Collection security

Staff must not share collection materials with third-party services or providers unless explicitly permitted. This includes, but is not limited to:

  • posting images of collection materials on the Internet
  • evaluating cloud-based AI tools with collection materials
  • sharing sample files for testing purposes

Personal credential management

Staff must use a unique password for every account.

Staff must use a password manager. Staff should use an NYPL-provided password manager, but may choose to use their own.

Staff should use non-password credentials, such as public-key authentication (for example SSH keys) or hardware security tokens, wherever a service supports them.

Shared security information management

Security information includes:

  • passwords for shared workstations
  • credentials for cloud resources
  • IP addresses of network resources
  • license keys for purchased software

Staff must store security information for any shared program resources in the program's password manager and share it with the users who need it through the password manager.

Code Development Security

Code repositories must not contain any security information.
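The rule above is easiest to keep when something checks every commit before it leaves a workstation. The following is an added example, not NYPL tooling: a hypothetical pre-commit hook that scans the staged version of each file for the kinds of security information listed in this policy (cloud credentials, private keys, hard-coded passwords, internal IP addresses) and refuses the commit if any are found. The pattern list and the sample text are constructed for illustration and are deliberately not exhaustive; the `allow-secret` marker is an assumed convention for reviewable opt-outs.

```python
#!/usr/bin/env python3
"""Hypothetical pre-commit secret check (added example, not NYPL tooling).

Install by copying to .git/hooks/pre-commit and making it executable.
Scans the *staged* content (git show :path), not the working tree, so what
is checked is exactly what would be committed.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Each entry is (label, regex). These mirror the policy's list of security
# information; the shapes are common conventions, not a complete catalogue.
PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    # No leading \b: names like DB_PASSWORD have no word boundary before PASSWORD.
    ("password assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
    ("internal IPv4 address",
     re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
]

# Assumed convention: a line carrying this marker is exempt, so that a reviewer
# can see and approve the exception explicitly instead of the hook being bypassed.
ALLOW_MARKER = "allow-secret"


def find_secrets(text: str, path: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (path, line_number, label) for every line matching a pattern."""
    hits: list[tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((path, lineno, label))
    return hits


def staged_files() -> list[str]:
    """Paths added, copied or modified in the index (deletions are skipped)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    """The staged blob for `path`, decoded leniently so binaries do not crash us."""
    return subprocess.run(
        ["git", "show", f":{path}"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout


def main() -> int:
    all_hits: list[tuple[str, int, str]] = []
    for path in staged_files():
        try:
            all_hits.extend(find_secrets(staged_content(path), path))
        except subprocess.CalledProcessError:
            continue  # object missing from index; nothing to scan
    for path, lineno, label in all_hits:
        print(f"{path}:{lineno}: possible {label}", file=sys.stderr)
    if all_hits:
        print("commit blocked: remove the secret and keep it in the password manager",
              file=sys.stderr)
        return 1
    return 0


# Constructed sample input for a stand-alone run; not taken from any real repository.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DB_PASSWORD = "correct horse battery"
host = 10.20.30.40
version = 1.2.3
"""

if __name__ == "__main__":
    if "--self-test" in sys.argv:
        for p, n, label in find_secrets(SAMPLE, "sample.cfg"):
            print(f"{p}:{n}: possible {label}")
        sys.exit(0)
    sys.exit(main())
```

A hook like this is a local safety net, not a substitute for the policy: it catches the common shapes only, so a repository that already contains a credential must still have it rotated, because removing it from the tip of a branch does not remove it from history.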

All shared code repositories must be stored in the NYPL GitHub account and must be added to the DigPres team. Shared code repositories must use the following access profiles by default:

  • read access: public
  • write access: restricted to the Digital Preservation team, plus additional users as needed
  • admin access: restricted to staff of the program whose members are the primary developers or users

All shared code repositories must require review and approval of pull requests before they are merged (on GitHub, a branch protection rule on the default branch enforces this).

Audit

Supervisors must conduct quarterly audits of the following:

  • active accounts in the program's password manager
  • membership in the program’s Github teams
  • team access to shared code repositories