Information Security Policy

CHAPTER 5

SECURITY ASPECTS. PROCEDURE FOR ENSURING INFORMATION SECURITY WHEN CONCLUDING CONTRACTS WITH THIRD–PARTY ORGANIZATIONS

The aspects of ensuring information security shall be taken into account when entering into contracts with third-party organizations.

It is necessary to sign obligations on non-disclosure of information, the distribution and (or) provision of which is restricted (confidentiality agreement), which may become known to them in the course of fulfilling contractual obligations with the third parties’ representatives when entering into contracts with them. These agreements should be concluded with representatives of third-party organizations before they are granted access to the assets.

In order to implement information security measures in case of termination of contractual relations with representatives of third–party organizations that were granted access to assets, it is necessary to determine and bring to their attention the requirements for legal liability and the terms of contracts (contracts, agreements) that remain in force for a certain period after the termination of the contractual relationship.

Managers of third-party organizations are responsible for informing representatives of third-party organizations whose contractual relations are terminated.

Specific responsibilities for ensuring information security and responsibility for its violation must necessarily be included in contractual relations with third-party organizations.

Representatives of third-party organizations should be familiar with the procedure for providing information security either by conducting a verbal briefing by authorized officials responsible for providing information security, or by familiarizing themselves with individual excerpts from the Library's local legal acts, including documented information in the field of providing information security to the Library's IT-system network.

Representatives of third-party organizations must comply with all established information security measures.

CHAPTER 13

SECURITY ASPECTS. PROCEDURE FOR HANDLING DATA CARRIERS

The procedure for the proper use and destruction of information is defined in order to prevent its unauthorized disclosure, modification, deletion or destruction, stored on information carriers, including removable information carriers, and the occurrence of information security incidents.

Employees and representatives of third-party organizations are prohibited from connecting personal data carriers, including removable ones, both for the performance of their official duties and for personal use within the Library’s borders.

When working with information, distribution and/or provision of which is restricted, employees and representatives of third-party organizations should use only specially designed labeled official information carriers, including removable ones.

Employees and representatives of third-party organizations are prohibited from using official data carriers, including removable ones, for personal purposes.

Copying of any information transferred using official storage information carriers, including removable ones, should be performed only after the procedure of full anti-virus control of the information carrier.

At least once a year, as part of an internal security audit, a full inventory of service data carriers, including removable ones, is conducted to check their availability and operability.

22. Destruction of data carriers, including removable ones, used during operation and storage, is also carried out in the following cases:

22.1. the data carrier was damaged or disabled;
22.2. upon data carrier’s storage period expiration, which is defined by the manufacturer;
22.3. at the expiration of the storage media service life specified by the manufacturer.

The security of official data carriers, as well as the leakage of information whose distribution and (or) provision is prohibited, recorded on this data carrier, to whom this data carrier is allocated, are the responsibility of employees or representatives of third-party organisations.

Control over the use of information carriers, including removable ones, and organization of work on their destruction (if necessary) is entrusted to the authorized official responsible for providing information security.

Unscheduled inspections of conformity with the rules for the use and destruction of data carriers may be conducted, if needed, at the initiative of the head responsible for IT and information security concerns.

Library visitors have the right to use their personal data carriers within the Library. In this case, the data carriers should be used only after a full anti-virus control procedure has been carried out, which is performed either by the user himself ( when a user makes copy on a data carrier by itself), or by an employee (when a library’s employee makes a copy for a user's data carrier).

Detailed procedures for handling information carriers are provided in the Library's local legal acts.

CHAPTER 14

SECURITY ASPECTS. PROCEDURE FOR A REMOTE WORK AND USE OF MOBILE DEVICES

Employees and representatives of third-party organizations should take special precautions to avoid compromising information or causing information security incidents when using mobile devices (laptops, tablets, and mobile phones).

It is forbidden to connect mobile devices (laptops, except for official ones, mobile phones, pocket personal computers, and etc.) by employees and representatives of third-party organizations to the assets.

All official laptops intended for access to the assets shall be accounted for in accordance with the accepted inventory accounting scheme in Libraries.

23. When using official laptops, make sure that all necessary information security measures are implemented on this device:
23.1. anti-malware tools are installed and configured (antivirus software is activated, malware detection feature databases are updated);
23.2. cryptographic data protection tools are installed and configured (if a secure data transmission channel is needed);
23.3. the built-in tools for organizing access differentiation (login password, etc.) are configured.
24. When using official laptops, make sure that this device does not have any:
24.1. tools for setting up remote access (if this is not provided for by the nature of the intended use of the official laptop);
24.2. means that can be used to implement actions to overcome the protection information means;
24.3. tools that can be used to collect information about the existing information infrastructure (if this is not provided for by the nature of the intended use of the official laptop);
24.4. other means that may have a negative impact on the information infrastructure;
24.5. information that is critical and that the person receiving the device does not have access rights to because of their job responsibilities.

Library readers can carry and use laptops within the permitted areas, halls, and rooms of the Library with Internet access, including the web portal and personal account: laptops are connected to a segment with Internet access that is physically isolated from other Library LAN systems.

Authorized persons shall inform Library visitors about the basic safety rules for using mobile devices as part of the information security briefing and the rules for staying on the Library's territory.

Remote work with assets is possible only after the technical and cryptographic security measures are implemented.