Policies regarding Ohio public library use of OPLIN services

Procedures and Guidelines for Ohio public libraries

Public usage policies for Ohio public libraries

Every Ohio public library that offers Internet access to the public via the Ohio Public Library Information Network (OPLIN) has a written policy in place that states the terms of that access. Each local library board has the privilege and responsibility of spelling out policy for the communities they serve. If you have compliments, questions or concerns about individual library policies, those should be addressed to your local public library. You can find contact information by clicking here.

OPLIN's only requirement is that the library meet the condition of our enabling legislation (122-HB215 - effective June 30, 1997) that it "shall adopt policies that control access to obscene and illegal materials." If you already have approached the local library director and board with concerns about local policy, and do not believe your concerns have been addressed, please contact OPLIN here to issue a formal complaint. OPLIN will require documentation, such as board minutes, that demonstrate that your concerns have already been raised at the local level.

Information Technology Security Management

Information Technology Security Management

Ohio Public Library Information Network (OPLIN)

OPLIN shall exercise due diligence to ensure that all OPLIN computer and telecommunications systems and services are secure, and that the information contained within those systems and services is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.

This document outlines a plan to accomplish that goal through implementation of individual policies covering Risk Assessment and Data Classification, Recovery Preparation, Boundary Security, Password Security, Malicious Code Security, Internet Security, Remote Access Security, Portable Computing Security, Intrusion Prevention and Detection, Security Incident Response, Security Notifications, Security Practices, and Security Education and Awareness. In any case where these policies conflict with the Information Technology Security Policies of the Ohio Office of Information Technology (OIT), OIT's policies shall prevail.

OPLIN shall admonish all employees, contractors, temporary personnel and other agents of the state to adhere to these policies.

Risk Assessment and Data Classification

OPLIN shall annually conduct a risk assessment of system assets, threats, and organizational priorities. The assessment shall be prepared by the OPLIN Executive Director, or a staff member designated by the Director, with input from all staff. This assessment will be reviewed at the end of every fiscal year to ensure that it is current.

The assessment shall be stored in a secure location and shall include current information regarding:

• the nature of the information and the systems;
• the business purpose;
• the operating environment;
• the existing protections;
• the impact of a security breach; and
• the likelihood of a breach occurring.

In conjunction with this risk assessment, OPLIN staff shall review the classification of OPLIN data. The data shall be labeled for both confidentiality ("public," "limited access," or "restricted") and criticality ("low," "medium," "high," or "very high"). Any data that could efficiently be replaced rather than protected will also be identified.

Concurrent with this annual assessment, OPLIN shall notify OIT Risk Management Services of the current primary and secondary incident response points of contact, which will typically be the Executive Director and the Technology Projects Manager.

[top of document]

Recovery Preparation

OPLIN shall take the following steps to ensure that critical tools, data and equipment are available to facilitate containment and recovery in the event of a security breach:

• System back-ups. OPLIN shall create and maintain trusted system, data and application back-ups. Back-ups shall be tested semi-annually to maintain a high confidence of a successful recovery. Back-ups shall be created on a regular and frequent basis and securely maintained.
• System and application software versions. OPLIN shall maintain verified copies of all critical system and application installation software. OPLIN shall ensure the system and application software versions and security related patches are current and securely maintained.
• Configuration redundancy. Redundant configurations can facilitate the recovery of information technology systems or assets while preserving evidence of a compromised information technology asset. OPLIN shall assess the value and need for maintaining redundant system configurations; mission-critical systems shall have redundant configurations.

[top of document]

Boundary Security

OPLIN shall acquire, install, operate and manage a boundary security capability in cooperation with OIT to allow authorized network traffic and deny everything else.

• Servers and firewalls shall be configured specifically to limit access to ports and services required to support OPLIN business processes.
• Servers and firewalls shall enable activity logging using a common, standardized network time source to monitor attempted probes, attacks or intrusions, including all repeated attempts from non-authorized entities to breach the boundary.
• Strong authentication appropriate to the data being protected shall be used to limit access to systems.
• A demilitarized zone (DMZ) shall be used to isolate World Wide Web services and external e-mail entry points, and to hide vulnerable systems and information from the Internet.

[top of document]

Password Security

All OPLIN staff using passwords to access OPLIN-operated information technology or to access data in any way related to OPLIN business, including vendor data related to OPLIN accounts, shall use passwords that conform to these requirements:

• Composition. Passwords shall be composed of both upper and lower case letters and shall include at least one number or special character.
• Length. Passwords shall be at least eight (8) characters in length.
• Aging. Passwords shall be changed at least once every three (3) months.
• History. Passwords shall not be re-used for a period of six months.
• Uniqueness. Staff shall not intentionally choose a password identical to the password of another staff person. Each staff member shall have their own individual password for accessing OPLIN-operated information technology.
• Transmission. Passwords to OPLIN-operated information technology shall not be transmitted electronically in clear text.

The following requirements pertain to password administration on OPLIN-operated information technology:

• Administration privileges. Passwords and password administration on each OPLIN server or network device shall be managed by the OPLIN Executve Director and the OPLIN Technology Projects Manager (TPM), or other OPLIN staff person designated by the Executive Director. Passwords shall grant the minimum system privileges necessary to complete assigned tasks.
• System lockout. The password administrator(s) shall, where possible, set each server and device to suspend the access of any user who exceeds three unsuccessful attempts at entering a password. After the password administrator(s) confirms that the attempts were actually initiated by an authorized staff person, the system lockout can be reset.
• Storage. The password administrator(s) shall maintain and safeguard system password files in a manner to prevent unauthorized access. Password files will be backed-up to facilitate recovery from system failures, security breaches, disasters, accidents and like events with the potential to affect systems. All password backup files shall be stored on media in a locked storage location.
• Deactivation. The TPM or back-up shall deactivate passwords of employees, contractors, temporary personnel and other agents of the state who have terminated or transferred to other work units within one (1) week of the termination or transfer. Passwords that have been compromised maliciously or by accident shall be deactivated within one (1) day of discovery of the compromise. Inactive user IDs shall be deactivated after six (6) months of no activity.
• Default passwords. Default application and system passwords shall be reset before deployment of any system or application.

[top of document]

Malicious Code Security

OPLIN shall deploy malicious code security ("anti-virus") capability. Anti-virus software shall be installed and operating properly on all OPLIN-owned, OPLIN-operated or OPLIN-authorized information systems. The anti-virus software shall be configured to:

• Check daily for updates and begin installing all updates immediately.
• Scan in real time for malicious code in all attachments and downloaded files from e-mail, web-sites, and instant messaging transmitted from both the Internet and intranet.
• Check all removable media such as diskettes and CD-ROM for malicious code.
• Check all system assets for malicious code at least monthly.

OPLIN staff must report any malicious code incidents to the Technology Projects Manager (TPM) as soon as possible. The TPM shall maintain a record of malicious code incidents for auditing purposes.

OPLIN shall evaluate its anti-virus software annually and at the same time ensure that each employee receives initial or refresher training on malicious code security, including how to use the anti-virus software selected by OPLIN.

Nothing in this policy shall be construed to require that OPLIN is responsible for installation, maintenance and support of anti-virus software on privately owned computers.

[top of document]

Internet Security

OPLIN shall secure connections to the Internet from OPLIN-controlled assets against unauthorized access and malicious code. Participation in chat rooms, open forum discussion groups or interactive messaging shall be permitted only when organized or approved by OPLIN. An individual approved to participate in any of these forms of communication shall be aware of methods to avoid inadvertent disclosure of sensitive information, as well as practices to avoid that could harm the security of state computer systems and networks.

[top of document]

Remote Access Security

OPLIN shall permit all staff to access OPLIN servers remotely, but shall ensure that the following conditions are met:

• All remote users shall be authenticated by a user-ID and password conforming to OPLIN Password Security requirements; passwords that are transmitted shall be encrypted.
• The remote connection shall be secured against unauthorized access and malicious code.
• Remote access shall not provide the user with more system privileges than they would otherwise have.
• Wireless access to OPLIN servers shall use the wireless encryption standard currently approved by OIT.
• Remote access host servers shall be protected in accordance with the OPLIN Boundary Security requirements.

[top of document]

Portable Computing Security

OPLIN shall permit staff use of portable computing devices, either OPLIN-owned or privately owned and authorized for state use. Users of portable computing devices shall adhere to these requirements:

• Physical security. OPLIN and users shall protect state-owned and state-authorized portable computing devices, removable storage components and removable computer media from unauthorized access. Such devices shall not be left unattended without employing adequate safeguards such as cable locks, restricted access environments or lockable cabinets. When possible, portable computing devices, computer media and removable components shall remain under visual control while traveling. OPLIN shall maintain an inventory for all OPLIN-owned, privately owned and contractor-owned portable devices authorized for work use with state systems.
• Operation and maintenance. The OPLIN Technology Projects Manager is authorized to prepare portable devices for use on state computer, network or telecommunications systems. Portable computing devices shall be equipped with anti-virus software and shall be maintained with appropriate security patches and updates. The user is responsible for any personal software added to the device and must ensure that all such software is properly licensed. OPLIN-owned portable computing devices shall be returned to the OPLIN TPM or Director when the user's employment or contract terminates; the user is responsible for removing all non-state data and software. All state data and software shall be recovered, deleted and securely overwritten as appropriate from privately owned and contractor-owned portable computing devices when the user's employment or contract terminates or when the portable computing device is no longer authorized for official state business.
• Password control. Whenever possible, access to portable computing devices and to device system settings shall be protected by passwords conforming to the OPLIN Password Security requirements.
• Lost and stolen devices. Loss or theft of a portable computing device, either OPLIN-owned or privately owned and authorized for state use, shall be reported to both the OPLIN TPM and the OPLIN Director within three (3) days of the loss.

[top of document]

Intrusion Prevention and Detection

OPLIN shall maintain a capability to prevent and detect successful attempts to breach security measures for the purpose of system intrusions or misuse.

• Implementation of intrusion prevention and detection capabilities. OPLIN shall deploy intrusion prevention and detection capabilities compatible with OPLIN's infrastructure, policies and resources to prevent unauthorized use, anomalies or attacks on computer, network or telecommunications systems. In addition, intrusion detection capabilities shall be in place to provide information relating to unauthorized or irregular behavior on any OPLIN computer, network or telecommunication system. The OPLIN Technology Projects Manager and the staff of the OPLIN Support Center shall be trained to interpret and maintain agency intrusion prevention and detection capabilities.
• Monitoring, review and detection. OPLIN staff shall review information technology security audit logs and intrusion prevention and detection system alerts on a regular basis to determine if a successful intrusion or other type of security incident has occurred. Designated OPLIN staff shall continuously monitor OPLIN Internet connections for suspicious activity during business hours. Web and e-mail server access logs shall be reviewed weekly for suspicious activity. OPLIN staff shall also work with OIT staff to identify suspicious activity on OPLIN Internet connections provided to public libraries and shall work with OIT staff to determine the nature of the suspicious activity and take all necessary steps to end any activity that is illicit.
• Alarms and alerts. Any increase in network activity that clearly and significantly exceeds normal activity for a given time of day and day of week shall be considered suspicious until further review determines otherwise. Any pattern of repeated attempts by unauthorized users to access protected areas of web and e-mail servers shall be considered suspicious until further review determines otherwise.
• Incident response. Any detected incident of successful intrusion shall be recorded according to the requirements of the OPLIN Security Incident Response policy.

[top of document]

Security Incident Response

OPLIN shall assess all security incidents to determine the severity of the incident and how it should be handled. Security incidents may be classified as either critical or threatening, and the OPLIN response shall vary accordingly. The OPLIN Technology Projects Manager or the OPLIN Executive Director shall have responsibility for classifying security incidents; these two individuals and the OPLIN Support Center staff shall be responsible for completing responses to incidents.

Threatening incidents do not impact the security of any OPLIN resources that have either been determined to be critical in the annual risk assessment or contain confidential information, and they do not require that any systems be recovered or restored. Such incidents shall be recorded in a secure file and the record shall include: a description of the incident; how the incident was identified; who identified the incident; an inventory of all actions taken, when they were taken and who performed them; and any correspondence associated with the incident. The record shall be retained for at least one (1) year.

Critical incidents impact the security of OPLIN resources determined to be critical in the annual risk assessment or containing confidential information, and/or they require that systems be recovered or restored. These incidents require a more extensive response:

• Incident evidence file. OPLIN staff shall create an evidence file to log and maintain an inventory of all actions taken, action timestamps and correspondence associated with a security incident. If appropriate, OPLIN staff shall also create a forensic back-up file of affected systems. The security incident evidence file(s) shall be securely maintained and safeguarded throughout the incident response actions to ensure that evidence is not altered or lost. At the completion of the incident response actions a copy of the file(s) shall be sent to OIT and the passage of this evidence shall be documented.
• Incident containment. OPLIN staff shall, as required to contain the security breach: ensure that redundant systems and data have not been compromised; monitor system and network activity; disable access to compromised shared file systems; disable specific compromised system services; change passwords or disable compromised accounts; temporarily shut down the compromised or at risk systems; and disconnect compromised or at risk systems from the network.
• Incident elimination. OPLIN staff shall eliminate unauthorized access and remove unauthorized modifications prior to returning compromised systems to service. Elimination methods may include, but are not limited to: changing passwords on compromised systems; disabling compromised accounts; reinstalling compromised systems from trusted back-ups; identifying and removing an intruder's access methods such as backdoors; installing system patches for known weaknesses or vulnerabilities; reinstalling system user files from trusted versions; reinstalling system settings from trusted sources; reinstalling system start-up routines from trusted versions; and adjusting firewall or intrusion detection system technologies to detect access and intrusion methods.
• Recovery. OPLIN staff shall evaluate and determine when to return compromised systems to normal operations. Access to compromised system assets shall be limited to authorized personnel until the security incident has been contained and root cause of the incident eliminated. Once that is done, systems may be restored and OPLIN staff shall validate the restored systems through system or application regression tests, user verification, penetration tests, vulnerability testing and test result comparisons.
• Lessons learned. In order to reduce the possibility for similar incidents and thereby enhance its overall information technology security posture, OPLIN staff shall convene a post-incident analysis and review meeting within three to five days of completing the incident recovery. This review will assess the effectiveness of the security response system and determine how these procedures might be expanded or improved.

[top of document]

Security Notifications

OPLIN shall notify public library users of OPLIN web-based applications, such as the Support Center web page, that:

• The system is designated for official state use.
• Access to the system may be logged.
• System activity may be monitored and logged.
• Users shall comply with OPLIN information technology policies.
• Users shall have no expectation of personal privacy unless explicitly stated.
• Illegal or unauthorized attempts to access the system and information could lead to criminal penalties and civil liability.

This notification shall appear at the bottom of the first web page that provides access to the web-based application.

This policy shall not apply to e-mail services supplied to public libraries by OPLIN.

[top of document]

Security Practices

OPLIN shall abide by the policies and procedures of the State Library of Ohio in regard to basic security practices that are not covered elsewhere in this document, such as:

• Disposal, servicing, and transfer of information technology equipment.
• Staff use of Internet, e-mail and other information technology resources.
• Storage and retention of electronic records.

[top of document]

Security Education and Awareness

All OPLIN staff shall meet annually to review these policies and the current risk assessment. New OPLIN employees, contractors, and temporary personnel shall also review the policies and risk assessment as part of their orientation to OPLIN. OPLIN staff directly involved with maintenance of OPLIN security capability shall be encouraged to acquire, at OPLIN's expense, appropriate technical training, certifications, formal course work, and/or conferences for information technology security technologies and practices, such as firewalls, wireless devices, routers, switches, virtual private networks, encryption, public key infrastructure, data protection, and audit logging.

Approved by the OPLIN Board on October 12, 2007

OPLIN Bylaws

Ohio Public Library Information Network Bylaws

[Adopted July 11, 1995 by the OPLIN Board of Trustees]

[Amended December 8, 2006]

Artic le I . Name of the Organization and Its Governing Authority.

The name of the organization shall be the Ohio Public Library Information Network, also known as OPLIN,

and its governing authority shall be the OPLIN Board of Trustees.

Artic le II . Purpose of the Organization.

The purpose of OPLIN shall be to ensure equity of access to electronic information for all Ohio citizens.

Artic le II I . Participation in the Organization.

Any board of trustees of any public county, township, municipal, school district, county district, regional

district, or association library organized under the Ohio Revised Code, or any regional library system

chartered by the State Library of Ohio, may choose to participate in OPLIN by notifying the OPLIN Board in

writing and agreeing to comply with OPLIN rules and regulations.

Artic le IV. Purpose and Authority of the OPLIN Board.

The OPLIN Board, as originally established by the 121st GA H. B. 117, has oversight responsibility for the

Ohio Public Library Information Network (OPLIN). In exercise of such responsibility, the OPLIN Board

shall be governed by these Bylaws, all of which shall be in accordance with State and Federal law.

Artic le V. Membership on the OPLIN Board.

Sect ion A. Composition.

1. Eleven members, herein also referred to as Board Members, shall be selected from the staff and past

or present Boards of Trustees of Ohio public libraries.

2. The OPLIN Executive Director and the State Librarian or his/her designee shall serve as ex-officio

Board Members. Other ex-officio Board Members may be appointed at the discretion of the OPLIN

Board of Trustees.

Sect ion B. Duration of Membership.

1. The term of service for Board Members is three years, commencing on July 1. Initial staggered terms

of one, two, and three years will be established to commence on July 11, 1995, with replacement by

full three-year terms thereafter.

2. In the event that an individual Board Member becomes unable to complete his/her term, that term will

be completed by a replacement proposed by the OPLIN Board to the State Library Board, consistent

with Article V, Section E.

3. Board Members may serve no more than two consecutive full terms.

Sect ion C. Good Faith Service.

Members of the OPLIN Board shall carry out its mission in accordance with the strictest ethical guidelines

and will ensure that they conduct themselves in a manner that fosters public confidence in the integrity of the

Board, its processes, and its accomplishments. Board members must, at all times, abide by protections to the

public embodied in Ohio's ethics laws as interpreted by the Ohio Ethics Commission and Ohio courts.

Sect ion D. Rights and Privileges.

1. Each Board Member may cast one vote on any issue presented to the OPLIN Board. Ex-Officio Board

Members are not eligible to vote.

2. Attendance is not transferable. If a Board Member is unable to participate in a majority of the regular

Board meetings during any fiscal year, the State Library Board should be notified to seek a

replacement as prescribed in Article V, Section E, unless the OPLIN Board votes to excuse the

absences due to mitigating circumstances.

3. Any Board Member or ex-officio Board Member may bring issues to the attention of the Board by

submitting said issues to the Board Chair and the Executive Director for placement on the Board

agenda.

Sect ion E. Selection of Members of the Board.

The Board shall be appointed by the State Library Board. A Nominations Committee, appointed annually by

the OPLIN Board, shall provide to the State Library Board the name of a qualified person to fill each vacancy

on the OPLIN Board, based on recommendations from the Ohio public library community.

Artic le VI. Officers of the OPLIN Board.

Sect ion A. Officers.

1. The officers of the OPLIN Board will be Chair, Vice Chair, Secretary and Treasurer.

2. Election of officers shall be conducted at the first Board meeting immediately following July 1.

Sect ion B. Vacancies.

1. Upon resignation of the Chair, the Vice Chair will immediately become Chair.

2. Vacancy of the Vice Chair, Secretary, or Treasurer position will be filled by special election at the next

Board meeting.

Sect ion C. Duties of Officers.

1. The Chairperson of the OPLIN Board will preside at all meetings, approve the Board meeting agenda

for dissemination to the Board, appoint all committees, chair the Executive Committee, and perform

other duties delegated by the Board to the presiding officer.

2. The Vice Chair will, in the absence of the Chairperson, perform the duties of presiding officer of the

Board.

3. The Secretary will be responsible for monitoring the accuracy and completeness of Board records,

will certify and sign minutes and any other official documents adopted by the Board, and will act as

presiding officer in the absence of the Chair and Vice Chair.

4. The Treasurer will be responsible for monitoring the receipt of budgetary and other financial

documents and records from the State Library Fiscal Services, and will act as presiding officer in the

absence of other officers.

Artic le VII . Meetings of the OPLIN Board.

Sect ion A. Regular Meetings.

The Board will meet at least four times per year.

Sect ion B. Special Meetings.

The Chair may call special meetings as required, providing at least 72 hours advance notice and the reason

for such special meeting.

Sect ion C. Quorum.

At all meetings of the OPLIN Board, six voting members present shall constitute a quorum for the

transaction of business.

Sect ion D. Order of Business.

Order of business at regular meetings of the OPLIN Board shall be established by an approved agenda.

Artic le VIII . Voting by the OPLIN Board.

Sect ion A. Motions and Resolutions.

1. Voting on motions and resolutions shall be conducted in accordance with Robert's Rules of Order.

2. If there is a quorum present, a simple majority of votes by Board Members present and voting shall be

required for adoption of most motions or resolutions. Seven votes shall be required for passage of

motions amending Board Bylaws or Policies.

Sect ion B. Consensus.

Certain items of business may be approved by consensus as deemed appropriate by the Chair.

Artic le IX. Committees of the OPLIN Board.

Sect ion A. Committees.

Business of the Board may be conducted by the Board as a whole or by committees or task forces, as

authorized by the Board. Such groups will be appointed by the Chair and may include Board Members or

other individuals as deemed appropriate.

Sect ion B. Executive Committee.

1. The Executive Committee of the Board will consist of the officers of the Board and one additional

Board member to be designated by the Board Chair. The OPLIN Executive Director will be an exofficio

member of the Executive Committee.

2. The Executive Committee is responsible for reviewing all OPLIN budget proposals and expenditures

and monitoring the overall operation as deemed appropriate by the Chair.

Artic le X. Amendments to These Bylaws.

Amendments to these Bylaws and Policies may be proposed at any regular meeting. The proposed

amendment shall be made known to members not present and shall be voted on at the next regular meeting.

Seven votes are required for passage of any amendment.

Artic le XI. Procedures.

All proceedings not specified herein shall be governed by State and Federal law and by Robert's Rules of

Order.

OPLIN Disclaimer

(Disclaimer adopted by the OPLIN Board April 12, 1996)

It is understood by users of this service that much of the networked information available via this service is not generated by the Ohio Public Library Information Network (OPLIN). OPLIN provides access to reference databases of general and special periodical materials, readers' advisory services, homework centers to assist students with research assignments, and legislative, historical, and archival materials and information.

Information available through this service is not warranted by OPLIN to be accurate, authoritative, factual, or complete. The availability of networked information via this service does not constitute any endorsement or ratification of that information . OPLIN is not responsible for the content of networked information via this service. The use of this service to engage in any activity which constitutes violation of local, state, and/or federal laws is strictly prohibited.

All users of this service agree to hold OPLIN harmless from any and all claims, losses, damages, obligations or liabilities, directly or indirectly relating to this service and/or the networked information available via this service, caused thereby or arising therefrom. In no event shall OPLIN have any liability for lost profits or for indirect, special, punitive, or consequential damages or any liability to any third party, even if OPLIN is advised of the possibility of such damages.

OPLIN Electronic Resources Selection Policy Statement

Outline

Introduction
Types and Levels of Resources
Selection criteria
Review and Retention
Responsibility for selection
Future development

1. Introduction

In keeping with the purpose and goal of the Ohio Public Library Information Network (OPLIN) as defined in the OPLIN Vision Statement, OPLIN acquires access to electronic resources, and develops electronic resources, for the use of Ohio public library customers. From the universe of electronic resources accepted as legal by the Ohio Revised Code, OPLIN selects quality resources to provide to the public libraries and residents of Ohio. This Electronic Resources Selection Policy Statement further defines OPLIN's electronic content in support of Ohio public library service. In selecting electronic resources for the network, OPLIN intends to complement and augment, rather than replace, basic public library reference services. OPLIN will assist Ohio public libraries in meeting the needs of their diverse clientele, including children and young adults, as well as all residents of Ohio. OPLIN will ensure that all Ohioans have equitable access to information, whether for school, business, or family. Equity of access must include:

• Access to the diverse resources of Ohio's public libraries;
• Access to federal, state, and regional information resources, and
• Access to other electronic information resources.

2. Types and Levels of Resources

OPLIN aspires to select the best resources possible that both support the vision statement and comply with the selection criteria established in Section 3. OPLIN will make use of several avenues for obtaining access to resources:

• OPLIN-licensed (both annual and perpetual) commercial, fee-based services and databases
• OPLIN-selected external, freely linkable World Wide Web resources and other freely available services and databases
• OPLIN-developed resources created by OPLIN or OPLIN member libraries, or through contractors.

OPLIN will pursue all these avenues, as appropriate, in selecting resources. OPLIN will not select CD-ROMs or other databases which must be loaded locally on OPLIN or member library servers, although exceptions may be made in the case of databases acquired under perpetual license agreements.

OPLIN will use a framework of three levels of priority in selecting resources.

• Level 1 resources are the top priority and are selected to assure that all Ohio public libraries have a base-level of online-accessible electronic content. OPLIN will strive to offer Level I resources to Ohio Public libraries at all times. Level I resources include the following:
  1. A full text general periodicals database.
  2. A full text general reference encyclopedia.
  3. Links to freely-accessible State of Ohio information published by the state or by private organizations.
  4. Links to Ohio public library catalogs (those that are Web-accessible).
  5. Other links to general resources that support the diverse informational and
  6. educational needs of OPLIN's primary using populations (students, business (with emphasis on small businesses) and families).
  7. OPLIN-generated documents and publications.
• Level 2 resources build on the foundation provided by the Level I resources and serve to create a more robust-but still basic-selection of resources to all of Ohio's public libraries. Level 2 resources can have either general or user group- specific application. OPLIN will provide level 2 resources as long as Level I needs are met, and as funding permits and demand warrants. Level 2 resources can include the following:
  1. General application:
     • Newspapers (international, national, regional, local)
     • Electronic books
     • Links to Federal government information
  2. User-group specific application:
     1. School users
        • Full-text multimedia encyclopedia
        • Full-text, multiple source, age & curriculum-appropriate database to support schools (K-12)
        • Links to historical, cultural, and educational web sites
     2. Business users
        • Full-text business database
        • Links to corporation and other business-related web sites
     3. Family users
        • Full-text health database
        • Links to recreation and travel sites
        • Links to employment, real estate, genealogy and other similar sites
  3. Level 3 resources are acquired based on demand, budget, opportunity, and other factors. Level 3 resources and possible acquisition circumstances are listed below:
     1. Situations in which OPLIN can use its purchasing leverage to obtain resources that are otherwise cost prohibitive for most Ohio Public libraries.
     2. Resources that appeal to a specialized audience, use experimental technologies, or are available in a beta test phase.
     3. Resources that have application across library types in Ohio (e.g. public libraries, schools, and colleges and universities) and where the costs of which are shared by OPLIN, other Ohio library consortia (e.g. OhioLINK and INFOhio), and possibly the State Library.
     4. Resources that are of interest to a subgroup of libraries and are purchased under a group contract in order to secure volume-based pricing discounts.

3. Selection criteria

OPLIN will consider the following criteria in evaluating any resource for selection. In combination, these criteria provide a broad assessment of the quality of electronic resources. Few resources meet all criteria; OPLIN will balance strengths against shortcomings in evaluating each resource. Any of these criteria may provide an overwhelming reason to either select or reject a specific resource. 3.1 OPLIN-licensed commercial, fee-based services and databases

3.1.1 Access

• Services shall be Web-accessible (no proprietary clients) and compatible with 3.0 and higher versions of Microsoft Internet Explorer and Netscape Navigator browsers.
• Services shall not require the use of plug-ins to deliver full functionality.
• Services shall include an ADA (Americans with Disabilities Act) compliant interface option.
• Services shall support IP address-based authentication and remote patron authentication using library card numbers.
• Use from within and outside the library must be permitted under the license, with remote users accessing the service using their own Internet dialup accounts.
• Services should provide both Web interface access and support the Z39.50 client/server protocol, version 3, to allow for user access to the service using a Z39.50-compliant user interface client.

  3.1.2 Content

• It is assumed that purchased, licensed resources will meet the selection criteria described in the OPLIN-selected resources section below.
• OPLIN strongly prefers full text databases verses index-only or abstract and index-only databases. Full text databases should include detailed citations and indexing to facilitate high search precision and recall.
• Resources obtained under a perpetual license agreement will generally be of a static verses dynamic nature.
• In keeping with OPLIN's Vision statement, databases licensed are intended to be used by library patrons, or customers, and should therefore be end-user oriented (verses resources created primarily for use library staff).
• As a general rule, OPLIN will not pay for a resource for which there is a substantially equivalent alternative freely available via the Worldwide Web. Examples include telephone directories, encyclopedias, and some newspaper and periodicals content. If OPLIN does pay for such a resource, there must be measurable and substantial unique value delivered via the for-fee licensed product.

  3.1.3 Pricing and License Terms

• The terms of the OPLIN license shall permit access both inside and outside the library.
• Access to services under OPLIN licenses shall not be limited by simultaneous users (or ports), unique users, searches, or any other access parameter. All licenses should provide unlimited access.
• The contract used to govern the use of the service shall be compliant with the ARL Licensing Principles (see http://www.library.yale.edu/consortia/statement.html). In addition, the terms must also adhere to all State of Ohio procurement and contractual agreements.
• OPLIN will seek pricing that supports statewide access to licensed resources, that is, pricing that permits access by users from all types of libraries and all Ohio library networks (including OhioLINK, INFOhio, and OPLIN). Actual purchase of statewide access licenses will depend on funding, value of the resource to non-OPLIN user populations compared to the price charged, and other factors.

  3.1.4 Support

• Service providers shall offer help desk support to OPLIN's help desk.
• Service providers shall deliver usage statistics to OPLIN that comply with the ICOLC (International Coalition of Library Consortia) Guidelines for Statistical Measures of Usage of Web-Based Indexed, Abstracted, and Full Text Resources (see http://www.library.yale.edu/consortia/webstats.html). Providing counts of queries executed and articles delivered, in electronic form and on a monthly basis, is required.

3.2 OPLIN-selected external, freely linkable World Wide Web resources and other freely available services and databases shall be subjected to the following selection criteria.

Purpose

What is the purpose of the resource? Is this clearly stated? Does the resource fulfill the stated purpose?

Authority

Is the resource provided by a reputable publisher, organization, or expert? Are the author's or provider's qualifications and credentials stated? Are sources of information cited? Is the information verifiable?

Advertising and E-commerce

Advertising and e-commerce have become major sources of funding for quality, freely accessible Web resources. It is the handling, implementation, and focus of these elements that will determine the appropriateness of a site, not the mere existence or absence of these elements. The following general rules will apply in evaluating a site that includes advertising and e-commerce elements.

• In general, sites which are primarily online stores or which otherwise have advertising and e-commerce as their primary focus are not included. (Becky – exceptions?)
• Sites which include advertisements the content of which violates OPLIN's content selection criteria (see below) will be excluded.
• Sites which include advertisements that are obtrusive and due to size or animation cause the content of interest to be obscured will generally be excluded.
• .com sites will generally be subjected to more scrutiny than will .org, .edu, and .gov sites.
• Guiding principles for privacy, advertisement size, acceptable and unacceptable product/service categories and other related issues can be found at http://www.lexis-nexis.com/cispubs/Corporate/advertising/advert.htm (guidelines for advertising on the Lexis-Nexis Academic Universe service).

Audience

Who are the intended users of this resource? Does the resource satisfy the needs of this audience? Is the language and reading level appropriate to this audience?

In OH! Kids, OPLIN organizes high-quality educational, informational, and recreational resources for children ages 3 through 12 on the basis of age- appropriate considerations. Works that satisfy OPLIN's selection criteria for adults, but include material not appropriate for minors, are excluded from OH! Kids. No resources deemed potentially harmful to minors will be selected for OH! Kids.

In OH! Teens, OPLIN organizes high-quality educational, informational, and recreational resources for users 13 years of age and older by topic. Works that satisfy other OPLIN selection criteria but fall under the scope of Ohio's "Disseminating Matter Harmful to Juveniles" Statute are excluded from OH! Teens.

For more information about these exclusions, see Content (following).

Content

Is the information factual? Does the resource contain original information, or is it an index to other resources? Resources can be useful either for original information or as access tools, or both.

Does the resource provide information completely, or has it been abstracted from another resource or resources?

Does the author or provider of the resource appear to have a commitment to its ongoing maintenance and stability?

Materials defined as illegal by the Ohio Revised Code (ORC) are not selected. Resources in which frank language or graphics are used toward a recognizable, legitimate purpose, such as the dissemination of medical information or the reproduction of artistic works, and which are not prurient in nature, may be selected for OPLIN (with the exception of OH! Kids) if other selection criteria are met. Works that meet OPLIN's selection criteria are not necessarily excluded because of coarse language, frankness, controversial expression, or graphical representation. Isolated text or images in themselves are not considered adequate reason for rejection, except in OH! Kids, where any such elements are strictly excluded.

Selecting links is an implied recommendation. The ORC accepts the majority of Web-based materials as legal; we exclude any of the small percentage of Web- based materials that do not meet this standard.

OPLIN goes one more step in selecting links for the OH! Teens and OH! Kids areas of the OPLIN Web site by excluding any materials that specifically fall under the scope of Ohio's "Disseminating Matter Harmful to Juveniles" Statute (Ohio Revised code Section 2907.31, as supported by the definitions in Section 2907.01).

Further, all links in the OH! Kids area conform to the Recreational Software Advisory Council on the Internet (RSACi) "Level Zero" rating for all four of its selection criteria (violence, nudity, sex, language). OPLIN excludes any materials from OH! Kids that do not conform to this standard, even those that meet all other OPLIN selection criteria.

Selectors of sites for OH! Kids will strive to assure that sites 1, 2, and 3 links removed from selected sites comply with this selection policy.

Accuracy

Is the information in the resource accurate? Are there political or ideological biases? Is there a balanced viewpoint?

Currency

What time period is covered by the resource? Is the resource static or dynamic? If static, is this appropriate for its content? How frequently is the resource updated? Are the updates indicated?

Scope

What items are included in the resource? What subject areas and types of material are covered? Is the scope stated or only implied? Does the actual scope of the resource match expectations?

Aspects of scope may include:

• Breadth: Are all aspects of the subject covered?
• Depth: To what level of detail in the subject does the resource go?
• Time: Is the information in the resource limited to certain time periods?

Uniqueness

Is the information in this resource available in other formats? What advantages do this particular resource and format have? If the resource is derived from another format, does it have all the features of the original? Have extra features been added? Does it complement another resource, for instance by providing updates to a print source?

Stability

Has the resource been consistently available since its inception? If it has moved from one site to another, is there a link from the old to the new site? Can the resource be expected to rem