Our security team often monitors the social media accounts of users who are involved in suspicious activity. Following a recent court ruling against an organization that disciplined an employee for a "private" Facebook post, should we change how or whether we monitor social media?
Ask the expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Social media is an alluring source of information for those in the information security field. The average person seems oblivious to the amount of personal information that they willingly post to these sites, creating a potential treasure trove of investigative material. The temptation to exploit the network access available to security pros on their company networks and tap into this data is strong. Our own government intelligence agencies couldn't pass it up and have paid the price of losing our trust.
Trust is a powerful tool for creating a strong information security culture in an organization. Organizations should not squander it by secretly monitoring every person in the company regardless of suspicion. Though social media is sometimes used in investigations, there are several basic rules to follow to maintain trust and professional ethics.
Transparency is important when it comes to employer monitoring of social media. Companies should develop a formal social media policy for employees that informs users that they could be monitored and how social media monitoring is performed. Explaining to employees why it is necessary to monitor these sites will help them understand. Policies and procedures provide a framework that can be used to defend any future investigations if they end up in court. They can also help deter future social media misuse, as employees will be aware of the monitoring and consequences of misuse.
There are several elements that the policy should include and procedures should contain. For example, the CISO or other designated information security manager must authorize all investigations involving social media. This prevents unauthorized investigations or "snooping" by the security team. Each request for investigation is documented and includes the reasons for monitoring social media. All findings should then be recorded in a formal document and filed in the security department. This process will provide oversight and an audit trail for each investigation, thereby reducing the likelihood of misuse. Some companies may already have a similar procedure for email investigations or telephone monitoring which they can modify for social media.
There are legitimate reasons for using social media in investigations. Security professionals should develop and advertise employee monitoring policies and develop formal processes for investigations to avoid any potential misuse. However, companies should avoid blanket collection and mining of all social media data, as it creates new risks. A good rule of thumb for any social media monitoring is to treat it the same as telephone or email monitoring. A good information security culture can only be maintained when there is a level of trust with the employees of the company. Formal processes and procedures for social media monitoring will help maintain that trust.
Related Q&A from Joseph Granneman, Security Management
An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best ...continue reading
The security data breach public response times from Target and Neiman Marcus were noticeably different. Expert Joseph Granneman explains which one ...continue reading
Security staffing can be tricky, but talent can be found in unconventional places. Expert Joseph Granneman explains the pros and cons of hiring data ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.