Developing Your Social Media Security Policy

Once you have determined the key components of your social media security policy according to the H.U.M.O.R. Matrix, you have to actually write it. For each component of the matrix, we go through a number of steps in the following chapters to outline tactical implementation. The first step is to understand the risks your company faces. We discussed threat assessment in Chapter 4 and further in Chapter 5. This section of the book goes through the controls you need to implement with your policies. Your threat assessment should have identified the risks to your tools and the websites you use for social media activities. The intent is to identify risks to your social media activities, understand what could go wrong, and implement mitigating controls based on your documented policies.

The Policy Team

The Community Manager can take the lead in organizing the policy team, or the lead can default to the Human Resources department. Other interested parties may include Marketing, PR, Sales, Business Development, Legal, and Customer Service. This cross-functional team should review each operational aspect of your social media strategy, determine the best possible processes to achieve business goals, develop policies, implement the policies, and respond to the changing landscape. All policies should be flexible and be reviewed every six months because of the changing nature of the social media environment. The lead should assign individual roles and responsibilities.

All changes must be made and approved by the policy team. The team will conduct periodic risk analysis of the business processes that use social media, understand the technologies involved, and determine what operational changes must be made. The team will be responsible for disseminating the changes and ensuring the appropriate employees know what the policy requires. The policy team will be the liaison to other departments that are impacted by social media usage.

Determining Policy Response

Security monitoring of policy violations naturally requires technology managed by the IT department. Automated processes have to search for employee violations and for customer and public interactions that impact the company brand over social media platforms. The policy team can determine what constitutes a violation and develop the appropriate responses in coordination with Human Resources. Different levels of risk can be addressed with varying levels of response. For example, Facebook allows more information to be posted, and an employee can easily and unknowingly install a malicious Facebook application that is more dangerous than what you face from typical Twitter usage, which does not impact network resources as much.

A response process must be in place for policy violations, and related mechanisms must also be in place to actually monitor for violations. If you are monitoring internal employee access, then data loss prevention tools are needed. If you are monitoring for external incidents, then you might need third-party monitoring services such as ReputationDefender.com. You may assign risk levels to different social media activities and apply appropriate resources based on the risk to the organization. Once a violation occurs, a clear process needs to be in place to notify the right resources for a response. A fast response is vital, precisely because the real-time, instantaneous nature of social platforms accelerates the speed at which events get passed along and become viral. A plan identifies possible areas for error, minimizes risks, and provides mitigation guidelines all teams can follow on a 24×7 basis.

The level of authority that response teams have has to be defined. Like your disaster recovery plan, you should test your social media response plan for possible attack scenarios. Possible decisions when addressing violations may include:

• Identifying the issue at hand
• Responding to media inquiries
• Acknowledging the problem and responding to mentions in a timely, courteous, and professional manner on relevant blogs, microblogs, and social networks, particularly when posted by influencers
• Determining employee culpability, if any
• Implementing changes to prevent the access violation from continuing
• Isolating the technology (if any) that has been compromised
• Contacting websites that may be involved
• Recording evidence and logging a timeline of events and remediation steps taken
• Contacting the appropriate public agencies if necessary
• Notifying internal executives and legal counsel
