on managing patron data privacy risks:

By focusing on risks that we are better situated to address through transference, mitigation, and elimination, we can avoid the inertia that comes with being overwhelmed by risks we have less control over. It might seem like arranging the deckchairs on the Titanic, but living with so much uncertainty in such a short time can short-circuit our ability to identify and manage risk, particularly when we are not trained to manage risk during long periods of heightened uncertainty. If you find yourself at that point, you can take advantage of the start of the fall season by resetting the privacy risk management button by making a list of privacy risks outside your control and risks that you or your library are better able to manage. You might not be able to identify all the risks in one sitting, and that’s okay. If you are struggling to identify risks that you or your library can manage, revisit the earlier resources to help you through the process.

Managing risk requires accommodating uncertainty and variations of the same risk. Risk likelihoods and severity can change without notice. Risks also have different severity, harms, and likelihoods for different people – what might be a low harm risk for one person might be a risk that has more significant harms for another. Risk management strategies help wrangle this uncertainty by providing some structure in responding to the uncertain nature of risk. While we can’t eliminate uncertainty, we can be better prepared to manage uncertainty in parts of our lives, such as our work that affects patron privacy.

A Forced Exercise in Risk Management

A mustached adult white man leaning back in his office chair holding a beer. Text overlay "well that escalated quickly"
Image Source: https://knowyourmeme.com/photos/353279-that-escalated-quickly

When we asked readers last week about library discussions around campus or organization mandates requiring COVID-19 vaccinations, we expected that libraries would have time to plan to adjust to the mandate. Responses from last week indicated as such. The consensus was various employee groups meeting and discussing who must be vaccinated and how workplaces can confirm vaccination status.

Then Thursday came around, and the CDC escalated things a tiny bit with their new mask guidelines. And by “a tiny bit,” we mean “blowing away any incremental steps in loosening mask guidelines and went straight to a free-for-all mask honor system.”

Britney Spears grimacing while listening to a contestant on a popular singing competition show.
Yikes.

This sudden decision took many businesses and organizations – libraries included – by surprise. Most planned for a multi-month phased reduction in mask requirements, but here we are. After a year of struggling to get even the most reluctant patrons to mask up in the library, library workers now face several conundrums including dealing with patrons who refuse to follow library mask requirements based on the CDC announcement and libraries required by their parent organization to check for vaccination status for patrons going maskless in the library.

Libraries that can still require masks for everyone regardless of vaccination status can bypass the privacy issues around checking patron vaccination status. The libraries relying on local or state mask mandates to enforce their own can’t rely on them, though, given how quickly some state and local governments are dropping their mask mandates. While the CDC said that only fully vaccinated people can be maskless in most public spaces, the lifting of state and local mask mandates when many places haven’t reached the 50% vaccination mark (such as Washington State at the time of the announcement) turns this privacy issue into a privacy and health issue for both patrons and library workers. What we have is the privacy risks discussed last week now compounded by health risks presented with the new guidelines.

Managing risk is rarely a clear-cut process. Reducing one risk could inadvertently create or increase the chances for another risk. Keeping a detailed access log of who logs into a particular electronic resource through a proxy server can aid in investigations and quicker resolutions to issues around systematic unauthorized content harvesting, but this mitigation comes at the cost of privacy through increased collection and retention of detailed patron data, increasing the risk of improper reuse of this data through the library or third parties (such as creating user profiles for targeted marketing or reselling this data to fourth parties) or through a data breach or leak. Risk management is a process of checks and balances where one needs to consider the consequences of choosing risk management strategies and avoiding a “min-max” outcome with unaddressed risk.

Libraries who want or are now required by their organization to enforce CDC guidelines in their libraries now face the issue of suddenly needing to manage the risks around checking the vaccination status of maskless patrons. The US has not widely adopted a vaccine passport system (which has privacy issues), and fake vaccination cards abound. We listed the issues around contact tracing in libraries in a previous post, and all of those privacy concerns apply to libraries required to check vaccination status. The equitable service issues also apply, but it is compounded with health risks. Library workers who are still waiting to be vaccinated or cannot get vaccinated for medical reasons are stuck in limbo alongside patrons in the same situations.

These risks around privacy, service, and health would have been easier to manage through a gradual phasing out of mask mandates. Unfortunately, we are in the timeline where that isn’t happening. Requiring masks mitigates the privacy and health risks until the local population reaches a vaccination threshold where the health risks are at acceptable levels for both patrons and library workers. Libraries mitigated equitable service risks created by mask requirements by offering free masks to patrons or making alternative service arrangements for patrons who medically cannot wear a facial covering. This sudden turnabout from the CDC makes this strategy more fraught with risk. It creates a new type of service issue in the form of maskless patrons claiming vaccination status, which then creates new privacy and health issues alongside additional service issues for those who do not want to or cannot prove their vaccination status.

Some libraries that can no longer mandate masks for all might go with an honor system and allow patrons to go maskless without proving their vaccination status. That avoids the privacy and ethical risks involved in checking vaccination status but, depending on local population vaccination levels, the policy could increase the health risks to both unvaccinated patrons and library workers. It’s also an equitable service risk for patrons wanting to use the physical library but at the same time are not fully vaccinated due to medical reasons or are still waiting to start/complete their vaccination schedule.

This is all to say that there’s no good way to address the chaos created by the CDC last Thursday. We’re 14 months into the pandemic, and the pandemic fatigue settling in at the start of the year has grown at a rapid pace. Libraries – like other service and retail industries – are stuck in the middle of this, struggling with a public who are tired, confused, and ready to be done with all of this back and forth with guidelines and restrictions. Any decisions around COVID-19 policies at the library, including masks and vaccination checks, need to balance the privacy, equity, and health risks while acknowledging how that decision will impact library workers’ morale and safety.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

Just Published! Library Data Risk Assessment Guide

Welcome to this week’s Tip of the Hat!

To build or to outsource?

Building an application or creating a process in a library takes time and resources. A major benefit of keeping it local, though, is that libraries have the greatest control over the data collected, stored, and processed by that application or system. Conversely, a major drawback of keeping it local is the sheer number of moving parts to keep track of in the building process. Some libraries have the technical know-how to build their own applications or have the resources to keep a process in house. Keeping track of privacy risks is another matter. Risk assessment and management must be addressed in any system or process that touches patron data, so how can libraries with limited privacy risk assessment or management experience make sure that their local systems and processes mitigate patron privacy risks?

Libraries have a new resource to help with privacy risk management! The Digital Library Federation’s Privacy and Ethics in Technology Working Group (formerly known as the Technologies of Surveillance Working Group) published “A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems“. This 28-page guide provides best practices and practical strategies in conducting a data risk assessment, including:

  • Classifications of library user data and privacy risk
  • A table of common risk areas, including probability, severity, and mitigation strategies
  • Practical steps to mitigate data privacy risks in the library, ranging from policy to data minimization
  • A template for readers to conduct their own user data inventory and risk assessment

This guide joins the other valuable resources produced by the DLF Privacy and Ethics in Technology Working Group:

The group also plans to publish a set of guidelines around vendor privacy in the coming months, so be sure to bookmark https://wiki.diglib.org/Privacy_and_Ethics_in_Technology and check back for any updates!

A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of their Privacy Framework. The purpose of the framework is to create a holistic approach to manage privacy risks in an organization. The Framework is different from other standards in such that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by who, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim for. A Current Profile lists the current Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.

The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that both address the realities of their organization as well as creating Target Profiles that incorporate standards and regulations specific for their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give NIST Privacy Framework some consideration.

Threat, Vulnerability, or Risk?

Welcome to this week’s Tip of the Hat!

“Animal, plant, or mineral?” Most folks can, with a healthy amount of confidence, say that something is one of those three, as well as explain the differences between the three categories. It’s also a fun game to keep younger kids occupied for your next long trip.

Today we are going to introduce a variation of the game for us adults – “Threat, vulnerability, or risk?” Information privacy and security use these three terms with assessing the protection of data and other organizational assets, as well as potential harms to those assets and the organization. Many people use these terms interchangeably in daily conversations surrounding Infosec and privacy. There are differences between the three, though! To understand what it means when someone says “threat” instead of “vulnerability”, we will go over some definitions to help you differentiate between the three terms:

A Threat is a potential scenario that can cause damage or loss to an organizational asset. You might have heard the term threat actor, which refers to a specific someone or something that could be responsible for creating said harm to the organization. Note well that you do not have to demonstrate malicious intent to be a threat actor. Sometimes threat actors do not act out of malicious intent but are still a threat due to them exploiting a vulnerability in the organization.

Vulnerability refers to the weakness in any system or structure that a threat can use to cause harm to the organization. People focus on technical vulnerabilities; however, the non-technical vulnerabilities, aka your fellow humans and organizational structures, are as important to identify as your technical vulnerabilities.

Risk is the potential of damage or loss resulting from a threat taking advantage of a vulnerability. Many use an equation to calculate the amount of risk of a particular scenario: Risk = Threat x Vulnerability x Cost, with Cost being the potential impact on the target by a threat.

Let’s explore these terms further with our library hat on:

What can be considered a threat?

  • Untrained/undertrained staff not following law enforcement request procedures
  • A staff member gains unauthorized access to sensitive systems or data, and modifies, exports, or deletes data to inflict harm or for their gain
  • A data breach of a vendor-hosted database

What can be considered a vulnerability?

  • Lack of access to regular privacy training and resources for staff
  • Lax or lack of system user access policies and procedures
  • Lack of or insufficient vendor privacy and security practices
    Improper collection and storage of sensitive data by systems

What are the possible types of risk in any given scenario?

  • Legal – possible legal action due to noncompliance with applicable local, state, federal, or international regulations surrounding particular types of data
  • Reputational – “The Court of Public Opinion”; loss of patron trust; loss of trust in the vendor
  • Operational – the inability to perform critical tasks and duties to ensure uninterrupted access to core services and resources

By knowing the differences between threat, vulnerability, and risk, you can better assess the scenarios that can put your organization at higher risk of legal, reputational, or operational harm. You can also proactively mitigate these risks by addressing the vulnerabilities that can be exploited by the threats you can identify. Take some time this week to walk through the “Threat, vulnerability, or risk?” game with your colleagues, and you might be surprised by what you will find about your organization.