How Secure is Our Patron Information?
We are often asked, "How secure is our patron data?" and "Is my data kept private?" We realize a simple response of "Very secure" will not satisfy most people. We also know that a highly technical (read: boring) response will be difficult to relay to your concerned patrons. It is for this reason that we wrote this article. We hope your patrons will find it both informative and fun.
Security ≠ Privacy
Before we proceed, we feel it is important to address a common misconception. Security and privacy are not interchangeable terms. Security is about mitigating risks to data. Privacy is about using data responsibly. However, a privacy exposure may result from a lack of proper security. In that respect, this article follows the "Shared Responsibility" model. The first half covers some of the measures we take to ensure your patron data is secure. The second half offers some recommendations for ways you can prevent a breach of privacy.
It is important not to discount expertise and knowledge when it comes to securing data. To provide world-class security, a company requires some of the smartest minds in the world in the fields of networking, systems administration, security, and so on. And guess what? They don't work for us, which is why we rely on the experts at AWS (Amazon Web Services).
When it comes to our applications, we follow the AWS best practice of isolating our database servers from our web servers with a firewall (implemented as AWS security groups). If, for example, a hacker used a zero-day exploit to gain access to a web server, they would not find any customer data on that machine.
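As an added illustration (not Evanced's own code or configuration) of the web/database isolation described above, the Python function below audits a database tier's security-group ingress rules: it flags any CIDR-based source, any source group other than the web tier, and any port other than the database port. The group ids, port and rule sets are constructed sample values in the shape of EC2 DescribeSecurityGroups output.

```python
# Added example, not Evanced/Demco code: audit constructed AWS-style security
# group ingress rules to confirm the database tier accepts traffic only from
# the web tier. All ids, ports and rules below are made-up sample values.

DB_PORT = 5432          # assumed database port for the sample
WEB_SG = "sg-web0001"   # constructed id of the web-tier security group
DB_SG = "sg-db0001"     # constructed id of the database-tier security group

# Intended configuration: the DB port is reachable only from the web tier SG.
GOOD_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
]

# Misconfiguration: DB port open to the whole internet, plus SSH from a CIDR.
BAD_DB_RULES = [
    {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
]


def audit_db_ingress(rules, allowed_source_sg, db_port):
    """Return a list of findings; an empty list means the DB tier is isolated."""
    findings = []
    for rule in rules:
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        # Any CIDR-based source means hosts outside the web tier can reach the DB.
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"ports {ports}: open to CIDR {cidr}")
        # Group references are acceptable only when they point at the web tier.
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != allowed_source_sg:
                findings.append(f"ports {ports}: open to group {pair.get('GroupId')}")
        # Nothing but the database port should be exposed on this group
        # (a protocol "-1" rule has no ports and is caught here too).
        if ports != (db_port, db_port):
            findings.append(f"ports {ports}: non-database port exposed")
    return findings


if __name__ == "__main__":
    print("good:", audit_db_ingress(GOOD_DB_RULES, WEB_SG, DB_PORT))  # []
    print("bad:", audit_db_ingress(BAD_DB_RULES, WEB_SG, DB_PORT))    # 3 findings
```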
We recommend the following:
SSL encrypts the traffic between a patron's browser and our servers. Our newest applications (SignUp, Spaces, and D!BS sites) provide SSL by default. SSL can be requested at no additional cost for classic applications (Events, Room Reserve) as well.
Because SSL is included by default, it is easy to link directly to the HTTPS URL from your website. As an example, if the link to your application on your website looks like this: http://libraryname.evanced.info/spaces
Simply update the link to this: https://libraryname.evanced.info/spaces
Do not share staff logins
This is covered in a blog post, which also covers "Enable auditing" and "Use strong passwords and change them regularly".
Limit the fields required to register for a program or event. Only collect data that is absolutely necessary: the less data you collect, the less impact a privacy breach will have.
Posted Wed, Sep 28, 2011 at 3:03 PM. This article has been viewed 9593 times.
Online URL: https://kb.demcosoftware.com/article.php?id=141