Cybersecurity Policy

The Cuyahoga Falls Library recognizes its responsibility to safeguard its data, information technology (IT), and IT resources to ensure availability, confidentiality, and integrity. As such the Library adopts a cybersecurity program that aligns with Ohio Revised Code section 9.64.

Cybersecurity Program

The Library will implement a program that is generally accepted as a best practice for cybersecurity, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Controls. This program may include, but is not limited to, the following components:

  • Identify and address the critical functions and cybersecurity risks of the Library.
  • Identify the potential impacts of a cybersecurity breach.
  • Specify mechanisms to detect potential threats and cybersecurity events.
  • Specify procedures for the Library to establish communication channels, analyze incidents, and take actions to contain cybersecurity incidents.
  • Establish procedures for the repair of infrastructure impacted by a cybersecurity incident and the maintenance of security after the incident.

In addition to the program, the Library will maintain cybersecurity insurance when it is available and fiscally practicable.

Staff Training

The Library will annually require at least one hour of cybersecurity training for all employees. At minimum, the training shall satisfy the requirements of RC 9.64, but the Library may offer and/or require additional training for employees corresponding to the duties of their job description.

 

Disaster Recovery Plan

The Library will maintain a Disaster Recovery Plan as part of its emergency procedures to provide guidelines for restoring IT services and ensure minimal disruption to Library operations in the event of a disaster, such as hardware failure, cyberattack, natural disaster, or data loss.

Incident Reporting

Upon discovering a cybersecurity or ransomware incident, Library Administration shall notify:

  • The Executive Director of Ohio Homeland Security within the Ohio Department of Public Safety as soon as possible, but not later than seven (7) days after discovering the incident.
  • The Ohio Auditor of State as soon as possible but not later than thirty (30) days after discovering the incident.
  • The Library’s Board of Trustees as soon as practicable.

Ransomware Demands

The Library shall not pay or otherwise comply with a ransom demand.

Public Records Exemption

Records, documents, or reports related to the Library’s cybersecurity program and framework, as well as reports of cybersecurity incidents or ransomware incidents, are not considered public records under RC 9.64 and 149.43. Records identifying cybersecurity-related software, hardware, goods, and services that are being considered for procurement, have been procured, or are being used by the Library, including vendor name, product name, project name, or project description, constitute “security records” and are exempt from the requirements to produce those records in response to a public records request according to RC 9.64 and 149.433.

Approved by the Cuyahoga Falls Library Board of Trustees April 21, 2026