A Sample Social Media Security Policy

Each policy varies depending on company size, industry, regulatory requirements, corporate culture, and level of engagement with customers and the public. Some companies might be more concerned with brand awareness whereas others are more concerned with sales activities. If you are a smaller company, you might not be able to field a cross-functional team from Legal, HR, Marketing, Sales, Customer Service, and IT to manage your social media security tactics: it might all fall on Marketing and IT or perhaps just Marketing. This would dictate a number of different policy requirements. But every company still needs a policy in place if it is to engage with the public in a manner that includes risk reduction tactics.

Here is a basic outline you can follow to develop your own social media security policy.

Social Media Policy Outline

1. Introduction

i. What is this policy all about?

a. Policy Management

ii. Company rights to change and update this policy

b. Effective Date

c. Goals

i. What are the goals of this policy (set guidelines, determine responsibilities, manage reputation, etc.)?

d. Purpose

i. What is the purpose of this document and who does it apply to?

e. Scope

i. What is the applicability of the policy to technologies, employees, contractors, partners, etc.?

f. Policy Owners

i. Who manages this policy?

2. How Social Media Is Used

a. Social Media Channels (Facebook, Flickr, LinkedIn, Twitter, YouTube, GoWalla, Foursquare, etc.)

b. Social Media Benefits (marketing, sales, customer service, new product development, customer feedback, access to media, partnerships, communications, cost reductions, etc.)

c. Community Manager Objectives

i. Who is the Community Manager?

ii. What is the Community Manager’s role?

d. IT Security Department Responsibilities

i. Define role of IT Security.

ii. Identify processes to authenticate and authorize each social media platform.

iii. Define implementation responsibilities.

iv. Define reporting responsibilities.

v. Define monitoring responsibilities.

e. Marketing Department Responsibilities

i. Define role of IT Security to assist the Marketing department in conducting their responsibilities in a secure manner

f. Human Resources Responsibilities

i. Define role of IT Security to assist the HR department in conducting their responsibilities in a secure manner

g. Legal Department Responsibilities

i. Define role of IT Security to assist the Legal department in conducting their responsibilities in a secure manner

3. Social Media General Policies

a. Advertising

b. Regulatory Requirements

c. Community Management

d. Confidentiality

i. What information can be shared?

e. Disclosures

i. What must employees disclose when using social media and what must they not disclose?

f. Legal Issues

i. What legal restrictions must be applied to social media usage?

g. Level of Engagement

i. What are the expectations of engaging with the community and what internal and external resources are required?

h. Managing Friends of the Company

i. Understand the dangers and opportunities posed by Friends and review endorsements, profile information that is linked and shared, and manage trust.

i. How to Handle Negative Comments

j. Press Inquiries

i. Define responsibilities for dealing with the press.

k. Third-party Employees

i. Identify process for managing third-party relationships

l. Restrictions on Trademarks and Intellectual Property

i. How are trademarks, copyrights, and IP managed?

4. IT Security Policies

a. The purpose of these policies is to establish the technical guidelines for IT security and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the company’s comprehensive set of security policies. This policy purposely avoids being overly specific in order to provide some latitude in implementation and management strategies.

b. Social Media Sites Authentication

i. Define complexity of passwords for all in-house hosted applications and third-party hosted social media applications.

1. Password Construction

The following requirements apply to the construction of passwords for network devices: eight characters, with a mix of letters, numbers, and special characters (such as punctuation marks and symbols). Passwords must not be composed of, or otherwise use, words that can be found in a dictionary, and must not include “guessable” data such as personal information (birthdays, addresses, phone numbers, locations, etc.).
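As an added example (not from the book), the construction rules above expressed as a check that returns every rule a candidate password breaks; the dictionary and personal-data lists are constructed placeholders, and the eight-character rule is treated as a minimum length, which is an assumption.

```python
import string

# Constructed placeholder lists (assumption): a real deployment would load a full
# wordlist and the user's own profile data (birthday, address, phone, location).
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "social"}
PERSONAL_INFO = {"1984", "0312", "maple street", "555-1234", "boston"}


def _normalize(text):
    """Lower-case and drop spaces and dashes so 'Maple-Street' matches 'maple street'."""
    return text.lower().replace(" ", "").replace("-", "")


def password_violations(password, dictionary=DICTIONARY_WORDS, personal=PERSONAL_INFO):
    """Return the list of policy rules the password breaks (empty list = compliant)."""
    violations = []
    if len(password) < 8:  # eight characters, read here as a minimum (assumption)
        violations.append("shorter than eight characters")
    if not any(c.isalpha() for c in password):
        violations.append("no letters")
    if not any(c.isdigit() for c in password):
        violations.append("no numbers")
    if not any(c in string.punctuation for c in password):
        violations.append("no special characters")
    lowered = _normalize(password)
    # A dictionary word embedded in the password ("Summer2010!") still counts.
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            violations.append(f"contains dictionary word '{word}'")
    # Guessable personal data is matched the same way, after normalization.
    for item in personal:
        if _normalize(item) in lowered:
            violations.append(f"contains personal information '{item}'")
    return violations
```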

2. Change Requirements

Passwords must be changed according to the company’s Password Policy. Identify the requirements that apply to changing network device passwords.

3. Password Policy Enforcement

Where passwords are used, an application must be implemented that enforces the company’s password policies on construction, changes, reuse, lockout, etc.

4. Administrative Password Guidelines

As a general rule, administrative access to systems should be limited to only those who have a legitimate business need for this type of access.

c. In-House Deployed Social Media Applications

i. Failed Logons

Repeated logon failures can indicate an attempt to “crack” a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user’s account after five unsuccessful logins.
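The five-failure lockout rule, applied as a log review over constructed application-server log lines; this is an added example, not the book's text, and the log format and the reset-on-success behaviour are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (assumption: this syslog-like format is invented for the
# example; real application servers differ). alice fails five times and then
# succeeds, bob's failures are interrupted by a success, carol fails once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 authsvc login result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04 authsvc login result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:07 authsvc login result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:09 authsvc login result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:12 authsvc login result=FAIL user=alice src=203.0.113.5
2024-05-01T09:00:15 authsvc login result=OK user=alice src=203.0.113.5
2024-05-01T09:01:00 authsvc login result=FAIL user=bob src=198.51.100.7
2024-05-01T09:01:30 authsvc login result=OK user=bob src=198.51.100.7
2024-05-01T09:02:00 authsvc login result=FAIL user=bob src=198.51.100.7
2024-05-01T09:02:10 authsvc login result=FAIL user=carol src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ login result=(OK|FAIL) user=(\S+) src=(\S+)$")
LOCKOUT_THRESHOLD = 5  # the policy's "five unsuccessful logins"


def accounts_to_lock(log_text, threshold=LOCKOUT_THRESHOLD):
    """Return {user: (failure_count, last_source)} for accounts that hit the threshold.

    Consecutive failures are counted per account and a successful login resets
    the counter (assumption). The lockout is recorded the moment the threshold
    is reached, so a later success (alice's sixth attempt) does not undo it.
    """
    streak = defaultdict(int)
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a reviewer would flag these separately
        _ts, result, user, src = m.groups()
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold and user not in locked:
                locked[user] = (streak[user], src)
        else:
            streak[user] = 0
    return locked
```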

ii. Logging

Logging needs vary depending on the type of network system and the type of data the system holds. The following sections detail the company’s requirements for logging and log review.

1. Application Servers

Logs from application servers are of interest since these servers often allow connections from a large number of internal and/or external sources. At a minimum, logging of errors, faults, and login failures is required.

2. Network Devices

Logs from network devices protecting the application servers are of interest since these devices control all network traffic, and can have a huge impact on the company’s security. At a minimum, logging of errors, faults, and login failures is required.

iii. Log Management

1. Log Review

Log management applications can assist in highlighting important events; however, a member of the company’s IT team should still review the logs as frequently as is reasonable.

2. Log Retention

Logs should be retained in accordance with the company’s Retention Policy.

iv. Intrusion Detection/Intrusion Prevention

The company requires the use of either an IDS or IPS on critical application servers.

v. Security Testing

Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the company’s network security.

1. Internal security testing

2. External security testing

vi. Social Media Application Documentation

Documentation, specifically as it relates to security, is important for efficient and successful application management.

vii. Antivirus/Antimalware

1. All application servers and end-user systems that connect to the application servers should have antivirus/antimalware software running.

viii. Software Use Policy

1. Software applications can create risk in a number of ways and thus certain aspects of software use must be covered by this policy.

2. All downloadable social media end-user software and applications for desktop, laptops, and mobile devices should be approved by IT Management.

ix. Suspected Security Incidents

1. When a security incident is suspected that may impact a network device, the IT Staff should refer to the company’s Incident Response policy for guidance.

d. Third-party Hosted Applications

i. Service level agreement

Review all service level agreements with sites and application providers.

ii. Updates

Procedures must be in place for applying updates, upgrades, and hotfixes that address security concerns.

iii. Testing

1. Third parties must provide proof of security testing of their applications or allow the company to test the application for security weaknesses.

2. Third parties must provide proof of security infrastructure and policies that maintain a secure environment for customer data.

e. Education and Training

i. IT Security is responsible for training end users on security requirements for all hardware and software resources.

ii. HR is responsible for policy and process training.

iii. Hold a yearly training program and provide ongoing updates to alert users to new risks and security measures.

5. Social Media Do’s and Don’ts

a. What are the major Do’s and Don’ts?

b. Social Media Do’s

i. Add value, promote the company in a positive light, educate, be a brand ambassador, respond to customers, engage in conversations, be a knowledge resource, build relationships, know the restrictions on content, understand the risks of the mediums, check all facts, provide disclaimers, gain feedback, check regulatory risk, understand legal ramifications, secure communications, secure and protect customer information, understand privacy requirements, etc.

c. Social Media Don’ts

i. Discuss confidential information, share private customer information, share derogatory comments, access unsecured or unencrypted channels, discuss customer activity, post internal information, associate personal life with corporate accounts, disparage competitors, disparage partners, be condescending or patronizing, etc.

6. Brand Guideline Policy

a. What is the brand policy and what are the guidelines for discussing and promoting the brand?

7. Twitter Usage Policy

a. Identify what Twitter should be used for.

b. Identify objectives (access, brand monitoring, identity management, research, customer communications, media coverage, etc.).

c. Policy Team Ownership

d. Identify who can source and publish tweets.

e. Content Guidelines

i. Identify content requirements such as frequency, context, content, tone, hashtag usage, followers, following, etc.

ii. Link shortening policy

f. Re-tweeting and Following

i. Focus areas: research, partners, industry news, statistics, other relevant content

g. Product-specific Accounts Management

i. Link accounts to products

ii. Monitor specific accounts

8. Facebook Usage Policy

a. Identify what Facebook should be used for.

b. Identify objectives (brand monitoring, marketing, community engagement, partnership development, lead generation, etc.).

c. Policy Team Ownership

d. Identify who can use Facebook and post from company accounts.

e. Content Guidelines

i. What content is applicable and allowed?

ii. Content types and sources (such as events, news, surveys, photos, etc.)

iii. Tone of community engagement and interaction (personal, corporate, friendly, professional)

iv. Online contest general guidelines from a security perspective

9. Company Blogging Policy

a. Define the purpose of corporate blogging

b. Objectives

c. Policy Team Ownership

d. Identify who is responsible for blogging

e. Content Guidelines

i. Define what content is allowed in blogs

ii. Identify video policy for blogs

10. Personal Blogging Policy

a. Identify how employees are allowed to use company information in personal blogs and social network posts, and when and where personal blogs can be accessed.

i. What are the limitations?

ii. What corporate IP can be used?

iii. What can be said about company products and services?

iv. Identify relevant Human Resources policies that restrict employee dissemination of company information in any form.

v. What company confidential or other information can be posted?

b. Approval process

c. Disclaimer

i. What disclaimers must employees use?

d. Disclosure

i. What must employees disclose and not disclose on their blogs?

e. Endorsements

11. Employee Code of Conduct Policy

a. Reference Human Resources handbook on code of conduct.

b. Do not damage the company reputation.

c. Use of inappropriate comments.
