Hi,

With Marshall's permission, I am forwarding the survey below to the development mailing list for folks to collectively work on a response to. To make it easier to do so, I've started a Google doc for folks to edit:

https://docs.google.com/document/d/1RgTnQOITvm3B_yzBOTfAuPZgDZig7xQ3N7Euib8rONc/edit?usp=sharing

Regards,

Galen

---------- Forwarded message ----------
From: Marshall Breeding <[email protected]>
Date: Mon, Nov 10, 2014 at 11:15 AM
Subject: Questionnaire regarding Patron Privacy and Security
To: Galen Charlton <[email protected]>

Galen,

Here is the questionnaire on patron privacy and security. Can you either respond or direct it toward the best person or group that can?

Much appreciated,

-marshall

As you know, libraries are increasingly concerned with protecting the privacy of their patrons and in strong security. For an upcoming panel for CNI I have been charged with gathering data regarding how library management systems handle patron privacy and security. It would be great if I could have responses by November 21, 2014. Could you provide responses for Evergreen? You are the one that comes to mind among those in the Evergreen community, but if there is someone else that you think should respond, please let me know. I really appreciate your help.

I am interested in gathering some information regarding the current capabilities or options that systems offer today, looking forward to further progress in this arena toward more secure treatment of patron-related transactions. Given increasing concerns, I would expect that each company is working on providing a more secure environment. This data initially will be used for a briefing at the upcoming CNI Fall 2014 Membership Meeting, December 8-9, 2014:

http://www.cni.org/events/membership-meetings/upcoming-meeting/fall-2014/project-briefings-breakout-sessions/

I also anticipate that this information would be helpful for other discussions, presentations, or reports. In addition to information provided by the developers of systems, I may also work with systems administrators of the various products for their perspectives on these security-related capabilities and options.

I would greatly appreciate it if you could have your technical or product managers provide responses to these specific questions. It would also be helpful to have any additional comments or perspective on whether these seem to be the best areas of concern regarding patron privacy, and if there are alternative strategies that you are pursuing. I would also be interested to hear whether this topic has also been raised by your customers or users through enhancement requests or other product roadmap priorities.

Does your online catalog or discovery interface:

• Enforce encryption through SSL for all transactions involving patron activity
• Offer the library an option to enable SSL for all transactions involving patron activity
• Enforce encryption for specific pages or transactions involving patron details or login credentials
• Offer the library an option to enable SSL for specific pages or transactions involving patron details or login details

Does your client or interface for delivering functionality to library personnel:

• Enforce encryption through SSL or other encryption mechanisms for all transactions
• Offer the library an option to enable SSL or other encryption mechanisms for all transactions
• Enforce encryption for specific pages or transactions involving patron details
• Enforce encryption for specific pages involving authentication of library personnel accounts
• Offer the library an option to enable SSL for specific pages involving patron details
• Offer the library an option to enable SSL or other encryption mechanisms for specific pages involving authentication of library personnel
• Enforce encryption for transactions involving institutional financial data (acquisitions, patron fines, etc.)
• Offer the library an option to enable SSL or other encryption mechanisms for financial transactions

How does your platform or system deal with the security of the storage of specific types of data:

• Does your system store patron passwords or PINs as unencrypted text?
• Does your system store patron passwords or PINs as a salted hash or similar mechanism?
• Does your system encrypt patron details as they are recorded and stored?

Are logs or other system files that include patron search or reading behaviors encrypted?

Describe any other security measures in place that protect patron privacy as it is transmitted over local networks or the Internet from interception by any third party.

One specific scenario that has been a topic of concern involves the presentation of e-book discovery and lending transactions via library catalogs or discovery interfaces. Describe any integration with third party organizations that could potentially expose patron details, search, or reading patterns, and measures that you have provided to strengthen privacy and security.

Do the APIs allow or require encryption in requests or responses that include patron-related data?

What limitations to security are imposed on your system by the APIs or protocols managed by external or third-party products?

Would your company be interested in a standardized specification for the treatment of patron or financial data, similar to the way that PCI provides a compliance framework for e-commerce transactions?

I really appreciate your help with this project. Please confirm that you will be able to respond and let me know if you have any questions or concerns.

-marshall

Marshall Breeding
http://www.librarytechnology.org
[email protected]
http://twitter.com/mbreeding
http://www.linkedin.com/in/breeding
http://scholar.google.com/citations?user=NnvfJ5cAAAAJ

-----Original Message-----
From: Galen Charlton [mailto:[email protected]]
Sent: Monday, November 10, 2014 1:12 PM
To: Marshall Breeding
Subject: ILS & patron privacy survey

Hi,

Chris Cormack mentioned that you had sent a survey for him to respond to on behalf of the Koha project. I'm not sure if you've sent it to the Evergreen project yet, but if not, please send either to [email protected] or to the open-ils-dev mailing list.

Regards,

Galen

--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: [email protected]
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
