10 questions you should ask about social media and data security.

March 3, 2010

Don’t look now, but social media is everywhere. Try as you may to escape it, you simply can’t. The reason for that universality is that social media, simply put, delivers on the promise.

It is therefore difficult to tell a business that they should refrain from using social media as a growth vector, and indeed, such is not our message.

However, it would be foolish to venture into this new set of business processes without carefully analyzing not only what the business can gain from it, but also what threats to the business are inherent to the use of social media.

Ten simple security questions:

At the InfoSec Group, we believe in two things:

1. Information Security is about business, not IT.
2. Simple – yet efficient – rules yield far more attractive results than complex ones.

With that in mind, here are some simple questions any business should consider prior to launching itself in the wild world of social media:

1. Should all employees be involved in social media, or should it be a selected, chosen few?
2. Should those employees who will not be professionally tasked with handling social media be allowed to access those sites?
3. Who owns the content and the followers/friends/connections: the business, or the employees?
4. Which social media platforms – Twitter, Facebook, LinkedIn, etc. – should the company use?
5. Which functions – messaging, posting, discussions, file transfer, group membership, etc. – should employees be allowed to use in the name of the company?
6. Which topics should employees be barred from commenting on? (Politics, religion, abortion, etc. come to mind.)
7. What is the reputational risk to the company of having employees publicly converse on social media platforms as representatives of the company?
8. How much, if any, monitoring of employees’ output and behavior on social media sites should take place?
9. What internal policies should be created or augmented to respond to the risks inherent to the use of social media by the company?
10. What training should employees receive before being allowed to officially represent the company on social media sites?

Some of these questions are first-degree, while others are more in-depth and will require a significant amount of internal discussion. I would recommend that any organization interested in using social media answer at least these questions. Many more come to mind, but for the sake of not writing a tome that would rival War and Peace in length, we decided to limit ourselves to ten.

Furthermore, it would behoove any company to make sure that representatives of different departments are present during these conversations, including, but not limited to:

Legal counsel
Information Security

Because of the perceived threat that social media can represent to an organization, the US Marine Corps decided that Marines cannot discuss anything related to their work on social media platforms anymore.

We are not advocating that your organization’s position should be as black and white, but we certainly recommend that threats be identified and analyzed, and that remediation controls be deployed to address them before your organization launches itself into the wonderful world of social media.

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436
