Operations Management

Operations management is about managing the day-to-day activities related to using social media. A company has to have structured processes for these activities and clearly defined roles for operations. Operational weaknesses can lead to downtime of the social media tools being used, lost opportunities or increased risk resulting from incoherent or incomplete business processes, or the loss of data through weak restrictions on social media.

The role of IT in providing security for a dispersed medium such as social media has to be clearly defined and articulated both to the IT department and to the end user. In the “Human Resources” section, you defined the IT security policies that must be applied to social media. Operations are the implementation of those policies. How involved should security be, and where is the line between IT and the business unit owners such as Marketing and Legal? The role of defining the security issues may fall on the IT department, but working with and educating employees and the business unit owners may fall to different groups.

Assessing the Current Environment

The key responsibility for Operations lies with the Information Technology department. To a lesser extent, Operations will also be handled by other departments such as Marketing, Human Resources, and Legal for certain aspects of social media management.

Assessment Steps for Understanding Operational Risks

To understand how operations impact the ability to utilize social media tools properly, your staff and employees have to know the appropriate steps to follow. Different tactics and job functions will determine what tools are necessary on a day-to-day basis. Key areas that will drive your operational capabilities include access to information, the impact of regulations, data management requirements, shared service models, business continuity, and necessary support services.

Access: Your employees may be storing sensitive data on social media sites, such as work documents they might e-mail to themselves for later use or key information about themselves that can be used to guess their passwords, such as a birth date or children’s names. Determine who is accessing that information internally by logging visits within your company to social media sites with web filtering technologies such as FireEye (www.fireeye.com). Determine how employees are accessing that information. Can you tell if they surf the Web or go online using smart phones provided by the company?

Regulations: Do you know if the social media site meets any regulatory requirements? Are you under a regulatory requirement that might bar you from using third parties that have not been audited or met certain standards? Do your employees know whether the data they may be submitting to social media sites is breaking a regulation? Determine a fast and effective process for removing information from each of the social media platforms, as well as any third-party applications used in conjunction with them, to comply with regulations. When it comes to social media and the ability to share content across mediums at the click of a button, rapid response is critical.

Data storage: Do you know where the servers you are using for your social media activity actually store your data and interactions? What if it’s in another country? Or, in the case of Blackberry, which runs all enterprise traffic through RIM data centers in Britain and Canada, are messages subject to eavesdropping by competent hackers or governments? If it’s confidential or sensitive or regulated data, are the encryption levels strong enough or are you at risk of breaking some law? Also, depending on whether you are using Blackberry’s own Facebook application or another party’s application on a Blackberry to access your Facebook profile, your data may be sitting on multiple servers in several countries without your or your employee’s knowledge. Determine where data is stored. Depending on the location, it might impact the ability of your organization to use social media platforms for business.

Data access: After spending dozens of hours submitting content and media to a website and establishing relationships and creating a community, can you export that data? How often is the data backed up? Determine your backup and recovery strategy for social media content.

Shared services: The concept of cloud computing is about shared services. What if you have access to a server with thousands of others and data gets commingled? Determine if there is a risk of your data being commingled.

Business continuity: If you have spent vast sums on a marketing campaign that utilizes a social media site or process, your business could be dependent on that site or process. If that site goes away, you could be out of luck, losing data and customers and wasting time and resources. You do not control social media sites. Determine if there is a business continuity plan in place for the particular social media platforms you are using.

Support services: Social media sites are notorious for not having support. You are usually on your own. How do your employees use these sites and do they need assistance, which could be a drain on your own resources? First understand how employees use the social networks and what applications are truly needed. What functionality do employees need? You can then determine the level of support necessary to meet a specific business goal.
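The Access step above asks who is visiting social media sites from inside the company and whether they do so from desktops or company smart phones. The following is an added example, not from the book, that answers both questions from web proxy logs; the log layout, the watch list of domains, and the user-agent markers are all assumptions to adapt to your own filtering product.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed watch list; keep it in step with the sites your company actually uses.
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "linkedin.com", "youtube.com")
MOBILE_MARKERS = ("BlackBerry", "iPhone", "Android", "Windows Phone")

# Constructed sample in a made-up layout: time user ip method url status "agent"
SAMPLE_LOG = '''\
2011-03-01T09:02:11Z jsmith 10.1.4.22 GET http://www.facebook.com/home.php 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2011-03-01T09:05:40Z jsmith 10.1.4.22 POST http://upload.facebook.com/photos 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2011-03-01T09:07:02Z mlee 10.1.9.8 GET http://twitter.com/example 200 "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1"
2011-03-01T09:08:15Z mlee 10.1.9.8 GET http://intranet.example.com/wiki 200 "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1"
2011-03-01T09:09:59Z akhan 10.1.7.3 GET http://notfacebook.com/ 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2) Safari/533"
malformed line without enough fields
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def social_site(url):
    """Return the watched domain a URL belongs to, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for domain in SOCIAL_DOMAINS:
        # Exact host or a true subdomain; "notfacebook.com" must not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def summarize(log_text):
    """Count visits and uploads per (user, site, device class)."""
    report = defaultdict(lambda: {"visits": 0, "uploads": 0})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):  # ignore blank lines
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count unparsed lines so logging gaps stay visible
            continue
        _, user, _, method, url, _, agent = m.groups()
        site = social_site(url)
        if site is None:
            continue
        device = "mobile" if any(k in agent for k in MOBILE_MARKERS) else "desktop"
        entry = report[(user, site, device)]
        entry["visits"] += 1
        if method in ("POST", "PUT"):  # content being submitted to the site
            entry["uploads"] += 1
    return dict(report), skipped
```

Calling `summarize(SAMPLE_LOG)` returns the per-user counts plus the number of lines that could not be parsed; a rising unparsed count means the log format has drifted and the report is undercounting.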

Assessment Steps for Cloud Resources

When using cloud or open source technologies, it is important to assess the risk of both types of technologies:

1. Identify how information is stored.

2. Identify how information is controlled.

3. Identify the channels for creating and accessing information.

4. Identify any information access mechanism by users.

5. Identify their identity theft response capabilities.

6. Identify their third-party credential storage management routines.

7. Identify their capabilities to protect against spam, viruses, and malware.

8. Identify hacker attacks on stored data or applications.

9. Identify data loss prevention techniques.

The IT department’s final responsibility lies in determining and implementing the necessary toolset to protect social media usage. Until recently, all the IT security tools were focused on the network layer, the operating system layer, and the application layer. All the policies and operations guides were geared at securing these environments. Now, social media pushes the control outside of IT and makes the management and usage of data a new responsibility for IT. A list of sites and services and the tools necessary to provide some form of tracking, monitoring, and reporting of those sites and services should be created and updated as social media changes. With the many options you have, a tracking mechanism to manage all your technologies is definitely a requirement.

The desired outcome of the use of tools and security processes should be defined in the “Human Resources” section through the policies and procedures created. For each technology used, define the effects of a specific attack and how the appropriate response from a technology perspective and a policy perspective will address the attack. We will go into more detail later in Chapter 4 on defining threats and how to respond. This section should only assess what the current environment is and set the stage for implementing IT audit controls.

Information Gathering

Operations management procedures are part of the standard processes IT follows for day-to-day security management. The difference is that social media has to be specifically addressed as a landscape that changes on an almost daily basis.

To assess the current environment, the various departments, with IT leading, should address the following questions:

Do you have a secure social media operations guide or a subset of guidelines within normal operating procedures?

What practices are currently being followed?

Is there a specific correlation between Human Resources and IT security policies and social media tactics?

Have responsibilities been designated to specific departments?

Does your company follow any industry best practices for operations?

How do you find industry best practices for social media security operations?

How does IT track new social media sites and technologies to anticipate security concerns or different data usage paths?

Who is allowed to conduct social media practices?

Is there a process to inform operators of social media platforms and new usage by other departments?

Where do the operators learn about new social media security problems and solutions?

Measuring the Current State: H.U.M.O.R. Matrix

After reviewing the operations capabilities of the various departments, you can start measuring your capabilities in the Operations management portion of the H.U.M.O.R. Matrix. As we have done previously, JAG Consumer Electronics has assessed their environment and come up with the following ratings in Table 2-10. JAG is again rated Poor because the company has not clearly identified operational guidelines for social media security. Policies are not being followed, day-to-day activities are not in place, and the IT department has not integrated social media monitoring into its processes. JAG has no ability to track where data is being stored on social media sites and no ability to recover operations if those sites become unavailable or the data becomes unavailable.

Table 2-10 Operations Management Matrix
