9.3 - SirsiDynix Symphony System Security
Introduction
Data security in any library management system is of paramount importance, and both SirsiDynix and Libraries Victoria take the security of our systems very seriously. As a hosted service managed by SirsiDynix, security of the LMS data is contracted to SirsiDynix, who provide a full suite of services and infrastructure to maintain data integrity and security. In addition, every Library using the Libraries Victoria database is responsible for how their staff and contracted suppliers access data, especially user data, in the LMS.
9.3.1 - SirsiDynix Security White Paper
A detailed paper outlining SirsiDynix's security protocols and services is available on the SirsiDynix Support Centre. Links to related articles covering Corporate Security policies, Disaster Recovery, Audit Management, Controlled Access plan, and much more, can also be found on this page.
9.3.2 - Libraries Victoria Security Protocols
Security of library patron data is paramount for any library system. Libraries Victoria is a consortium of many library services comprising a single database with a combined patron membership of close to 1 million users, so the importance of sound and consistent protocols across Libraries Victoria to ensure that security cannot be overstated.
The security risks that can be controlled and minimized by libraries and their staff relate to how libraries interact with the LMS and the user data available to them. Consistent management of staff access, including the control of passwords, User Access policy levels, and the types of features and tools different staff make use of, is essential to ensuring data security. If just one library has a lax approach to user access that is inconsistent with the agreed protocols, they potentially put all consortium members’ data at risk.
User Password Policies
- All Passwords will be encrypted and masked once saved for added security, including public/patron Passwords. Staff do not need to see patron Passwords except at the time of registration.
- Once all Password policies are configured with the masked Password setting, a Secure User Passwords report is to be run to secure all current Passwords in the system.
- If a patron registers using the online registration forms, they get to choose their own Password. New users should be encouraged, wherever possible, to register using the Online Registration form for their library, as this ensures the security of their password.
- If a user forgets their Password, they can reset it using the “Forgot my Passwords” option in Enterprise, so long as they have an email address on their record. If a user has no email address, or the library has not enabled the Forgot my Passwords feature in Enterprise, staff can still change the Password on their behalf in any staff client.
- All Staff level Password policies must be configured with the following settings at a minimum:
  - No less than 6 characters, with at least 1 uppercase letter, 1 lowercase letter, and 1 numeric character.
  - 5 failed attempts before lockout.
  - Lockout for at least 1 hour (note, administrators can manually unlock a locked user prior to the lockout expiry).
  - Failed attempts to be forgotten after 24 hours.
- Supervisor level Passwords to have the following minimum settings:
  - No less than 10 characters, with at least 1 each uppercase, lowercase, numeric and special character.
  - 3 failed attempts before lockout.
  - Lockout for at least 1 hour.
  - Failed login attempts to be forgotten after 24 hours.
- Local Administrator level Passwords to have the following minimum settings:
  - No less than 16 characters, with at least 1 each of uppercase, lowercase, numeric and special characters.
  - 3 failed attempts before lockout.
  - Lockout for at least 1 hour.
  - Failed login attempts to be forgotten after 24 hours.
- Shared/generic staff logins should have their Passwords changed whenever any staff member who knows the Password leaves the organisation. Individual staff login accounts must be deleted as soon as the staff member leaves the organisation.
- All the above protocols should apply to all staff client interfaces – Symphony, BLUEcloud Central, BLUEcloud Analytics, BC Mobile CMS and Enterprise Administration.
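The minimum settings above, expressed as a complexity check and a lockout counter. This is an added illustration, not SirsiDynix Symphony code or configuration; the names `TIERS`, `password_problems` and `LockoutTracker` are hypothetical. It assumes the account locks on the Nth failed attempt and that each failure is forgotten 24 hours after it occurred.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tier:
    min_len: int
    need_special: bool
    max_failures: int
    lockout_s: int = 3600       # lockout for at least 1 hour
    forget_s: int = 24 * 3600   # failed attempts forgotten after 24 hours

TIERS = {  # minimums taken from the list above
    "staff": Tier(6, False, 5),
    "supervisor": Tier(10, True, 3),
    "local_admin": Tier(16, True, 3),
}

def password_problems(tier_name, pw):
    """Return the minimum requirements that pw fails for the given tier."""
    t = TIERS[tier_name]
    checks = [
        (len(pw) >= t.min_len, f"fewer than {t.min_len} characters"),
        (re.search(r"[A-Z]", pw), "no uppercase letter"),
        (re.search(r"[a-z]", pw), "no lowercase letter"),
        (re.search(r"[0-9]", pw), "no numeric character"),
    ]
    if t.need_special:
        checks.append((re.search(r"[^A-Za-z0-9]", pw), "no special character"))
    return [msg for ok, msg in checks if not ok]

@dataclass
class LockoutTracker:
    """Failed-login state for one account; `now` is seconds from the caller's clock."""
    tier: Tier
    failures: list = field(default_factory=list)
    locked_until: float = 0.0

    def record_failure(self, now):
        """Record a failed login; return True if the account is locked afterwards."""
        if now < self.locked_until:
            return True
        # Assumption: each failure is dropped 24 hours after it occurred.
        self.failures = [t for t in self.failures if now - t < self.tier.forget_s]
        self.failures.append(now)
        if len(self.failures) >= self.tier.max_failures:
            self.locked_until = now + self.tier.lockout_s
            self.failures.clear()
        return now < self.locked_until

    def admin_unlock(self):
        """Administrators can unlock a user before the lockout expires."""
        self.failures, self.locked_until = [], 0.0
```
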
User Access Levels
Every User Access policy is assigned a User Level, of which there are five:
- EXTENDED PUBLIC level is used for non-staff members using the system who are not a part of the core public group primarily served by the library. Staff-only information does not display to users of this level, and shadowed items do not display. This User Level was primarily used for access to the legacy eLibrary OPAC gateway, and is now largely redundant.
- PUBLIC level is used for non-staff users in the library’s core service group and is assigned to registered patrons as well as task card records. Staff-only information does not display to users of this level, and shadowed items do not display to these users. Public users only have access to their own record.
- STAFF level is used for library employees who need to see fields such as Item ID and Staff Comments and need to search for shadowed items. STAFF-level users may modify user access levels and profiles of PUBLIC and EXTENDED PUBLIC-level user records.
- SUPERVISOR level is intended for use by library staff supervisors. Users with this level may modify user access levels of STAFF, PUBLIC, or EXTENDED PUBLIC-level user records. Staff-only information displays for users of this level, and shadowed items display for these users.
- SYSTEM ADMINISTRATOR level is the highest level, and is intended only for the SirsiDynix Symphony administrator. Users of this level may modify the user access of any user record, including that of other SYSTEM ADMINISTRATOR level records. Staff-only information displays for users of this level, and shadowed items display for these users.
System Administrator account Levels
Because the System Administrator level can edit the User Access of any user their library has user maintenance rights to, including another One Card library’s system administrator and supervisor accounts, all local Admin User Access policies are to be assigned Supervisor level.
Only the Libraries Victoria System Administrator team and SirsiDynix support should have access to a System Administrator level account.
In addition, each library must only ever have one generic Admin account (at Supervisor level) for purposes of making configuration changes. If a library wishes to have individual logins for other administrators/supervisors, they will be assigned a different "Supervisor" User Access policy, and not be given access to Configuration wizards.
Library User Record Security
The management of Library membership records is governed by Federal and State legislation, and it is the responsibility of all member Libraries within the Libraries Victoria Consortium to ensure correct procedures are implemented by their staff in the collection and maintenance of PII (Personally Identifiable Information) of their users.
Libraries Victoria have adopted the attached Privacy Policy in relation to the collection, maintenance and removal of Library Patron PII.