Director Briefing - August 7, 2023
Minimum Standards Assurances
OWWL Library System is required to assure the Division of Library Development that all libraries comply with Minimum Standards to receive the final 10% of LLSA. Over the next month, I will be reviewing library websites to document that all information is posted. Remember, the following needs to be up-to-date and findable on your site:
- Bylaws
- Long-Range Plan
- Annual Report to the Community
- Policies
- Budget
Also, not part of Minimum Standards but just a reminder, Open Meetings Law requires all Board Meeting minutes to be posted within two weeks of your meeting.
First Amendment and Libraries
On July 29, 2023, a judge in Arkansas released an incredible opinion on libraries as protectors of the First Amendment. While we have yet to have a case this significant in New York, there are a lot of things we can learn from this document.
Fayetteville Pub. Library v. Crawford Cnty., 2023 U.S. Dist. LEXIS 131427 (PDF)
Here are some highlights…
Librarians—much like doctors and lawyers—are afforded significant professional responsibility and deference with respect to their area of expertise. Just as a licensed physician's mission is "to provid[e] competent medical care, with compassion and respect for human dignity and rights," and a licensed attorney is regarded as "an officer of the legal system and a public citizen having special responsibility for the quality of justice," a professional librarian is tasked with the safeguarding of the public's First Amendment right to receive information by "resist[ing] all efforts to censor library resources."
The vocation of a librarian requires a commitment to freedom of speech and the celebration of diverse viewpoints unlike that found in any other profession. The librarian curates the collection of reading materials for an entire community, and in doing so, he or she reinforces the bedrock principles on which this country was founded. According to the United States Supreme Court, "Public libraries pursue the worthy missions of facilitating learning and cultural enrichment." United States v. Am. Library Ass'n, Inc., 539 U.S. 194, 203, 123 S. Ct. 2297, 156 L. Ed. 2d 221 (2003). To fulfill those missions, "public libraries must have broad discretion to decide what material to provide to their patrons." Id. at The librarian's only enemy is the censor who judges contrary opinions to be dangerous, immoral, or wrong.
The public library of the 21st century is funded and overseen by state and local governments, with the assistance of taxpayer dollars. Nonetheless, the public library is not to be mistaken for simply an arm of the state. By virtue of its mission to provide the citizenry with access to a wide array of information, viewpoints, and content, the public library is decidedly not the state's creature; it is the people's. "It is the purpose of the First Amendment to preserve an uninhibited marketplace of ideas in which truth will ultimately prevail . . . . It is the right of the public to receive suitable access to social, political, esthetic, moral, and other ideas and experiences which is crucial here."
OSC Webinar: Management's Responsibility for Internal Controls
On August 2, 2023, I attended the OSC's webinar on Management's Responsibility for Internal Controls. The presentation discussed internal controls, risk assessment, and the importance of financial policies. The main theme was that we are working with taxpayer money, and a significant amount of responsibility comes with that.
Here are a few takeaways…
- Five elements of internal controls: 1) Control Environment; 2) Risk Assessment; 3) Control Activities; 4) Communication; and 5) Monitoring.
- Fraud Triangle: Pressure, Rationalization, and Opportunity.
- Passwords can be considered a preventative control (this is a plus for the Systems Access and Confidentiality of Library Records Policy section on password management).
- One good reason for Board-level policy approval is to show everyone that there is buy-in for responsibility and appropriate practices at each level of the organization.
- "Trust" is not an internal control.
- Saying an organization is "small" is never a justification for not having internal controls.
- Libraries were specifically mentioned when reviewing audits. It was said, "...just because it was reported in a Town or School District does not mean it couldn't happen in a Village or Library."
Internal controls are essential to the effective operation of local governments and school districts. This webinar will explain the integrated internal control framework, and discuss how a properly designed internal control system can reduce the likelihood that significant errors or fraud will occur and remain undetected.
Click Here for Presentation Slides
OSC Webinars and Recordings
The recording for this webinar is not up today, but they are usually posted within a week or two.
NYLA Conference 2023
NYLA's 2023 Conference in Saratoga Springs is open for registration. If you plan on attending, I suggest registering ASAP; the hotels fill up fast!
NYLA 2023 Annual Conference & Trade Show
Passwords and Security in OSC Audit
The audit information below was released on July 14, 2023 and details the importance of policies and procedures protecting user account management. The System requires strong passwords to protect patron information. The OSC views this as a top priority as well.
West Hempstead Union Free School District – Nonstudent Network User Account Controls
Key Findings
District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that the Board of Education (Board) and District officials did not:
- Develop and adopt policies and procedures addressing key network user access controls, such as user account management, password security and user account controls.
- Disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago. These accounts include:
  - 53 former employee network accounts, and
  - 7 network service accounts used for hardware devices and email aliases.
Key Recommendations
- Adopt comprehensive network user account policies and procedures addressing securing user accounts with passwords and adding, disabling and changing user access.
- Periodically review user access for all nonstudent network user accounts and disable user accounts when access is no longer needed.