Controls Auditing

Once you have implemented your social media policy and have controls in place, you need to know whether you are following best practices, whether employees are adhering to your policies, and whether IT and the Community Manager are actually following your processes. As you would for any other security process, you must have consistent auditing in place.

An economical way to keep your compliance costs reasonable, and a growing trend, is to adopt a Control Self-Assessment process for management. Control Self-Assessment is a methodology in which management evaluates its own risks and controls over any set process. To monitor compliance with the company’s social media policies, management could create a series of control questionnaires listing the guidelines and objectives of the policies. The surveys are then distributed to everyone affected by the policy, and the results should be tallied by an independent party. These results can be easily converted into a risk assessment, which we discussed earlier in this chapter. We provide a more granular view of the risk and threat assessment methodology in Chapter 4.

Each hosted application or software used in social media, whether a site to launch marketing campaigns or a site to monitor social media usage, should have an auditing process in place. This ensures compliance with company policy. You can categorize the tools into those used by IT security or by the Community Manager to audit employees’ use of social media (at work and offsite) and then audit the capabilities of actual business processes. Those business processes that use social media can be further audited, for instance, to make sure a marketing campaign is in compliance with the social media policy requirements or state regulations. Following are two separate processes for auditing social media sites.

Auditing Steps for Internal Security Tools and Social Media Sites

Follow these steps to audit internal security tools and sites:

1. Process management: Review procedures for integrating social media into the IT security model.

2. Monitoring: Review procedures for monitoring public and employee social media mentions.

3. Reporting: Review reports generated on social media activity.

4. Incident management: Review activity and procedures to handle incidents on social media sites.

5. Employee education: Review procedures for educating employees on the dangers of social media.

6. Research: Review research processes that allow for continuous updates to social media tools and knowledge of the changing landscape.

7. Policy: Update policies annually on social media security practices.

8. Inventory: Assess all software tools and sites used in social media business practices periodically.

9. Software: Test all application software for vulnerabilities that may allow hacker access.

10. Site audit: Research and report on all changes to third-party hosted applications that are in use by the business.

11. Code review: Review and test all code on in-house applications used for social media.

12. User access: Audit all user access to social media tools.

Auditing Steps for External Social Media Sites

Follow these steps for auditing company use of external social media sites:

1. Profile information: Review all company profiles and messages being disseminated from official company accounts.

2. Company search: Search all available profiles to ensure no fake company profiles are being used.

3. Data accuracy: Review all data posted by the company for accuracy.

4. Branding: Review all material about the company to ensure it meets all branding and marketing requirements for design elements.

5. Content: Review content and how it’s displayed to ensure it meets company standards.

6. Posting: Review processes for posting, authorizations needed to post, and approval processes for posting.

7. Feedback: Review how feedback is handled and the responses sent for content, accuracy, and timeliness.

8. Tools: Review new technologies and sites that could impact or change business processes.

9. Customer notification: Review how customers are notified and the availability of policies and information the customer may need regarding company social media usage.

10. Tracking: Analyze data from tracking tools to ensure appropriate data is being managed and captured regarding social media campaigns.

11. Research: Review research processes that allow for continuous updates to social media tools and processes for learning about the changing social media landscape.

12. User access: Audit all authorized personnel for social media postings.
