Operations Management Strategy

Your Operations Management strategy provides a way to correlate information about your day-to-day activities in the social media landscape. By compiling information from all departments using the centralized tools we discussed in previous chapters, such as Radian6, SocialMention, or Addict-o-matic, you can manage and respond to threats that come through social media channels, limit damage to the company, and reduce your risk. In this section, we look at who is responsible for various operations, what assets need to be managed, the training necessary to conduct operations and communications, as well as network management, access controls (both physical and logical), compliance management, and security testing processes.

Roles and Responsibilities

Operations Management strategies have to be companywide and also applied to the contractors and partners you use in your social media campaigns. The purpose of this guideline is to manage day-to-day social media usage and to handle any adverse events in which some aspect of security is threatened, including loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability.

The IT department, the Community Manager, or both, are responsible for developing and maintaining the social media policies we discussed in Chapter 6. Specific responsibilities for Operations Management include

• Developing and maintaining the company social media security program

• Developing information risk analysis, assessment, and acceptance processes for all tools being used

• Promoting awareness and training for the new processes and policies put in place

• Educating personnel as to the implementation of the social media security program

• Serving, or assigning a direct report, as a member of any technical advisory committees to evaluate new technology resources

• Collaborating with other business units regarding their changing business goals to ensure that social media security issues are addressed early in marketing campaigns

• Consulting with senior management early on in any social media security crisis

An annual information security risk assessment and review of implemented security controls should be performed. In addition, ongoing self-assessment can be part of the security processes. In a larger organization with its own security team, this audit can be handled internally. With a smaller team, this review may have to be outsourced. The review and assessment ensures that the existing guidelines and controls adequately address changes to business requirements and priorities and consider new threats and vulnerabilities to the company as social media evolves.

Asset Management

IT should maintain an inventory list of all the tools used in managing social media usage as a subset of the IT general inventory—by department and by responsibilities. Every application, whether hosted by a third party or internally, should be part of this asset management system. All systems that have installed applications should be secured, just as you would secure any other installed application, and if social media data is stored locally, it should be encrypted. Data management of third-party applications and storage becomes more difficult because it is distributed on sites you don’t control.

Information and data stored on laptops, mobile web-enabled devices, and portable computers and third-party applications must be backed up regularly. If you store customer data in third-party applications like Facebook, keep a local copy of all the customer contact data offline. With the assistance of the IT department, authorized Facebook users should ensure that backups take place on a regular basis. For example, if Marketing uses Facebook to manage customer interactions, there should be some method of downloading and storing contacts and e-mails from consumers who are following the company on Facebook. This backup process is not as simple as backing up a server in your data center. You can do a manual download of your Facebook information by selecting the Account option in Facebook. Then select Account Settings and Download Your Information. Third-party applications, such as SocialSafe (www.socialsafe.net), are available as well.

As covered in Chapter 8, the company’s intellectual property is also an asset. IT, along with Marketing and Legal, should check for potential infringement of this asset. For example, the company’s brand name might be stolen by someone on one of many social media sites. Your company may have registered a page or a profile on Facebook, Twitter, Foursquare, and Flickr, but how about on Slideshare, MySpace, Tagged, bebo, hi5, Tumblr, or others? In Figure 10-1, you can see how using a tool such as Knowem allows you to see how your name is being used in a number of social media applications. In this example, the name “KRAASecurity” is taken in Twitter, Digg, YouTube, and LinkedIn, but not yet taken in MySpace, Flickr, or Tumblr, among others. What if someone had registered this name on those other sites and posted a page that made the company look bad? This is why it’s a good practice to register your company name with as many of these sites as possible to eliminate some risk of brand damage. We’ll talk more about Reputation Management in the next chapter.


Figure 10-1 Using Knowem.com to check your registered name

NOTE

If you haven’t registered your name but it has been taken, in some cases, you may be able to work collaboratively with the site to get your name back. In other cases, you may have to explore legal action with the platform or with the squatter to recover your brand name on a particular social media site.

To the extent possible, it is better to reserve the company’s brand name across the most important current and emerging social networks, establish an official profile, and monitor engagement on those sites. Whether the company is active or not on these other social networks, monitoring for brand mentions is important. The volume and sentiment of mentions will largely determine the engagement or corrective actions that the Community Manager must take to respond to consumer interest or concerns.

Security Awareness Training

The company should train its own personnel and third parties in information security when dealing with company data on social media sites. Training can be accomplished through a variety of methods: Webinars, PowerPoint presentations, policies, live training, and so on. Training should cover all platforms that may impact brand management or customer relations. When new social media platforms and sites are created, the company should provide regular and relevant information security awareness communications to all staff through various means, such as electronic updates, briefings, and newsletters, as well as via social media sites such as corporate wikis.

If any business unit uses third-party companies to manage social media, especially when managing customer information, your social media security guidelines must be formally delivered to the third-party company prior to the commencement of any provision of services, and you must ensure that they understand your security protocols and requirements. Key goals of the operational training program include:

• Providing specialized training based on applications and job functions

• Training according to policies that are in place, such as your IT security policy

• Providing training on the differences between business and personal social media functions and where the line gets crossed (such as posting personal anecdotes on the corporate Twitter account, which is just meant for corporate posts)

• Providing risk classification and information disclosure training

• Providing guidance on how to communicate with the public

• Providing training on specific regulatory requirements relevant to your business

• Providing knowledge of threats in the social media sphere

NOTE

As part of training, ensure all company personnel understand that they have a responsibility to report incidents affecting security through appropriate management channels. Every IT security policy should include steps for incident response; these guidelines should also be followed in the case of a social media incident. If you do not have an Incident Response policy, you are definitely not up to best practices! Any incident, event, or circumstance that might reasonably be expected to adversely impact any individual, or the security of the company, its data, interests, or operations must be reported to IT security or to the Community Manager or other designated staff.

Physical Security

If applications are hosted in-house, appropriate physical entry controls should be in place to ensure that only authorized personnel are allowed access to data facilities. All computer premises must be protected from unauthorized access using an appropriate identification system—such as card key access to server rooms or password protections to company laptops and desktops—to identify, authenticate, and monitor all access attempts.

When using third-party hosted platforms such as WordPress, you can request a SAS 70 report on the security measures they follow. Most reputable vendors will have a report on their security procedures, which includes physical security.

Communications

Document operating procedures for all tools and processes used to manage social media campaigns and communicate these procedures appropriately. At a minimum, you want to have procedures for

• Handling company restricted or confidential information as appropriate

• Scheduling requirements, interdependencies with other systems, job start and completion times

• Instructions for handling errors such as inappropriate posts

• Support contacts for each social media site for assistance in problems such as unavailable access or lost passwords

• System recovery procedures in the event of hosted application failures

Change control procedures should also be in place when changes occur, whether regarding the tools or hosted sites used, marketing campaigns, or the back-office tools for monitoring the environment and employees’ activities. If new staff are authorized to access the company social media accounts, create a change control form to track that access.

The challenge of managing change control on third-party hosted tools is significant. You cannot dictate what functions will change or even know ahead of time what’s coming from the site you are using. Facebook seems to change its privacy functions every few months. At best, you can monitor all the sites you use for updates and analyze those updates quickly to determine if they have any adverse effects on your usage or customers or employees. Utilize formal change control procedures for all major changes to production applications and software that you do control in-house, and then communicate those changes to staff.

Part of the change process should be a notifications process when there are any threats to the software being used. If a worm or virus is spreading through a Facebook application, the IT staff or Community Manager must convey the danger to users through e-mail notifications or company wiki websites or shared forums. Company employees should be made aware of the danger of unauthorized or malicious software and of detection, escalation, containment, and eradication procedures when malicious software is discovered.

Network Management

Access to information and actual social media sites and tools should be strictly controlled. If possible, log all access to these sites and tools. With third-party sites, logging will be difficult. But you can provide some logging by monitoring all access to these sites from a company-owned computer or smartphone. Enable security auditing on all critical applications that are hosted in-house. You should log:

• Authorized access, including user ID, date and time of key events, types of events, accounts accessed, and program/utilities used

• Unauthorized access attempts, including failed access and login attempts, access policy violations, alerts, and system failures

Network management should follow best practices for network security for any systems managing and hosting social media applications within your control:

• Establish hardened operating systems.

• Enable strong encrypted authentication and communications, especially across different networks.

• Follow best practices in application and operating system patch management.

• Use the latest patched web browsers.

• Provide black lists and white lists for social media site access.

• Create authorized user access control protocols to specific sites and applications.

• Implement web content filtering to monitor and manage all network access.

• Implement data loss prevention technology to block and report on content.
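The logging requirements above (authorized access, failed login attempts, access policy violations) and the white list item can be turned into a simple review script. The following is an added example, not from the book: it audits constructed proxy/authentication log lines in an assumed format, counts failed logins per user, and reports access to social media hosts that are not on the company white list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real system). The line format is
# an assumption: "<time> user=<id> host=<domain> action=<login|view|post> status=<ok|fail>"
SAMPLE_LOG = """\
2011-03-01T09:02:11 user=jsmith host=www.facebook.com action=login status=ok
2011-03-01T09:05:40 user=jsmith host=www.facebook.com action=post status=ok
2011-03-01T09:07:02 user=bjones host=twitter.com action=login status=fail
2011-03-01T09:07:15 user=bjones host=twitter.com action=login status=fail
2011-03-01T09:07:31 user=bjones host=twitter.com action=login status=fail
2011-03-01T09:08:00 user=bjones host=twitter.com action=login status=fail
2011-03-01T10:15:22 user=kdoe host=www.hi5.com action=view status=ok
2011-03-01T10:16:03 user=kdoe host=www.tumblr.com action=view status=ok
2011-03-01T11:00:00 user=jsmith host=www.linkedin.com action=login status=ok
"""

# Assumed company white list of approved social media hosts
WHITELIST = {"www.facebook.com", "twitter.com", "www.linkedin.com"}
# Failed logins at or above this count for one user raise an alert
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) status=(?P<status>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, whitelist=WHITELIST, threshold=FAILED_LOGIN_THRESHOLD):
    """Review a log and return (failed_login_alerts, unlisted_access, unparsed_count).

    failed_login_alerts: {user: failed login count} for users at/above threshold
    unlisted_access:     {user: [hosts]} for access to hosts not on the white list
    unparsed_count:      lines that did not match the expected format (worth a look too)
    """
    failed = Counter()
    unlisted = defaultdict(set)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] == "login" and rec["status"] == "fail":
            failed[rec["user"]] += 1
        if rec["host"] not in whitelist:
            unlisted[rec["user"]].add(rec["host"])
    alerts = {user: n for user, n in failed.items() if n >= threshold}
    return alerts, {user: sorted(hosts) for user, hosts in unlisted.items()}, unparsed


if __name__ == "__main__":
    alerts, unlisted, unparsed = audit(SAMPLE_LOG)
    print("Repeated failed logins:", alerts)
    print("Access to non-white-listed hosts:", unlisted)
    print("Unparsed lines:", unparsed)
```

On real proxy or application logs the same three outputs map directly onto the log review items listed above, with the regular expression adjusted to the actual format.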

Employees should have no expectation of privacy when using company resources. As we mentioned in Chapter 3, the U.S. Supreme Court ruled in favor of companies being able to monitor their employees. Other countries may have a different legal stance on this topic, and if your business is international, you should be aware of the local country’s data privacy laws and human resource laws. According to a 2010 Trend Micro survey (http://uk.trendmicro.com/uk/about/news/pr/article/20101102170926.html) of corporate and small business Internet users, 50 percent admitted to revealing confidential information using unsecured web mail or social media accounts and 60 percent of mobile employees admitted to sending out confidential information. The survey also revealed that one out of ten users admitted to overriding their company’s security systems in order to access restricted websites.

The company should reserve the right to investigate any information stored on the company’s systems. Some situations may require access to personnel files, such as complying with a court order, subpoena, lawsuit, discovery request, or other authorized request from a government agency investigating an incident. The IT department and the Community Manager (if one is in place) have to document and update all operational security procedures.

Access Control

Access to software tools should be controlled based on business and security requirements. When implementing new campaigns or tools, observe the following protocols:

• Security requirements for business applications and supporting information systems and processes.

• Assigned roles and responsibilities for managing business application security and supporting information systems and processes. A Community Manager may have more rights than someone in marketing to post to the company blog, or a regular employee may be barred from mentioning the company name without permission.

• The classification level of information handled by the in-house and third-party hosted social media tools and the definition of the type of data being handled—generally acceptable classifications are Confidential, Privileged (do not distribute), and Public.

• Relevant legislation and contractual obligations regarding protection of access to data or services being used in applications.

The IT department or the Community Manager should require a formal user registration process for granting access to social media accounts. This process should include the following:

• Assigning unique user IDs so users can be linked to and made responsible for their actions

• Ensuring access levels (privileges) are implemented in a least-privilege manner

NOTE

Least-privilege means employees are only given the bare minimum access needed to do their jobs, in accordance with each role and responsibility.

• Ensuring appropriate management/data owner authorization is obtained prior to granting access to customer information

• Ensuring employees are aware of their security responsibilities and the terms and conditions for their access to social media

• Reviewing user access rights on a quarterly basis

Because many social media platforms are hosted by third parties, reviewing access rights frequently is extremely important. If an employee leaves, he or she can easily log into the company Facebook account and cause trouble, if the password hasn’t been changed.
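The quarterly access review and the departed-employee risk described above can be checked mechanically. The following is an added example, not from the book: it compares an assumed list of social media account grants against the current staff roster and a role matrix (modelled on the Community Manager > marketing > employee ordering given earlier), and reports departed users, grants that exceed the role allowed for a job function, accounts whose shared credentials should be rotated, and grants overdue for review.

```python
from datetime import date, timedelta

# Assumed role matrix: which roles each job function may hold on a company account
ALLOWED_ROLES = {
    "community_manager": {"admin", "post", "read"},
    "marketing": {"post", "read"},
    "employee": {"read"},
}
REVIEW_INTERVAL_DAYS = 90  # quarterly review cadence from the checklist above

# Constructed sample data: current staff (user -> job function) and account grants
ACTIVE_STAFF = {"jsmith": "community_manager", "bjones": "marketing", "kdoe": "employee"}
GRANTS = [
    {"account": "facebook:company-page", "user": "jsmith", "role": "admin", "last_reviewed": "2011-01-10"},
    {"account": "facebook:company-page", "user": "bjones", "role": "post", "last_reviewed": "2011-01-10"},
    {"account": "facebook:company-page", "user": "rgone", "role": "post", "last_reviewed": "2010-09-01"},
    {"account": "twitter:@company", "user": "kdoe", "role": "post", "last_reviewed": "2011-02-15"},
    {"account": "blog:wordpress", "user": "bjones", "role": "post", "last_reviewed": "2010-11-20"},
]


def review_access(grants, active_staff, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return a dict of findings from one access review pass.

    departed:           (account, user) where the user is no longer on the roster
    rotate_credentials: accounts a departed user could still log into (change the password)
    excess_privilege:   (account, user, role) where the role exceeds the job function's allowance
    overdue_review:     (account, user) not reviewed within the interval
    """
    findings = {"departed": [], "rotate_credentials": set(),
                "excess_privilege": [], "overdue_review": []}
    for g in grants:
        job = active_staff.get(g["user"])
        if job is None:
            # Departed user: the grant is stale and the shared account password is at risk
            findings["departed"].append((g["account"], g["user"]))
            findings["rotate_credentials"].add(g["account"])
            continue
        if g["role"] not in ALLOWED_ROLES[job]:
            findings["excess_privilege"].append((g["account"], g["user"], g["role"]))
        reviewed = date.fromisoformat(g["last_reviewed"])
        if today - reviewed > timedelta(days=interval_days):
            findings["overdue_review"].append((g["account"], g["user"]))
    findings["rotate_credentials"] = sorted(findings["rotate_credentials"])
    return findings


if __name__ == "__main__":
    for key, value in review_access(GRANTS, ACTIVE_STAFF, date(2011, 3, 1)).items():
        print(f"{key}: {value}")
```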

As with all systems that require a login, a good password policy and process must be in place. This process must include both newly assigned and reset passwords. An ideal password management process must:

• Ensure that users are aware of their responsibilities for maintaining the confidentiality of their passwords.

• Ensure users are provided initially with a secure temporary password.

• Require that the temporary password be changed immediately.

• Ensure verification of a user’s identity prior to providing a temporary password.

• Require password expiration every 180 days (this works only for internal sites and applications you host; third-party hosted applications generally do not have password expiration).

Access to application systems must be based on an individual’s roles and responsibilities and on the underlying business application requirements. Functional roles, such as the Community Manager, should be defined based on the job requirements, and IT should grant application access based on these roles and requirements.

Access to hosted social media sites from non-company-owned systems should be restricted if possible. For example, if the employee is at a hotel and using a public kiosk, you may not want him or her logging in to your accounts. You don’t know if a keylogger might be running on that public machine and capturing all data typed. If your employees are using your company systems to access a site, you have some comfort level in knowing you have antivirus and firewalls running to protect the computer and minimize the risk of a hacker gaining the login ID and password. If you allow access from untrusted systems, the risk of compromised login credentials increases exponentially. It is very hard to programmatically restrict access to only certain devices; you have to use policies to enforce this type of behavior.

Application Development and Testing

If you will be hosting your own internal social media applications such as a wiki, you should follow best practices in software development. You have to build in security as you design the application and its functions. You should also consider adding controls and audit trails of activities that can be easily monitored and logged. Follow basic applications testing procedures even if you use open source applications internally. Testing can include reviewing the following:

• Input data validation testing: Test if the application accepts only valid types of data and not corrupt or garbage input data.

• Data integrity controls: Verify that legitimate data is entered.

• Message authentication: Verify who is sending the message.

• Application hosting facility: Test the security posture of the servers hosting the applications.

• Cryptographic controls: Verify that data is sent and used over encrypted channels.

• Security of system files and directories: Verify that the operating system files can’t be compromised to allow unauthorized access to application data.

• Application of operating system security patches: Verify consistent patch management for known weaknesses.

• Backup processes and version control: Verify consistent backup processes are in place.

• User access controls: Verify that only authorized users can access the applications.

Developing in-house applications for social media is low on the list for most companies since using a free application such as WordPress and internal wikis or an installed application such as HootSuite is much easier. If this is the case, application testing will focus on ensuring that the systems hosting the application are secure from attack and that the application installation does not have any weaknesses. For IT departments, conducting a routine application security assessment or host security assessment should be a part of ongoing security processes.

When using third-party applications, you can only really rely on their SAS 70 reports. You can’t conduct testing of third-party sites without explicit permission, which is usually hard to get. You have to rely on your own research into the reputability of the site, reviewing their posted policies and privacy information and publicly available testing such as the Google Safe Browsing diagnostic page. With this free service, you can see if a site is known to be malicious or to host malicious applications, as shown in Figure 10-2. The site “maharath.com” is reported to be potentially harmful to your computer.


Figure 10-2 Testing a site with Google Safe Browsing for malicious activity

Compliance

Every company faces some form of compliance restrictions. IT cannot be solely responsible for making sure systems meet all the compliance standards. Legal and Human Resources must work with IT to make sure the right controls are in place to meet all regulations that impact the company. For each application being used for social media campaigns, have the legal department review how data is handled, contracts with any third-party providers, and what data may impact regulations.

International law also poses a challenge to social media. Many sites you use may not be hosted in your home country. You might be impacted by privacy laws if you are transferring customer information from the European Union to the United States. In Europe, for example, consumers have to give permission for a company to collect personal information and the consumer can review that information; employers cannot read workers’ private e-mail; companies cannot share data across borders without consumer permission; and checkout clerks do not have the right to ask for your phone number. The European Union Directive on Data Protection of 1995 creates a Data Protection Authority to protect citizens’ privacy.

If you operate in a country that blocks or attempts to block social media sites, such as Uganda or China, then your marketing policies have to take this into account. You have to be aware of what access consumers will have to your social media platforms and the data you provide through those platforms.

The users of social media platforms also have to be informed and trained regarding intellectual property rights, copyright laws, and the proper use of media licensed under the Creative Commons regime. It’s easy to copy articles into blog posts or share information you find on the Internet, but it’s also easy to infringe on someone else’s rights. You have to implement the right tools to verify compliance with these standards, including monitoring of programs and data on company computers and communication equipment with data loss prevention techniques.

Personal use of social media during standard business hours can lead to a loss of productivity. If you implement data loss prevention tools, you can easily monitor what employees are doing and see when they are spending too much time on personal activities. Before monitoring, review with Human Resources to determine what the company prohibits, which might include any or all of the following:

• Engaging in any communication that is unlawful or breaks company policy

• Using someone else’s passwords to access other resources

• Installing personal software on company assets

• Communicating too much information about the company over social media sites

• Impacting the company’s reputation

• Viewing prohibited sites such as those involved in gambling, adult material, or other illegal sites

• Conducting personal business
