4 Tips for Writing a Great Social Media Security Policy

Think creating policies to deal with Facebook and Twitter are a security headache? Security researchers at IANS think these policies actually provide security departments with a great opportunity.

Facebook now claims 300 million active users. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics.

Naturally, social media growth has also been seen in the workplace, both with regard to employee use as well as functioning as a communication and/or marketing tool for some companies. And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, the number of enterprises with a social media policy in place has jumped dramatically, too, in just twelve months.

Also see The Seven Deadly Sins of Social Networking Security

Jack Phillips, IANS co-founder and CEO, said when IANS conducted the same survey in 2008, the majority of respondents did not have a social media policy.

"They really hadn't done the hard thinking," said Phillips. "But then jumping forward to 2009 we saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies."

Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. The take away, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives.

Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. He shared with CSO four things he thinks organizations should consider when putting together policies and practices for use of Facebook, Twitter, Linked In and other social media within an organization.

1. Don't start from scratch

The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies.

"Most purists will say: This stuff isn't really new. It should be part of our HR and acceptable use policies," said Phillips. "The same sort of norms apply to this new world that has applied to the world before today." (See How to Write an Information Security Policy for more on the basics of effective policy.)

Phillips noted most of the organizations IANS polled with a social media policy already in place said they had not named specific medias because of changing pace of new media.

"It's Twitter today, but it may be something else tomorrow," he said.

2. Use social media policies to raise security awareness

"This issue is an opportunity for info sec leaders to refocus attention on information security and risk management, said Phillips.

IANS is dispelling what Phillips says is age-old advice for enterprises when it comes to adapting to change. For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important. Same holds true this time around, said Phillips.

"We are finding some innovative awareness tactics that focus on these technologies because they are front and center. A Twitter campaign, or a Facebook campaign, a Linked In campaign, can all have real impact in terms of receptivity. The percentages are so low in terms of success of awareness campaigns, this is an opportunity to jump in."

3. Use social media access to raise security's positive profile within the organization

While the initial security reaction to new media is often to block, Phillips said most organization now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective.

Also see Security Awareness Programs: Now Hear This!

"The advice we have given is, instead of just knee-jerk blocking everything, we find that this as an opportunity to record usage and activity among the employee base," said Phillips. "When the original data-loss-protection technologies were introduced, they were not in blocking mode, but in monitoring mode."

Phillips believes the new technology of social media gives information security what he calls "an interesting opportunity" to see how critical these technologies are to the enterprise.

"That kind of information is quite useful to other functions of the enterprise," he said "Sales, marketing, HR are all going to be interested and that raises information security's profile among management."

4. Be prepared for the next phase

As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entire new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific. As it stands now, he said, he finds his clients are more comfortable with some mediums and with others; not so much. Most organizations find Linked In to be the most controllable and with the least potential for damage. But Facebook, with its security vulnerabilities, and the nature of its content, still makes many uncomfortable. Particularly, said Phillips, because many employees are not respecting that line between personal and enterprise.

"Because these technologies are so different, it is at some point we expect policies are going to have to get granular," he said. "Our sense is high-performing teams will have to create unique Facebook, Twitter, Linked In and Google Docs policies. And they are going to have to get that granular about what is appropriate and inappropriate with each tool.

"We will end up with an open environment, but we will end up with some asterisks that say, it's open, but not 100 percent open. For example, some might say: 'It is not appropriate to use the company's name on your Facebook profile.'

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies