Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

« March 2010 | Main | May 2010 »

April 2010

Social Media and Policy

In the broadest of definitions, people have been blogging for centuries.  Whether on a soapbox in the middle of town square or on the world stage of the Internet, people tend to gravitate towards public forums, where they can voice their opinions, make observational comments, or simply rant.  So, in today’s rigorous environment of governance, risk, and compliance, how does social media impact one’s corporate citizenship and the organization for which they work? The answer is, in a word, policy.

As with all business risk (and, ‘yes’, the use of social media is a business risk), policy is often implemented as a mitigating control.  At the heart of a well written policy should lay a clearly defined behavioral expectation related to a particular risk, as set forth by executive leadership.  In the case of social media, the intent of the policy will typically revolve around its acceptable professional use.

 

Policies related to social media can vary greatly from organization to organization.  This is tied to multiple variables, which may include, but are not limited to: the type of risk, corporate culture, the organization’s levels of acceptable risk (what some may refer to as ‘risk appetite’), contractual obligations, industry regulations, and an ever growing number of laws.   Compounding the issue is the speed and totality in which social media has been generally adopted.  As a result, the pervasive and permeating use of social media and its relationship to the workplace is still a fairly new challenge with varying ramifications.

 

As the business impact of social media continues to grow, discussions and issues related to both compliance and non-compliance are becoming commonplace.  I leave you with the following: 

 

  • The FTC is now addressing the use of social media in Marketing:

http://www.adweek.com/aw/content_display/community/columns/other-columns/e3i5bf1e98f0ce98d79ff2629077ea6b78a

 

  • The use of social media is finding its way into guidelines and regulations:

http://blogs.bankinfosecurity.com/posts.php?postID=499

 

  • Individuals are being fined for violating policy via the use of social media:

http://sports.yahoo.com/nba/blog/ball_dont_lie/post/Dwight-Howard-has-to-pay-35-000-just-for-blogg?urn=nba,237611

Robert Salandre on 30 April 2010 | | Comments (0)

| | | | | |

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them.  I focused mostly on “apps” within these social networking communities.   These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

  • Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball).  Do you trust the requestor?  Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you  can install it now and then proceed with your original task.  Do you know the software provider?

  • Review your privacy settings periodically, there are many recommendations  in this regard in the mainstream media (see table at bottom).
  • When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy!  There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!
  • Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it.  If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk.  To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time.  When creating such accounts do be sure they are not endowed with any administrative powers.  Delete all the files they leave behind and perform a virus/spyware scan.  Don’t think of it as being distrustful, think of it as good hygiene.
  • Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials,  tax returns, medical bills/records, …).   This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have  experienced ID theft, you may decide I am not being adamant enough!  Of course, you have to find a happy medium for your circumstances.  Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy

Privacy Recommendation

facebook

High level: NY Times

Very detailed: AllFacebook

MySpace

For better privacy control, switch from profile 1.0 to profile 2.0. 

MySpace recommendation

LinkedIn

Walk-through: Network World

LinkedIn recommendation

twitter

Creating a non-public  twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

John Brady on 06 April 2010 | | Comments (1)

| | | | | |