CHAPTER 6
Social Media Security Policy Best Practices

Best practices for social media are still evolving. In the pure security world, many standards are followed, everything from National Institute of Standards and Technology (NIST) standards to ISO 27001, an Information Security Management System standard. By employing current standards, IT can follow security requirements to secure social media. If you look at social media data as you would any other data stream, you can apply current policy frameworks. For example, to secure communications between the author of your blog posts and the website hosting the blog (assuming you are hosting it), you can enable SSL and require a strong password that gets changed every 90 days. Secure data streams are part of Payment Card Industry (PCI) requirements. If the Marketing department sends data to a vendor, you can secure that communication with e-mail encryption or encrypted file transfer.

But the challenge in the social media environment has to do with the content and destination of outgoing communications, as well as the person who is consuming and responding to the communication. For example, encrypting a blog submitted by an employee will not help your company once it’s published publicly. The post may give away company secrets if the employee doesn’t know he wasn’t supposed to share certain bits of information with the public!

Every company must have policies in place and a framework laid out defining acceptable use of social media. Every organization—from small businesses to governments—needs to treat social media policies like IT policies: living documents that guide appropriate use. In this chapter, we discuss social media security policy requirements. Specifically, we cover

• The components of an effective policy

• How the H.U.M.O.R. matrix fits into your policy

• Developing your social media security policy

Toward the end of the chapter, we’ve also included a sample social media security policy that you can use as a guideline for creating your own policy.
