Social Media Security
Best practices for social media security are still evolving. The challenge has to do with the content and destination of outgoing communications, as well as the person who is consuming and responding to the communication. For example, encrypting a blog submitted by an employee will not help your company once it’s published publicly. The post may give away company secrets if the employee doesn’t know he wasn’t supposed to share certain bits of information with the public!
Every company must have policies in place and a framework laid out defining acceptable use of social media. Every organization—from small businesses to governments—need to treat social media policies like IT policies—living documents that guide appropriate use.
H.U.M.O.R. Guidelines
Within the H.U.M.O.R. Matrix, we can also apply social media policy requirements. Different policy matters have to be addressed for each requirement. The table below lists the key aspects of social media policy to be captured.
H.U.M.O.R. Requirement | Policy Component |
Human Resources | • Disseminate policy in an understandable format that is available to all employees throughout the company. |
• Disseminate a public version of applicable policy requirements for employees and customers. | |
• Develop guidelines for using social media for business requirements. | |
• Assure compliance with all legal and regulatory requirements. | |
• Develop a clear response plan for incident management and public interaction. | |
• Create policies for education and training. | |
• Create policies for restricting access to company private information. | |
Utilization of Resources | • Create policy for clear usage of intellectual property by employees and the public. |
• Create guidelines for response to theft of intellectual property. | |
• Create policy on writing content and plagiarism. | |
• Develop processes for utilizing the correct technology resources for different social media activities. | |
• Create policy for updating tools as capabilities change. | |
Monetary Spending | • Create policies for identifying business justifications for spending budget on social media activities. |
• Define budgets for education and training. | |
• Develop process for identifying monetary damage through social media activities. | |
Operations Management | • Develop Operations guidelines for IT, Marketing, Legal, and HR, detailing the responsibilities of each department. |
• Define enforcement requirements and activities that will be taken by HR and IT. | |
• Define the process for understanding what social media resources will be used and what impact the various cloud services will have on the business. | |
• Create a password policy. | |
• Develop processes for threat management. | |
Reputation Management | • Develop clear process for incident response management. |
• Identify policy for monitoring and reporting on both employees and customer/public social media activities that affect the company. | |
• Develop processes for controlling reputation monitoring. |
Developing Your Social Media Security Policy
Once you have determined the key components of your social media security policy according to the H.U.M.O.R. Matrix, you have to actually write it. For each component of the matrix, we go through a number of steps in the following chapters to outline tactical implementation. The first step is to understand the risks your company faces. Your threat assessment should have identified the risks to your tools and the websites you use for social media activities. The intent is to identify risks to your social media activities, understand what could go wrong, and implement mitigating controls based on your documented policies.
The Policy Team
The Community Manager can take the lead in organizing the policy team, or the lead can default to the Human Resources department. Other interested parties may include Marketing, PR, Sales, Business Development, Legal, and Customer Service. This cross-functional team should review each operational aspect of your social media strategy, determine the best possible processes to achieve business goals, develop policies, implement the policies, and respond to the changing landscape. All policies should be flexible and be reviewed every six months due to the changing nature of social media environment. The lead should assign individual roles and responsibilities.
All changes must be made and approved by the policy team. The team will conduct periodic risk analysis to the related business processes that use social media, understand the technologies, and determine what operational changes must be made. The team will be responsible for disseminating the changes and ensuring the appropriate employees know what the policy requires. The policy team will be the liaison to other departments that are impacted by social media usage.
Determining Policy Response
Security monitoring of policy violations naturally requires technology managed by the IT department. Automated processes have to search for employee violations and customer and public interactions that impact the company brand over social media platforms. The policy team can determine what constitutes a violation and develop the associated appropriate responses in coordination with Human Resources. Different levels of risk can be addressed with varying levels of response. For example, Facebook does allow more information to be posted and an employee can easily and unknowingly install a malware Facebook application that’s more dangerous than what you face from your typical Twitter usage, which doesn’t impact network resources as much.
A response process must be in place for policy violations and related mechanisms must also be in place to actually monitor for violations. If you are looking for internal employee access, then data loss prevention tools are needed. If you are looking for external incidents, then you might need third-party monitoring services. You may assign risk levels to different social media activities and apply appropriate resources based on risk to the organization. Once a violation occurs, a clear process needs to be in place to notify the right resources for a response. A fast response is vital, precisely because the real-time, instantaneous nature of social platforms accelerates the speed at which events get passed along and become viral. A plan identifies possible areas for error, minimizes risks, and provides mitigation guidelines all teams can follow on a 24×7 basis.
The level of authority that response teams have has to be defined. Like your disaster recovery plan, you should test your social media response plan for possible attack scenarios. Possible decisions when addressing violations may include:
- Identifying the issue at hand
- Responding to media inquiries
- Acknowledging the problem and responding to mentions in a timely, courteous, and professional manner on relevant blogs, microblogs, and social networks, particularly when posted by influencers
- Determining employee culpability, if any
- Implementing changes to prevent continued use of the access violation
- Isolating the technology (if any) that have been compromised
- Contacting websites that may be involved
- Recording evidence and logging a timeline of events and remediation steps taken
- Contacting the appropriate public agencies if necessary
- Notifying internal executives and legal counsel
Wrap Up
Your Social Media Policy is the foundation of your operations and procedures. Constructing it is challenging, as it has to take into account new functions that many companies have not had to deal with before and has to be constantly updated. Also, departments must collaborate in ways they haven’t done previously. To develop a comprehensive policy, you have to address all the major aspects of the H.U.M.O.R. Matrix. A key driver is how the different departments work together daily to achieve a baseline level of secure operations.
Originally posted at InfoSec Resources.Excerpted from Securing the Clicks: Network Security in the Age of Social Media by Gary Bahadur, Jason Inasi, Alex de Carvalho (McGraw-Hill; 2012) with permission from McGraw-Hill.
InfoSec Institute has been training Information Security Professionals since 1998 with a diverse lineup of relevant training courses.