
What should be included in a social media security policy?

A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media policies.

One infosec expert said that CISOs should be responsible for the cybersecurity of their employees' work-related social media accounts. Is there any merit to this? What role, if any, should CISOs take with a social media security policy for accounts associated with their organization?

Social media sites such as LinkedIn, Twitter and Facebook have become part of daily life: they are portals to news and current events, business events and opportunities, family communications, political banter, e-commerce and entertainment.

Much can be gained from perusing a person's social media profile; anyone can derive from it a considerable amount of professional and personal information that the person would not normally give to the general public. So why do we willingly provide it?

Enterprises use social media for marketing and research. They know that these channels can give greater visibility to their services and accomplishments, and can demonstrably set them apart from their peers.

Many companies today do not allow employees to use social media from company systems, and use unified threat management (UTM)-style controls to block access. Exceptions are made for those with a business need, such as marketing. Other companies, however, have no such controls at all.

Should the CISO be responsible for the cybersecurity of company social media accounts? The real question is whether the board of directors should be responsible for the organization's social media security policy, and whether social media accounts should be allowed for company use at all. The board sets policy; the CISO enforces it. The CISO should, of course, recommend the controls to include in the social media security policy, but, invariably, business needs take precedence over risk.

NIST SP 800-53r4 AC-23 (Data Mining Protection) states that "The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining." Although the control is framed around data storage objects, the same concern applies to information that can be mined from social networking or social media websites.

Although NIST and other cybersecurity frameworks do not explicitly state what controls are required, below are some recommended controls an enterprise could include in a social media security policy to control the use of company accounts.

  • All employees who use social networking sites should take care not to divulge information that could, in any way, be detrimental or harmful to the company.
  • No confidential or sensitive data should be revealed, including, but not limited to, personal data, financial data, strategic information, trade secrets, copyrighted material or export-controlled material.
  • No entries should be made that would, in any way, tarnish the image or reputation of the company or any of its employees. Nor should it include discriminatory, disparaging, defamatory or harassing comments.
  • Employees should be careful not to divulge information about themselves or their colleagues that could be used in a social engineering attack on the company.
  • Employees should exercise extreme caution when contacted by new friends and followers, and should attempt to verify their identities before any communication.
  • Employees should use a client such as TweetDeck or DestroyTwitter to expand shortened URLs so the real destination is visible, and should check that a link is safe before clicking it.
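The last control above assumes a tool that reveals where a shortened link really goes before anyone clicks it. The following is an added example, written for this page and not code from the article or from either client it names. It resolves a short URL hop by hop with one HEAD request per hop and automatic redirection switched off, so the final page is never loaded, and flags the chain when it loops, exceeds a hop limit, leaves the web (for example a `javascript:` target), ends on another shortener, or lands on a plain-HTTP site. The `fetch` parameter and the `SAMPLE_NET` redirect table are assumptions made so the example runs offline; `http_head` is the real fetcher.

```python
"""Expand shortened URLs without loading the destination page.

Added example for this article, not code from any product it names.
Redirects are followed manually so each hop can be inspected. The
`fetch` argument is an assumption for testing: a constructed redirect
table stands in for the network.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

# Illustrative list of link shorteners; not exhaustive.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Expansion:
    chain: list[str] = field(default_factory=list)   # every URL visited, in order
    final_url: str | None = None                     # last URL that did not redirect
    warnings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.warnings)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx response instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str, timeout: float = 5.0) -> tuple[int, str | None]:
    """Real fetcher: one HEAD request, no redirect following.
    Returns (HTTP status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location")


def expand(url: str, fetch=http_head, max_hops: int = MAX_HOPS) -> Expansion:
    """Follow redirects from `url`, recording the chain and any red flags."""
    result = Expansion()
    current = url
    seen: set[str] = set()
    for _ in range(max_hops):
        result.chain.append(current)
        parts = urllib.parse.urlsplit(current)
        if parts.scheme not in ("http", "https"):
            result.warnings.append(f"non-web scheme in chain: {current}")
            return result
        if current in seen:
            result.warnings.append("redirect loop")
            return result
        seen.add(current)
        try:
            status, location = fetch(current)
        except (urllib.error.URLError, OSError) as exc:
            result.warnings.append(f"could not resolve {current}: {exc}")
            return result
        if status in REDIRECT_CODES and location:
            # Location may be relative; resolve it against the current URL.
            current = urllib.parse.urljoin(current, location)
            continue
        result.final_url = current
        break
    else:
        result.warnings.append(f"more than {max_hops} redirects")
        return result

    final = urllib.parse.urlsplit(result.final_url)
    if (final.hostname or "") in KNOWN_SHORTENERS:
        result.warnings.append("destination is itself a shortener")
    if final.scheme != "https":
        result.warnings.append("final destination is not HTTPS")
    return result


# Constructed redirect table standing in for the network (not real data).
SAMPLE_NET = {
    "https://t.co/abc123": (301, "https://bit.ly/xyz789"),
    "https://bit.ly/xyz789": (302, "http://login-example.test/verify"),
    "http://login-example.test/verify": (200, None),
    "https://is.gd/loop1": (302, "https://is.gd/loop2"),
    "https://is.gd/loop2": (302, "https://is.gd/loop1"),
    "https://example.test/go": (302, "/landing"),
    "https://example.test/landing": (200, None),
}


def fake_fetch(url: str) -> tuple[int, str | None]:
    """Offline fetcher that answers from SAMPLE_NET."""
    if url not in SAMPLE_NET:
        raise urllib.error.URLError("no such host in sample table")
    return SAMPLE_NET[url]


if __name__ == "__main__":
    for start in ("https://t.co/abc123", "https://is.gd/loop1",
                  "https://example.test/go", "javascript:alert(1)"):
        r = expand(start, fetch=fake_fetch)
        verdict = "SUSPICIOUS" if r.suspicious else "ok"
        print(" -> ".join(r.chain), "|", verdict, r.warnings)
```

To use it against live links, call `expand(url)` with the default fetcher; the HEAD-only, no-auto-redirect design means a malicious landing page is never rendered during the check, and the recorded chain is what a user (or a monitoring tool) should look at before deciding to click.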

These should be included in a social media security policy with clear enforcement statements and consequences if they're not followed.

On their own, these are not sufficient controls over social media. They should be augmented with security awareness, cybersecurity training, restrictions on use of social media, executive-sponsored communications and targeted monitoring mechanisms, such as data loss prevention, to ensure that sensitive company information is not leaked through social media.



This was last published in April 2017
