Human Resources

Human Resources (HR) is the main driving force of the security framework. HR writes or approves all other policies, such as IT security policies, so social media policies should be no different. Whether your company is large or small, a department or person handles the HR function. The Information Technology (IT) staffing company Robert Half Technology (http://www.roberthalftechnology.com/Small-Business-Resource-Center) found that in 2010, 54 percent of U.S. companies had banned workers from using social networking sites at the office and 19 percent restricted use to business use only. In light of this restrictive HR trend, how does your company handle this issue?

Whether an employee posts communications that might impact his company from home or from work is a gray area that the company needs to clarify. If an employee tries to post information to social networks at work, you can easily forbid this with a policy document or even block it with technology such as a data loss prevention tool like Symantec’s Vontu program. If that same employee posts to social networks at home, you cannot block it. Still, the employee may effectively be limited or restricted from posting confidential or derogatory information about the company by company policy and contracts between the employee and company. However, case law isn’t clear on employees’ full rights vis-à-vis their employers when posting to social networks. In a recent case (“NLRB Backs Worker Fired After Facebook Posts Ripping Boss”1), the National Labor Relations Board is defending an employee fired for a Facebook post as a freedom of speech case. American Medical Response of Connecticut fired a medical technician for criticizing a supervisor online. By no means are these cases clear cut on what companies can legally do.

1. Susanna Kim, “NLRB Backs Worker Fired After Facebook Posts Ripping Boss,” ABC News, November 10, 2010, http://abcnews.go.com/Business/facebook-firing-labor-board-takes-stand/story?id=12099395.

Assessing the Current Environment

Human Resources and Information Technology department management must first understand what policies and processes are in place. IANS, a Boston-based research company, found that in 2008 fewer than 10 percent of the enterprises responding to its survey had implemented a social media policy; this figure jumped to 34 percent in 2009. This is definitely a step in the right direction. Analysis of current HR practices with regard to social media security can be broken down into the categories shown in Table 2-2.

Table 2-2 HR Practices

If we look back at the hack of the Mark Zuckerberg Fanpage, could more stringent policies on how pages are accessed, limits on who accesses the page, and restrictions on sharing of passwords or other procedures have prevented the hack?

Your initial assessment of current practices has to identify the company’s business goals. What is allowed runs to different extremes, and policies have to map to how a company intends to address social media usage by employees and how it intends to respond to customers over social media. Strategies and tactics must include responding not only to customer groups, but also to any and all influential communities (whether they are customers or not) that are talking about the brand and the company’s products and services. Most companies have no middle ground when it comes to their social media policies. Extreme restrictive practices often block all sites, completely record all activity, register all profiles, and limit authorization. A very relaxed environment allows companywide usage without restrictions on sites or times of usage and with no monitoring or reporting.

Information Gathering

After you have completed your current assessment steps, you then review all policies regarding social media use. Each department—Human Resources, Information Technology, Marketing, Legal, and any other department involved in social media—must first assess what policies are in place. Table 2-3 identifies the steps that each department goes through during the information gathering phase. The review JAG performed is detailed in the third column.

Table 2-3 Information Gathering Steps

Document and Process Review

After you have gathered all policies from all the departments, you must analyze each policy in detail and identify and evaluate the processes that impact social media security. After reviewing each policy, you can determine the impact on social media. Table 2-4 lists examples of how this part of the process can be applied to our fictional company, JAG Consumer Electronics.

Table 2-4 Impact of Each Policy on Secure Social Media

Measuring the Current State: H.U.M.O.R. Matrix

The analysis of how all the security-related policies and processes impact social media usage prepares you to identify your organization’s ability, from a policy perspective, to use social media securely. Our final analysis of the Human Resources metric is to identify all the tactics that make up a robust security environment. Table 2-5 shows the metrics that Human Resources needs to measure its security capabilities, with IT providing the right tools. Let’s use JAG again as our test company. After reviewing its current HR tactics and policies, JAG has filled in the matrix in Table 2-5, first by determining where it is and where it would like to be in the next 12 months. JAG currently scores a 1 on the policy items because no social media policies are really in place. JAG does have IT security policies, which is why it garnered a 2 in those components; however, JAG hasn’t updated these to address social media. JAG rates a 2 in dissemination and communication because the capabilities exist, if only the right policy content were available to disseminate. Finally, no training is provided for IT staff or employees, so that rates a 1.

Table 2-5 Human Resources Matrix
