What Is an Effective Social Media Security Policy?

Defining the content of a policy is the first great challenge. Currently, no international standards body (such as the Institute of Electrical and Electronics Engineers, or IEEE) addresses this problem. The government is trying to adapt NIST SP 800-53 Rev 3, a government standard on information security procedures, to take into account some form of accreditation for services such as Twitter or YouTube as a network system. As these are hosted services, however, you have no control over them; you have to rely on the administrators of Twitter and YouTube to maintain security protocols.

An effective policy has several main components that take into account the type of services used. Social media platforms are both internal and external, and what type you use will necessarily dictate at least some parts of your policy. Here are the key ingredients that policies should have:

• Any regulatory and legal requirements that social media use could impact

• Managing internally and externally hosted applications, including monitoring and reporting tools and techniques, and testing and auditing

• Enterprise-wide coordination

• Codes of conduct and acceptable use

• Roles and responsibilities for the Community Manager

• Education and training

• Policy management, reporting, and monitoring

Regulatory and Legal Requirements

As we’ve discussed in earlier chapters, the reasons for needing a social media security policy (or a security policy applied to your organization’s social media usage) are very similar to any other policy you may have. Employees need guidelines for appropriate usage. The decades-old acronym PEBKAC—Problem Exists Between Keyboard And Chair—certainly applies to today’s new social media environment. A number of legal risks also drive the need for documented policies. Several of these include:

• Discrimination claims: Employees can say anything over social media that might be attributed to the company. For example, you could have a policy basically saying that if employees post things on personal sites that impact other employees or the company, they may be terminated. Discrimination claims can lead to an employee claiming a hostile work environment and filing a lawsuit. Or perhaps a supervisor uses social media to disparage an employee during off hours; this could also cause a lawsuit.

• Defamation claims: Employees may say things over business or personal social media outlets that impact the company or competitors or even customers. Employers may share too much information, including photos, about other employees that can lead to a lawsuit. Case law has not settled on this as yet. A case was pending in which the National Labor Relations Board alleged that American Medical Response of Connecticut Inc. had illegally fired an employee in 2009 after she criticized her supervisor via a personal Facebook post. The firing prompted a lawsuit based on protected speech under Federal labor laws. The case was settled in early 2011. The settlement called for American Medical Response of Connecticut Inc. to change its blogging and Internet policy that barred workers from disparaging the company or its supervisors. The company also has to revise another policy that prohibits employees from depicting the company in any way over the Internet without permission.[2] This is a far-reaching consequence for their overall policy. The modified policy has to be very careful in trying to restrict off-hours usage.

[2] “Company Accused of Firing Over Facebook Post,” New York Times (November 8, 2010), http://news.yahoo.com/s/ap/20101109/ap_on_hi_te/us_facebook_firing.

• Confidentiality breach: This risk is probably the most prevalent. An employee shares too much confidential information, leading to regulatory fines or even competitors finding out too much.

• Regulatory breach: Many regulations also include educational components for employees, detailing what is appropriate to communicate about regulated products, such as financial investment opportunities or claims about pharmaceutical drugs, or about disseminating confidential customer information. For example, an employee might easily share too much patient information over social media in breach of the HIPAA Security Rule regulations, as illustrated in Chapter 4 in the case involving a Twitter post sent out by a hospital employee.

Your policy should address the consequences of giving out proprietary and confidential company information; making discriminatory statements; and making defamatory statements regarding the company, its employees, customers, competitors, or vendors. It should address how employees can use the company name and what information can be shared. You need to have a well-documented escalation procedure to apply the right enforcement capabilities, create a framework for chain of custody, document all types of legal discovery and proceedings, and provide justification for possible actions against employees, hackers, or other malefactors. Much social media content is beyond the company’s direct control, so policies and procedures have to suffice where technology tools cannot have an impact.

Managing In-house (Self-hosted) Applications

Your social media security policy should detail security requirements for using social media sites that you do have control over. Companies that write their own policies and requirements without adopting a secure process for developing applications end up with policies based on how technology and data privacy have historically been treated in typical security infrastructures. Many approaches to securing a social media application or website are similar to securing your company’s ecommerce site or proprietary applications. Differences occur when you are compromised by an employee saying something inappropriate, a customer attacking your company brand, or your sales team losing customer data over social media channels. These problems make it into the public sphere much quicker; customer feedback is almost immediate; and your brand can suffer damage within the span of a few hours.

When using social media sites that you do have control over, such as your own WordPress-based blog or wiki site, key security requirements must be built in before the sites are made available to your employees:

1. Ensure that you have followed a security assessment process to test applications for risk from traditional attacks, data management problems, and insecure coding practices. Your security processes should detail the basic steps you have to follow in testing a web-based social media application:

a. Information gathering, including application fingerprinting; application discovery; spidering and Googling; analysis of error codes; SSL/TLS testing; DB listener testing; file extension handling; and old, backup, and unreferenced files

NOTE

For detailed technical security analysis of secure software testing, review Hacking Exposed 6: Network Security Secrets & Solutions by Stuart McClure, Joel Scambray, and George Kurtz (McGraw-Hill Professional, 2009).

b. Authentication testing, including default or guessable accounts, brute force, bypassing authentication schemas, directory traversal/file include, vulnerable “remember password” and password reset functions, and logout and browser cache management testing

c. Session management testing, including the session management schema, session token manipulation, exposed session variables, and HTTP exploits

d. Data validation testing, including cross-site scripting, HTTP methods and XST, SQL injection, stored procedure injection, XML injection, SSI injection, XPath injection, IMAP/SMTP injection, code injection, and buffer overflow

e. Web services testing, including XML structural testing, XML content-level testing, and HTTP GET parameters/REST testing

f. Denial of service testing, including locking customer accounts, user-specified object allocation, user input as a loop counter, writing user-provided data to disk, failure to release resources, and storing too much data in session

2. Address post-deployment testing and consistent testing of your application over time.

3. Identify what key company and customer information should be encrypted during each data management step: creation, transportation, usage, storage, and destruction.

4. Review how authentication steps are handled for third-party applications and APIs; weak or plaintext (unencrypted) authentication can allow inappropriate access to or theft of credentials.

5. Define strong passwords and how they will be enforced and when they should be changed, especially if multiple employees in, for example, Marketing might have access to the company account on sites such as YouTube or Facebook.

6. Address log management issues. Where possible, you want to log which employees access the social media corporate accounts and know who posts information. Log management can be extremely important to incident response plans.
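Steps 5 and 6 call for knowing which employee used a shared corporate account and for logs that will stand up during incident response. The following is an added illustration of one way to do that; it is not code from this book or from any social media platform. It keeps an append-only record of shared-account activity in which every entry carries an HMAC over its own fields plus the previous entry's MAC, so that a later edit or deletion breaks the chain. The employee names, the account identifier `twitter:@examplecorp`, the timestamps and the key are all constructed for the demonstration; in practice the key is held by IT Security rather than by the people who use the account.

```python
"""Tamper-evident audit log for shared corporate social media accounts.

Added illustration (not code from the book): records which employee used a
shared account and what they did, chaining each entry to the previous one
with an HMAC so that edits or deletions are detectable later during incident
response. Names, account identifiers, timestamps and the key are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous MAC" value used by the first entry


class SocialAccountAuditLog:
    """Append-only, HMAC-chained log of shared-account activity."""

    def __init__(self, key: bytes):
        self._key = key          # held by IT Security, not by the account users
        self._entries: List[dict] = []
        self._last_mac = GENESIS

    def _mac(self, entry: dict) -> str:
        # MAC over every field except the MAC itself; sort_keys keeps it canonical
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, employee: str, account: str, action: str, detail: str,
               ts: Optional[int] = None) -> dict:
        """Append one entry (login, post, password change, ...)."""
        entry = {
            "ts": int(time.time()) if ts is None else ts,
            "employee": employee,
            "account": account,
            "action": action,
            "detail": detail,
            "prev": self._last_mac,   # links this entry to the one before it
        }
        entry["mac"] = self._mac(entry)
        self._entries.append(entry)
        self._last_mac = entry["mac"]
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return False, i
            prev = e["mac"]
        return True, None

    def who_posted(self, account: str) -> List[Tuple[int, str, str]]:
        """The incident-response question: who published what from this account?"""
        return [(e["ts"], e["employee"], e["detail"])
                for e in self._entries
                if e["account"] == account and e["action"] == "post"]

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to a log management system."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)


def demo() -> dict:
    """Constructed scenario: three Marketing employees share the corporate Twitter account."""
    log = SocialAccountAuditLog(key=b"constructed-demo-key-rotate-in-practice")
    log.record("alice", "twitter:@examplecorp", "login", "ok", ts=1_300_000_000)
    log.record("bob", "twitter:@examplecorp", "post", "New product page is live", ts=1_300_000_060)
    log.record("carol", "twitter:@examplecorp", "post", "Support hours extended", ts=1_300_000_120)
    intact = log.verify()
    posters = log.who_posted("twitter:@examplecorp")
    # Someone with write access to the log file tries to pin bob's post on carol after the fact.
    log._entries[1]["employee"] = "carol"
    after_tamper = log.verify()
    return {"intact": intact, "posters": posters, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The `export_jsonl` output is what you would forward to whatever log management system the incident response plan relies on; the chain is verified again on the stored copy, so a gap or rewrite in either copy shows up as the index of the first entry that no longer matches.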

In-house Social Media Site Checklist

Once you have built your self-hosted site, follow the approval process for deployment to production, just as you would for any other IT application being placed into production.

Answer these questions to ensure you are meeting the key requirements for approval:

• Are appropriate disclaimers in place?

• Is ownership of the site clearly defined and displayed?

• Is an operations process in place for site update and content review?

• Does content get signed off by appropriate management? Are policies in place for user content moderation?

• Are all users and administrators of the application trained in appropriate usage, moderation, and content creation?

• Have you developed a community manager process?

• Are security testing plans in place to test the application’s functions as well as the operating system’s and network layer’s capabilities to defend against hacker attacks?

• Is an incident response process in place for application usage as well as potential damage to the application’s functions?

• Are operations staff assigned responsibilities for maintaining the site?

Managing Externally Hosted Applications

Third-party cloud applications cannot be handled in the same manner as your own infrastructure applications. You have minimal influence over these third-party companies and their security requirements, and persuading them to modify their security posture will probably not be effective. Instead, reliance on your own controls is essential. Examples of internal controls to consider include:

• How your employees use these third-party social media sites

• What data is allowed

• How you will monitor your corporate activity

• How you will respond to an external incident

Another key change in how you manage data is that you have to rely on third-party platforms to conduct their own security testing of their applications, and they may or may not show you the results. You inherently trust these platforms and related applications to keep all the private messages you receive from your Facebook Fans secure from hackers, and you rely on third parties not to sell customer lists of your Twitter followers. But has your company asked Twitter or Facebook for a SAS 70 II audit report (a third-party analysis of a company’s security posture)? As of last year, Twitter agreed to share all public tweets since its inception (2006) and archive them in the Library of Congress, with the exception of deleted tweets. Google already indexes tweets in real time. Yahoo! and Microsoft get copies, too. This could be part of your audit processes. Do you have any idea what their security policies are for the data you share with these third-party companies?

The policy framework has to take into account the following major security concepts when dealing with a third-party application:

• Social media is generally based on third-party “cloud” applications and, therefore, your company can’t control their security.

• Social media web applications and downloadable applications have the same security challenges as all other web-based applications and other installed software applications.

• The general public is as involved with your company’s use of social media as you are, and your policy has to give guidance to your employees on how to handle public interactions.

• Your company should have a public version of your social media policy that explains your positions on social media.

• Sharing of data is a must in social media, but data sharing is also a key aspect of attacks from both a technological hacking perspective as well as a content perspective.

• Malicious code is easier to share via social media portals and downloadable applications that can then connect back to the corporate environment to introduce viruses, Trojans, and other malware.

• Reputation management is often more important than secure technology-based controls when addressing the risks due to social media.

• Enable encrypted communications to the social media site when possible. This is not easy with most sites, but applications are available that can help with this task. One example is HTTPS Everywhere from the Electronic Frontier Foundation (https://www.eff.org/https-everywhere). As the site says:

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the Web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

When you install the HTTPS Everywhere add-on in Firefox, it forces encryption on the sites it covers. In Figure 6-1, you see that going to Facebook without HTTPS Everywhere leaves the website unencrypted. Once you install HTTPS Everywhere, you will see, as shown in Figures 6-2 and 6-3, how the “https” is now forced without any user interaction for social media sites you visit.


Figure 6-1 Visiting a site without HTTPS Everywhere turned on and no encryption


Figure 6-2 “HTTPS” is forced when visiting Facebook with HTTPS Everywhere.


Figure 6-3 “HTTPS” is forced when visiting Twitter with HTTPS Everywhere.

HTTPS Everywhere also offers protection against Firesheep, and the software currently supports other sites such as Google Search, Wikipedia, bit.ly, GMX, and WordPress.com blogs and, of course, Facebook and Twitter. (As we mentioned in Chapter 5, BlackSheep can also help identify the Firesheep threat.) As Facebook, Google, and other sites make HTTPS connections more readily accessible and a default option, the threat of unencrypted communications will decrease.
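The quoted description says the extension works by rewriting requests to HTTPS, and the figures show the result; the mechanism itself is a set of per-site rules. The following is an added example, written for this chapter and not EFF’s own code, that implements that idea in the XML ruleset format HTTPS Everywhere uses (`<ruleset>`, `<target>`, `<exclusion>`, `<rule>`). The rules for Facebook and Twitter below are constructed for the illustration rather than copied from the project’s rule files, and two details are assumptions of this implementation: a `*.` target prefix matches any subdomain, and rules are tried in order with the first one that changes the URL winning. It also includes a small check, based on the quote’s point about encrypted pages linking back to the unencrypted site, that lists the links on a page which would drop a visitor back to plain HTTP.

```python
"""HTTPS-forcing URL rewriter in the style of HTTPS Everywhere rulesets.

Added illustration, not EFF's code. The ruleset XML below is constructed in
the <ruleset>/<target>/<exclusion>/<rule> format the extension uses; the
hosts and patterns are examples, not the project's real rule files.
Assumptions: a "*." target prefix matches any subdomain, and rules are
tried in order with the first change winning.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

RULESETS_XML = r"""<rulesets>
  <ruleset name="Facebook (constructed example)">
    <target host="facebook.com"/>
    <target host="*.facebook.com"/>
    <rule from="^http://(www\.)?facebook\.com/" to="https://www.facebook.com/"/>
    <rule from="^http://([^/:@]+)\.facebook\.com/" to="https://$1.facebook.com/"/>
  </ruleset>
  <ruleset name="Twitter (constructed example)">
    <target host="twitter.com"/>
    <target host="*.twitter.com"/>
    <exclusion pattern="^http://status\.twitter\.com/"/>
    <rule from="^http:" to="https:"/>
  </ruleset>
</rulesets>"""


def _js_to_py_replacement(to: str) -> str:
    """Rulesets write backreferences as $1; Python's re.sub expects \\1."""
    return re.sub(r"\$(\d+)", r"\\\1", to)


class Ruleset:
    def __init__(self, name: str, targets: List[str], exclusions: List[str],
                 rules: List[Tuple[str, str]]):
        self.name = name
        self.targets = targets                                   # host patterns
        self.exclusions = [re.compile(p) for p in exclusions]    # URLs left alone
        self.rules = [(re.compile(f), _js_to_py_replacement(t)) for f, t in rules]

    def covers(self, host: str) -> bool:
        """Does this ruleset apply to the given hostname?"""
        for t in self.targets:
            if t.startswith("*."):
                if host.endswith(t[1:]):   # "*.example.com" -> suffix ".example.com"
                    return True
            elif host == t:
                return True
        return False

    def apply(self, url: str) -> str:
        """Rewrite url with the first matching rule, unless an exclusion matches."""
        if any(x.search(url) for x in self.exclusions):
            return url
        for pattern, repl in self.rules:
            if pattern.search(url):
                return pattern.sub(repl, url, count=1)
        return url


def load_rulesets(xml_text: str) -> List[Ruleset]:
    root = ET.fromstring(xml_text)
    out = []
    for rs in root.iter("ruleset"):
        out.append(Ruleset(
            rs.get("name", ""),
            [t.get("host") for t in rs.findall("target")],
            [x.get("pattern") for x in rs.findall("exclusion")],
            [(r.get("from"), r.get("to")) for r in rs.findall("rule")],
        ))
    return out


def rewrite(url: str, rulesets: List[Ruleset]) -> str:
    """Return the HTTPS form of url if a ruleset covers its host, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":        # already HTTPS (or not a web URL): nothing to do
        return url
    host = parts.hostname or ""
    for rs in rulesets:
        if rs.covers(host):
            new = rs.apply(url)
            if new != url:
                return new
    return url


def downgrade_links(links: List[str], rulesets: List[Ruleset]) -> List[str]:
    """Links on a page that would send a visitor back to plain HTTP on a covered site."""
    return [link for link in links if rewrite(link, rulesets) != link]


if __name__ == "__main__":
    rulesets = load_rulesets(RULESETS_XML)
    for u in ("http://facebook.com/examplecorp", "http://m.facebook.com/examplecorp",
              "http://twitter.com/examplecorp", "http://status.twitter.com/"):
        print(u, "->", rewrite(u, rulesets))
```

The exclusion element is the part worth noticing when you write or review such rules: a site that serves one subdomain only over HTTP has to be carved out explicitly, or the rewrite breaks it, which is exactly why the quoted text calls this "difficult to use" and why the extension ships curated rules rather than a blanket `http:` to `https:` substitution.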

Externally Hosted Social Media Site Checklist

Although determining the security measures employed by a third-party site may seem difficult, follow at least a minimal set of baseline standards when allowing your company to utilize any website for marketing campaigns, storing customer data, and communicating with the public. At a minimum, you should attempt to gain a better understanding of the third-party application you are using and ask pointed questions to gain insight into its security protocols. Your policy for gathering information should list, at a minimum, these requirements:

• Review the social media site/platform’s SAS 70 II audit report. If the site doesn’t have one, ask for one to be conducted and get the results sent to you if possible.

• Ask for and review a basic financial summary of the company: Are they profitable or on the road to profitability?

• Review the site’s privacy policy for any steps that may compromise your data or your customers’ data.

• Ask for the guidelines the site has for its own internal testing procedures for vulnerabilities and review their procedures. What is the schedule for conducting testing?

NOTE

In May 2010, the security company F-Secure discovered a malware attack being run by fake Twitter accounts on Twitter posts with the message “haha this is the funniest video ive ever seen.” When users clicked it, a Trojan was installed on their systems! If Twitter had a very proactive security program in place, they would have found this before F-Secure.

• Ask for and review the site’s incident response program.

• Review the encryption of the site’s data storage, data transmission, and authentication.

• Ask for and review the site’s backup strategy.

• What happens to your data if the company goes out of business? This is a question you will probably not get a good answer to, but you may want to ask about a data escrow service.

• Review any documentation the site has regarding industry regulations or types of data stored. Review the site’s data breach notification policy.

• Review the service level agreement with the site. If the site does not have one, ask for one to be developed.

Enterprise-wide Coordination

Like your current human resources policies and IT security policies, your social media policy has to be a companywide program. If only the Marketing team is subject to the policy, other employees will not know what is allowable and will most likely post inappropriate information. If the IT department is the only one following the policy, other departments will not know how to use social media sites in a secure manner or will not receive any training on what can and cannot be posted about the company.

Writing the social media policy is a collaborative effort. Creating more granular social media security policies and educating employees must be a companywide effort. The policy can either be broken down into multiple policies and written as the business functions change, or it can be written in a more generic format to address future changes in related processes, which might be a bit more difficult to do. Most companies currently have a Laptop Policy and a Mobile Device Policy; these are granular policies. The approach you select really boils down to an individual choice. If you do want to write granular policies, you may consider starting out with these:

• Social Media Policy

• Social Media Security Policy

• Employee Code of Conduct for Online Communications

• Employee Social Network Information Disclosure Policy

• Employee Facebook Policy

• Employee Personal Social Media Policy

• Employee Twitter Policy

• Employee LinkedIn Policy

• Corporate Blog Policy

• Corporate YouTube Policy

• Social Network Password Policy

• Personal Blog Policy

Codes of Conduct and Acceptable Use

For any of the policies you define, there are basic requirements that all employees should adhere to and understand. Any HR professional will know these by heart! Widely used examples of such policy provisions include:

• All employees must take responsibility for knowing the policies, just as they do for reading the company handbook. Training is, of course, a requirement to ensure employees can follow the policies properly.

• Employees must understand the policy is global for all social networking activities.

• Employees are under the same confidentiality restrictions regarding company information no matter what platform they use.

• Any information disclosed publicly should include the appropriate disclaimers; for example, employees should clearly identify themselves as company employees when speaking about the company or about the industry.

• The employee cannot infringe on company trademarks or intellectual property whenever communicating outside the company.

• Employees must follow guidelines on sending out certain types of company-related information, from brochures to sales proposals.

• Employees can be terminated for inappropriate use of company information or conduct unbecoming an employee that negatively impacts the company.

When different departments collaborate on developing policy and managing technologies, a company can get a better handle on how social media will be used internally and externally and how rules for social media usage can be developed. Here are some basic rules and guidelines that employees must follow:

• Employees must read and understand all policies related to social media.

• Employees must understand they need to be trained appropriately in social media usage.

• Employees may use company resources only for approved social media activities during working hours.

• Employees must not disseminate confidential information.

• Employees should not use nonsecure social media systems to conduct company-related work activities, unless otherwise specified.

• Employees are not allowed to circumvent company security procedures and technologies.

• Employees should not share login information to social media sites in any unapproved manner.

• Employees will follow company guidelines on using secure passwords.

• Employees should understand they represent the company when they discuss the company name on social media sites and will respect company policies.

• Employees should have, at a minimum, yearly training on security processes.

• Employees are responsible for security along with the IT department.

Roles and Responsibilities: The Community Manager

The Community Manager is a relatively new role as applied to the online environment in Web 2.0 and beyond. Where the role fits into the organizational structure is still up for debate, and largely depends on the company’s industry, culture, and objectives for participating in social media. In many companies, the Community Manager role is a Marketing function due to the overwhelmingly communicative nature of social media. Other companies, such as Comcast, use social media primarily for improving customer service. Lego, the toy manufacturer, uses social media for new product idea generation. Dell has successfully used social media for community building and sales promotions. Dell encourages all employees, regardless of department, to engage with their communities via social media. Employees spend an average of 20 minutes/day connecting with online communities and customers.

Some companies have recognized the cross-functional nature of social media, setting up a separate reporting line as a cost or a profit center or as a shared support service, based on strategic objectives. Whichever the case, the manager guides strategic, tactical, and operational activities related to social media outlets; implements daily procedures, plans, and ad-hoc campaigns; and oversees resources and processes around multiplatform community scalability.

The role must be defined at the outset from the standpoint of secure utilization of social media, however. Part of the Community Manager’s responsibility involves interfacing with the IT Security, Legal, and Human Resource departments to ensure a cohesive strategy that reduces risk to the company from the potential social media threats discussed in Chapters 4 and 5.

The current role of the Community Manager usually involves a combination of the following:

• Welcoming customers to the organization’s social community

• Identifying and building relationships with key influencers

• Real-time monitoring, moderating, responding to, and redirecting conversations

• Encouraging interaction and community development among members

• Managing programs and content

• Managing internal resources allocated for social media

• Enforcing policies and guidelines

• Managing tools for social media development programs and communications

• Reporting on activities and developing new metrics

• Tracking customer sentiment

• Developing, implementing, and managing content creation strategy

• Managing responses to the brand

• Delegating feedback to internal teams

• Developing web communications to optimize all customer interactions

• Managing the company blog for engagement and readership

• Responding to and managing crises

• Developing internal communications through thought leadership, employee engagement, and training

• Online and offline event planning for connecting the company with its community of customers and clients and providing forums for like-minded consumer advocates to meet and interact

Nowhere in this description is there an explicit interface between the Community Manager and the IT, Legal, and Human Resource departments. This integral connection is too often overlooked in policies and by management. The role of the Community Manager must expand to take on a liaison project management function that goes beyond just managing social media content and communications. To be effective as a real interface for the company, the Community Manager’s role must take on these further responsibilities:

• Coordinate policy development among all business units.

• Work with IT Security to track incidents.

• Work with Marketing and IT together to coordinate public response to incidents or customer threats.

• Work with Legal to understand how laws apply to social media usage.

• Work with Human Resources to ensure all employees involved in social media understand the restrictions on usage and the potential dangers.

• Work with IT Security to use appropriate tools to track, monitor, and report on employee use of social media tools.

These new tasks take the Community Manager out of his or her current role. A best practice would be to designate someone in IT or IT Security to partner with the Community Manager or even take on some of the Community Manager’s responsibilities in the IT realm. In assisting the IT department with helping employees understand the security implications of social media, the Community Manager can share responsibility with IT for reviewing and searching for security information related to the social media tactics being used. This has to be a shared responsibility, as social media site monitoring includes:

• Reviewing company profile pages daily to determine if any inappropriate or hacked content has been displayed

• Reviewing other sites and profiles referenced by or relevant to the company for acceptable use of company information

• Creating a routine for checking to see if users and customers connected to the company’s social media profiles are conducting their online activities in accordance with the company’s acceptable standards of association

• Scanning links to the company to see if any compromised pages have been posted

• Working with IT Security to test company sites for weaknesses

• Working closely with IT Security to review what new vulnerabilities might impact applications and websites used for social media marketing campaigns

TIP

Sites for tracking vulnerabilities include the National Vulnerability Database (http://nvd.nist.gov/nvd.cfm), Security Focus Database (http://www.securityfocus.com), and Open Source Vulnerability Database (www.osvdb.org). On these sites, you can search for technologies and social media channels you use for any known vulnerabilities that might compromise your security.

The successful implementation of the Community Manager role has to be assessed by multiple departments. IT must be able to communicate technology challenges, threat scenarios from social media, and response capabilities. Human Resources must be able to implement and enforce policies through the assistance of the Community Manager, and together, they must work with employees to enforce compliance with policies. Marketing must be able to coordinate communication projects and business objectives to all other departments through the Community Manager and have access to the right technology resources to accomplish its goals. Legal should be able to coordinate regulatory restrictions on social media usage across all departments through the Community Manager.

With these new responsibilities, the reporting structure will be a challenge, particularly as the role naturally evolves cross-functionally over time. Although an employee should never have two bosses, which is often a recipe for failure, involving other departments in a goal setting process for evaluating the Community Manager’s job performance can be effective. The Security Director has a key role to play in working with the Community Manager. A number of security technologies, which many large companies already have in place, can also be applied to secure new media communications. Data loss prevention tools are probably the most comprehensive for monitoring the types of data coming into and leaving the company’s environment. By putting a process in place for IT Security to work with the Community Manager, new projects and campaigns, new web applications, and proposed social media tools can be monitored, tracked, and reported on in a more timely manner.

Education and Training

As with any security framework, educating your staff is paramount. A good baseline training program can reduce risk as well as make employees less likely to cause inadvertent breaches. Employees can be unaware of how easily social media channels can be used to manipulate users into divulging confidential information or granting computer system access. Using social media, attackers try a variety of techniques (just a few are noted here) to gather private information:

• Pretexting: Using an invented scenario and a piece of known information to establish legitimacy in the mind of the target. The information gained is then typically used to try to obtain Social Security numbers, dates of birth, or other personal verification measures.

• Phishing: An e-mail that appears to come from a legitimate source (like your bank) requesting verification of information and warning of a consequence for noncompliance.

• Trojan horse: A destructive program that masquerades as a benign application.

Many employees recognize some of these attack techniques. Unfortunately, not every employee understands the complete attack landscape, which can leave your company and possibly your network vulnerable to attack. Employees need to understand the importance of network security and the key role they can play in helping protect company information. For example, employees may create common passwords to use on social media sites to simplify their interactions and daily status routines, but this ease-of-use scenario can also make it simpler for the attacker to gain access to their social media accounts and possibly leverage further attacks into your network.

The benefits of employee security training include:

• Employees absorb the importance of “best practices” and then they can, in turn, practice and preach a broader understanding of a company culture of safety and security.

• Employees are less likely to fall victim to attacks and expose your company to additional attacks.

• Employees learn a new model of acceptable behavior and culture within the company.

• Employees learn about their responsibilities to help prevent malicious activity and detect problems.

• Training helps reduce the risk of intentional or accidental information misuse.

• Training provides a baseline of compliance for federal and state regulations that may require security awareness training.

Policy Management

Once you have your social media security policies in place, you have to update them continuously. The challenge with social media, as compared to other technologies, is the speed at which the sites, technologies, capabilities, and processes change. New functions are being built so rapidly that a completely new capability, function, or application might be available in six months that is not currently covered by your policies. Securing these new functions and understanding how employees and customers interact with new sites is going to require more diligent updates of your policies than you are used to with normal IT security policies.

Both the IT staff and the Marketing staff must have a process in place for researching new technologies, determining what employees and customers are using, and understanding how these new sites affect the company’s assets and resources. For example, geolocation is rapidly rising in popularity with new applications coming out weekly, but most companies have yet to grasp the true capabilities, dangers, and opportunities of geolocation applications. To keep abreast of the latest trends and functions, the Community Manager must work with Marketing and IT to

• Select specific sites to read and research, such as Mashable.com and TechCrunch.com.

• Review employee web surfing to look for what is trending.

• Put a process in place to analyze new applications before the company is swamped with something unexpected by employees or customers.
