Journal of Librarianship and Information Science
Published by SAGE Publications (http://www.sagepublications.com)
Article
Roesnita Ismail
Abstract
This study proposes an instrument to assess the current information system security status in libraries. The instrument is based on a model named LISSAM (library information systems security assessment model), which comprises five components: technological security foundation, information security policy, procedures and control, administrative tools and methods, and awareness creation. The instrument was pilot-tested with 50 respondents responsible for information systems or information technology in their libraries. All components received Cronbach alpha scores above 0.60 and were found to be reliable and acceptable. Findings revealed that over 95% of libraries have a high level of technological implementation, but 54% scored poorly on organizational measures, especially because of a lack of security policies, procedures, and user training. High scores on technological implementation were found to be correlated with sufficient financial support and early information and computer technology adoption.
Keywords
Countermeasures, information systems, information systems security, libraries, Malaysia, organizational measures, security practices,
technological measures
Introduction
A sound information system security (ISS) practice encompasses the technical and non-technical safeguards that minimize the vulnerabilities associated with a variety of threats. In libraries, information systems (IS) are widely used to deliver services and collections to local and remote patrons. Moreover, connecting a library to the outside world via the Internet has changed the types of risk faced and the controls used to secure the services the IS support (Gupta and Sharman, 2008; Guttman and Roback, 1995; Scarfone et al., 2008; Westby and Allen, 2007).

However, little is known about actual ISS practices within library settings; very few research-based papers could be located. Thus, it is difficult to ascertain whether the library sector is lacking or adequate in ISS management. Newby (2002) highlighted that ISS is often underappreciated in libraries, which is surprising since information is a library's core business; he stressed that information systems are like buildings, which require consistent maintenance in order to avoid the inevitable decay caused by interaction with the environment. This study attempts to propose an instrument to assess current ISS status in
Objectives
This exploratory study aims to formulate an instrument to
assess the current ISS status in Malaysian libraries and to
pilot-test it for reliability. The instrument specifically
assesses the extent of IS safeguarding measures in a library
in terms of technological and organizational measures (security policy, procedures and controls, tools and methods and
awareness creation activities). The geographic context of this
pilot study is selected Malaysian public and special libraries.
Methodology
This exploratory study involves two phases. The first phase
involves formulating an ISS assessment model that comprises components that formed the basis for the development of a survey questionnaire to assess the implementation
status of ISS in Malaysian academic libraries. The second
phase involves piloting the survey questionnaire to determine its reliability, validity, and acceptability as an assessment instrument. The study uses a convenient sampling
method to pilot the questionnaire in selected public and
special libraries based on the minimum selection criteria,
that is, each of these libraries must have an automated
library system, provide Internet access, and also provide
online services. The respondent sample consisted of 110
individuals responsible for the IS or information technology (IT) in the selected libraries. Each questionnaire booklet was attached with an introductory letter which explained
the research objectives, instructions, and definitions of key
terminologies, together with a self-addressed stamped
envelope. Follow-up telephone calls and reminders via
emails were made to increase the response rate. The findings were analysed from 50 usable returned questionnaires.
Respondents came from 10 (20%) public libraries and 40
(80%) special libraries.
234
235
[Figure: the LISSAM model, recovered from chart residue. Technological measures: hardware security, software security, workstation security, physical and environmental security, server security, data security, network security. Organizational measures, including awareness creation. Implementation status scale: Very Low, Low, Medium, High, Very High.]

[Figure: item status scale, recovered from chart residue. 1 = Not implemented; 2 = Only some part has been implemented; the labels of the higher points (3 and 4) were not recovered. Presence is rated from Low to High.]
Scoring chart for technological measures (score range for each implementation level; rows follow the order of the sub-components in the model figure, and each row's maximum equals five points per item):

Sub-component                         Very Low   Low      Medium    High       Very High
Hardware security                     0-2        3-5      6-10      11-15      16-20
Software security                     0-10       11-20    21-40     41-60      61-80
Workstation security                  0-2        3-6      7-12      13-18      19-25
Physical and environmental security   0-5        6-11     12-22     23-33      34-45
Server security                       0-6        7-12     13-25     26-37      38-50
Data security                         0-8        9-16     17-32     33-48      49-65
Network security                      0-5        6-11     12-22     23-33      34-45
Total (technological measures)        0-41       42-82    83-165    166-247    248-330
Scoring chart for organizational measures (score range for each level; the row labels were lost in extraction and are matched here in the order of the four organizational components in the reliability table, which also gives each row a maximum of five points per item):

Component                           Very Low   Low      Medium    High      Very High
Information security policy         0-7        8-15     16-30     31-45     46-60
Procedures and controls             0-4        5-8      9-15      16-22     23-30
Administrative tools and methods    0-2        3-6      7-12      13-18     19-25
Awareness creation                  0-5        6-11     12-22     23-33     34-45
Presence of organizational measures and overall assessment (score ranges out of a maximum of 160; the header of the first column was lost in extraction):

Level        Poor      Needs improvement   Good
Very high    0-90      91-130              131-160
High         0-80      81-120              121-160
Medium       0-70      71-110              111-160
Low          0-60      61-100              101-160
Very low     0-50      51-90               91-160
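The scoring procedure the charts and the assessment table describe, as an added example (not code from the paper): the band limits are those read from the paper's scoring charts and overall-assessment table, and it assumes, because that table's row header was lost, that its rows are the technological implementation level and its score ranges are the organizational-measures score (maximum 160).

```python
"""LISSAM scoring walk-through: sub-component scores -> implementation
level -> overall assessment. Added example, not code from the paper.
Assumption: the rows of the overall-assessment table are the
technological level and its ranges are the organizational score."""

LEVELS = ("Very low", "Low", "Medium", "High", "Very high")

# Inclusive upper limit of each level per technological sub-component.
TECH_BANDS = {
    "hardware":    (2, 5, 10, 15, 20),
    "software":    (10, 20, 40, 60, 80),
    "workstation": (2, 6, 12, 18, 25),
    "network":     (5, 11, 22, 33, 45),
    "server":      (6, 12, 25, 37, 50),
    "data":        (8, 16, 32, 48, 65),
    "physical":    (5, 11, 22, 33, 45),
}
TECH_TOTAL_BANDS = (41, 82, 165, 247, 330)

# Per technological level: organizational score at which
# "Needs improvement" and "Good" begin (anything below is "Poor").
OVERALL = {
    "Very high": (91, 131),
    "High":      (81, 121),
    "Medium":    (71, 111),
    "Low":       (61, 101),
    "Very low":  (51, 91),
}

def band(score, uppers):
    """Map a score onto the five levels using inclusive upper limits."""
    if not 0 <= score <= uppers[-1]:
        raise ValueError(f"score {score} outside 0..{uppers[-1]}")
    return next(lvl for lvl, up in zip(LEVELS, uppers) if score <= up)

def tech_level(scores):
    """Return (level per sub-component, total score, total level)."""
    missing = set(TECH_BANDS) - set(scores)
    if missing:
        raise ValueError(f"missing sub-components: {sorted(missing)}")
    levels = {n: band(scores[n], TECH_BANDS[n]) for n in TECH_BANDS}
    total = sum(scores[n] for n in TECH_BANDS)
    return levels, total, band(total, TECH_TOTAL_BANDS)

def overall_assessment(tech, org_score):
    """Poor / Needs improvement / Good, as in the paper's table."""
    if not 0 <= org_score <= 160:
        raise ValueError("organizational score must be within 0..160")
    needs, good = OVERALL[tech]
    if org_score >= good:
        return "Good"
    return "Needs improvement" if org_score >= needs else "Poor"

# Constructed sample: strong technology, weak organizational measures,
# the pattern the paper reports for most libraries surveyed.
SAMPLE = {"hardware": 17, "software": 62, "workstation": 20, "network": 35,
          "server": 25, "data": 30, "physical": 35}

if __name__ == "__main__":
    per, total, level = tech_level(SAMPLE)
    print(per, total, level, overall_assessment(level, 70))
```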
Reliability of the LISSAM components (Cronbach's alpha):

Component                              Cronbach's alpha
1.0 Technological Component            0.682
2.0 Information Security Policy        0.844
3.0 Procedures and Controls            0.671
4.0 Administrative Tools and Methods   0.705
5.0 Awareness Creation                 0.755
Total                                  0.769
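How the reliability figures above are obtained, as an added example (not the paper's code): the standard Cronbach's alpha formula applied to constructed item responses on a 1-5 scale, with the paper's acceptance threshold of 0.60.

```python
"""Cronbach's alpha for one LISSAM component.
Added example, not the paper's code: alpha = k/(k-1) * (1 - sum of item
variances / variance of respondent totals), on constructed responses."""

def variance(values):
    """Unbiased sample variance (n - 1 denominator)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two respondents")
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / (n - 1)

def cronbach_alpha(responses):
    """responses: one list per respondent, each holding k item scores."""
    k = len(responses[0])
    if k < 2 or any(len(r) != k for r in responses):
        raise ValueError("every respondent must answer the same k >= 2 items")
    item_vars = [variance([r[i] for r in responses]) for i in range(k)]
    total_var = variance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("no variation between respondents")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)

def reliable(alpha, threshold=0.60):
    """The paper accepts a component as reliable when alpha exceeds 0.60."""
    return alpha > threshold

# Constructed responses (4 respondents x 3 items): answers move together.
CONSISTENT = [[5, 5, 4], [4, 4, 4], [2, 3, 2], [1, 2, 2]]
# Constructed responses (5 respondents x 3 items): answers do not move
# together, so the items are not measuring one underlying construct.
INCONSISTENT = [[5, 3, 4], [4, 5, 2], [2, 1, 3], [3, 2, 1], [1, 4, 5]]

if __name__ == "__main__":
    for label, data in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        a = cronbach_alpha(data)
        print(f"{label}: alpha={a:.3f} reliable={reliable(a)}")
```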
Implementation level of the technological sub-components (n = 50 libraries; count and percentage of libraries at each level):

Level       Hardware    Software    Workstation   Network     Server      Data        Physical
Very low    0 (0.0%)    0 (0.0%)    0 (0.0%)      0 (0.0%)    0 (0.0%)    0 (0.0%)    0 (0.0%)
Low         4 (8.0%)    0 (0.0%)    0 (0.0%)      0 (0.0%)    0 (0.0%)    0 (0.0%)    0 (0.0%)
Medium      16 (32.0%)  22 (44.0%)  12 (24.0%)    14 (28.0%)  5 (10.0%)   34 (68.0%)  15 (30.0%)
High        22 (44.0%)  28 (56.0%)  34 (68.0%)    35 (70.0%)  40 (80.0%)  15 (30.0%)  35 (70.0%)
Very high   8 (16.0%)   0 (0.0%)    4 (8.0%)      1 (2.0%)    5 (10.0%)   1 (2.0%)    0 (0.0%)
Total       50 (100%)   50 (100%)   50 (100%)     50 (100%)   50 (100%)   50 (100%)   50 (100%)

A further four columns of the same table (n = 50; the column headings were lost in extraction):

Level       Column 1    Column 2    Column 3    Column 4
Very low    0 (0.0%)    0 (0.0%)    0 (0.0%)    0 (0.0%)
Low         0 (0.0%)    0 (0.0%)    6 (12.0%)   0 (0.0%)
Medium      8 (16.0%)   25 (50.0%)  37 (74.0%)  37 (74.0%)
High        36 (72.0%)  25 (50.0%)  7 (14.0%)   13 (26.0%)
Very high   6 (12.0%)   0 (0.0%)    0 (0.0%)    0 (0.0%)
Total       50 (100%)   50 (100%)   50 (100%)   50 (100%)
Table 8. Overall status of ISS practices in Malaysian special and public libraries (count and % within column; the labels of the three status rows were lost in extraction).

Overall status of ISS practices   Special library   Public library   Total
Status row 1                      18 (45.0%)        5 (50.0%)        23 (46.0%)
Status row 2                      20 (50.0%)        5 (50.0%)        25 (50.0%)
Status row 3                      2 (5.0%)          0 (0.0%)         2 (4.0%)
Total                             40 (100.0%)       10 (100.0%)      50 (100.0%)
Author biographies
Roesnita Ismail is a lecturer at the Faculty of Science and Technology, Universiti Sains Islam Malaysia (USIM). She received her BSc (Hons) (2001) in Information Studies from MARA University of Technology, Malaysia, and her MLIS (2005) and PhD (2012) in Information Science from the University of Malaya. She received the best dissertation award from the Librarians' Association of Malaysia in 2006. Her research interests include information security issues in libraries, e-resources, organization of information and e-records management.
Awang Ngah Zainab is a professor teaching on the Master of Library and Information Science programme offered at the Faculty of Computer Science and Information Technology, University of Malaya, since 1994. She received her BA (Hons) (1976) and MA (1978) from the University of Wales, UK, and her MSci (1991) and PhD (2001) in Information Science from Loughborough University, UK. She was awarded the J.D. White Memorial Prize for her dissertation by Loughborough University in 1991. Her research interests include digital libraries, collection development, scholarly communication and bibliometrics. She publishes widely in national and international journals. She is also the chief editor of the Malaysian Journal of Library and Information Science and an editorial board member of the Journal of Library and Information Science and The Electronic Library.
Appendix 1
Search strategy.

Search components and search terms:
A. Information security OR Information systems security OR Computer security
B. Threat OR Breach OR Vulnerability OR Risk OR Impact
C. Countermeasures OR Controls OR Safeguard measures OR Practices OR Protection mechanism
D. Academic Libraries OR University libraries OR Special Libraries OR Public libraries
E. Malaysia

Combinations of search terms: A+B+C+D+E; A+B+D+E; A+B+D; A+B; A+C+D+E; A+C+D; A+C; A+D+E; A+D

Limiters:
1) English language only
2) 10-year limit (2002-2011)
3) NOT libraries at primary or secondary schools, therefore NOT school libraries

Selection criteria:
1) Focus on types of information security threats in libraries
2) Focus on types and level of information security measures deployed in libraries

Sources searched: library databases and relevant websites, both Malaysia-specific and international.
Appendix 2
LISSAM instrument items and Cronbach alpha values. (The original is a table with columns for item number, item, score and Cronbach alpha; extraction separated the alpha column from the items, so each section below lists its items and then the alpha values in the order they were extracted, without a reliable item-by-item pairing.)

a) Hardware Security (items 1.1-1.4): item wording not recovered. Cronbach alpha values extracted before the software items: 0.783, 0.878, 0.846, 0.832, 0.899

b) Software Security (items 1.5-1.20)
- Anti-spyware software to detect and remove any spyware threats.
- Anti-phishing solutions to prevent phishing attacks.
- Cleanup software to erase files or settings left behind by a user.
- Desktop security software at application level and operating system level to monitor, restrict usage, or disable certain features of the workstations.
- Distribution agents to automate the process of installing an application or updates to workstations on a network.
- ID management software to automate administrative tasks such as resetting user passwords and enabling users to reset their own passwords.
- Menu replacement software to replace the standard Windows desktop interfaces and to provide control on timeouts, logging, and browsing activities.
- Multi-user operating systems and application software to allow concurrent access by multiple users of a computer.
- Periodical automatic debugging and tests to remove any defects from newly developed software or hardware components.
- Rollback software to keep track of and record any changes made to the computers and allow the system to be restored to its original state from any chosen point in time.
- Single sign-on system for user authentication and authorization to access all computers and systems without the need to enter multiple passwords.
- Spam-filtering software to automatically detect unwanted spam e-mails and keep them from reaching users' inboxes.
- Systems recovery to rebuild and repair the library computer systems after a disaster or crash.
- Timer software to control the amount of time a patron can use a workstation.
- User entrance log to record and monitor user logins, which are regularly analyzed.
- Web-filtering software to prevent access to inappropriate materials or sites.
Total Score (b)
Cronbach alpha values extracted for this section: 0.780, 0.764, 0.710, 0.829, 0.712, 0.713, 0.806, 0.877, 0.877, 0.798, 0.841, 0.835, 0.777, 0.812, 0.733

c) Workstation Security (items 1.21-1.25; the wording of item 1.25 was not recovered)
- All office productivity software and browsers for the workstations/laptops are configured to receive updates in a timely manner.
- An application firewall is used for mobile laptops that connect to the library's LANs.
- The computers' BIOS are secured in order to create a secure public access computer.
- User identification and authentication are required before logging into the library's workstations, laptop screensavers, library network, or campus network.
Cronbach alpha values extracted for this section: 0.705, 0.710, 0.849, 0.702
Item 1.25 (workstation security; wording not recovered): Cronbach alpha value extracted: 0.760

d) Network Security (items 1.26-1.34)
- Antivirus software and desktop security software receive regular updates to protect the internal network from any security breaches.
- Digital signatures are used to assure the authenticity of any electronic documents sent via the library's network (e.g., use of passwords, private key encryption, public key encryption, or digital certificates).
- Firewall to protect the internal network from external threats.
- Firewall with virtual private network (VPN) capabilities is installed for remote and wireless access connections.
- Limitation of connection time is performed via configuration routines to control and restrict access to the library's high-risk applications or databases.
- Public and staff local area networks (LANs) are physically separated by means of separate cabling for each network to provide alternative circuits.
- Server segregation/perimeter network (DMZ) using firewalls and other network access control devices to separate systems that are at a relatively high risk from the unsecured network.
- The network is segmented with a router to increase the bandwidth available to each user and reduce congestion or collisions on the library's network.
- Wireless security products to secure the library wireless network (use of default passwords on wireless access points, network ID, wireless intrusion detection systems, wired equivalency protocol (WEP) encryption, MAC address filtering, or virtual private networking (VPN)).
Total Score (d)
Cronbach alpha values extracted for this section: 0.667, 0.719, 0.819, 0.810, 0.783, 0.810, 0.770, 0.695, 0.656

e) Server Security (items 1.35-1.44)
- Antivirus software on servers and antivirus definition files are kept up to date.
- Authentication systems to prevent unauthorized access to the library's server.
- Fault tolerance is implemented to ensure that if one system fails, a backup system immediately takes over.
- Firewalls to protect the library network from unwarranted intrusions.
- Intrusion-detection software and host-auditing software are installed to monitor the servers or computers for signs of intrusion.
- Regular backups of the data, hard copies of server hardware specifications, installation information, installation software, and passwords are regularly updated and stored at an offsite location.
- Server logs are reviewed periodically using a log file monitor utility to monitor for any signs of intrusion or security violations.
- Access to the directory structure of a server's file system is restricted using file or directory permissions.
- The library servers' operating systems (OS) and applications are hardened to protect them from any vulnerabilities.
- The server is placed in a secure location, such as in a lockable cage or a locked room, with environmental controls.
Total Score (e)
Cronbach alpha values extracted for this section: 0.845, 0.829, 0.894, 0.928, 0.898, 0.859, 0.907, 0.878, 0.751, 0.634

f) Data Security (items 1.45-1.57; the first three items follow, the remainder continue below)
- Attributes for each removable media application in the library are properly recorded and the media are kept from accessing, running, or transferring data to the library workstations and network from any unauthorized devices (USB thumb drives, tapes, CDs, DVDs, disks, drives, etc.).
- A combination of authentication systems to restrict access to library data and resources based on a variety of access rights (user identification, passwords, or biometric systems).
- Disposal of unused media and sensitive media is properly managed to maintain an audit trail.
Cronbach alpha values extracted for these items: 0.917, 0.672, 0.776
f) Data Security (continued)
- An enforced path is created between a user terminal and other library services to reduce the risk of unauthorized access.
- Event logging or log management software to ensure that the library's computer security records are stored in sufficient detail for an appropriate period of time (records of security incidents, policy violations, fraudulent activities, and operational problems).
- Fraud detection and prevention measures to control fraudulent activity and disclosure of information (use of address verification system/AVS, proprietary encryption, internal intrusion detection system, multiple login monitoring, password verification on transactions, or data access controls).
- Public key infrastructure (PKI) to secure the exchange of personal data via the library network and Internet (use of a public and private cryptographic key pair).
- RFID tags to manage and secure the library collection as well as to track attendance and prevent unauthorized access into the library building.
- Systematic approaches conducted in-house or outsourced to a service provider to address the library's vulnerabilities (vulnerability discovery, prioritization, remediation, dynamic protection, verification, and customized reporting).
- Use of cryptographic techniques, hardware and software tokens, and single sign-on systems to control data access to the library's internal and remote computer systems.
- Use of password protection for user accounts, antivirus software, firewalls, wireless network protections, intrusion-detection systems, and Internet Protocol Virtual Private Networks (IP VPNs) to ensure that data inserted and sent from one end of a transaction arrives unaltered at the other end.
- The library's vital business information or records are regularly backed up (inventory records, patrons' data, library databases, production servers, and critical network components and backup media).
- Web access management systems to manage and validate user access to devices, applications, and library systems (e.g., authentication management, single sign-on convenience, audit, or reporting systems).
Total Score (f)
Cronbach alpha values extracted for these items: 0.646, 0.606, 0.869, 0.921, 0.803, 0.867, 0.817, 0.869, 0.826, 0.790

g) Items 1.60-1.68 (the remaining technological sub-component): item wording not recovered. Cronbach alpha values extracted: 0.770, 0.648, 0.666, 0.822, 0.815, 0.878, 0.785, 0.911, 0.825, 0.682 (the final value equals the Technological Component alpha in the reliability table)

2.0 Information Security Policy, items 2.1 and 2.2: item wording not recovered. Cronbach alpha values extracted: 0.849, 0.880
2.0 Information Security Policy, items 2.3-2.12: item wording not recovered. Cronbach alpha values extracted: 0.983, 0.904, 0.925, 0.943, 0.971, 0.941, 0.900, 0.912, 0.899, 0.960, 0.844 (the final value equals the component alpha in the reliability table)

3.0 Procedures and Controls, items 3.1-3.6: item wording not recovered. Cronbach alpha values extracted: 0.932, 0.793, 0.876, 0.913, 0.917, 0.671 (the final value equals the component alpha in the reliability table)

4.0 Administrative Tools and Methods, items 4.1-4.5: item wording not recovered. Cronbach alpha values extracted: 0.712, 0.956, 0.640, 0.758, 0.721, 0.705 (the final value equals the component alpha in the reliability table)
5.0 Awareness Creation (items 5.1-5.9)
- All staff and patrons at various levels are made aware of their responsibilities with regard to protecting the library's Information Systems security and are trained to report any security breach incidents.
- All staff and patrons at various levels receive appropriate information security training and education.
- All staff and patrons at various levels receive regular updates on the library's Information Systems policies and procedures.
- Information security awareness training has become mandatory for all staff and patrons at various levels.
- A risk-assessment approach exists and follows a defined, documented process.
- Staff and patrons at various levels are trained to monitor and handle the library's Information Systems on their own.
- There is a balanced set of key performance indicators (KPIs) and metrics used to provide real insight into the effectiveness of security awareness programs.
- There is positive support and commitment from top management to coordinate the implementation of Information Systems security controls in your library (e.g., via allocation of budget, strong interest, and active involvement).
- Threats that could harm and adversely affect critical operations of your library's Information Systems security are identified and updated regularly.
TOTAL
Cronbach alpha values extracted for this section: 0.775, 0.793, 0.762, 0.811, 0.663, 0.748, 0.789, 0.836, 0.809, 0.755 (the final value equals the Awareness Creation alpha in the reliability table)