Our security team often monitors the social media accounts of users who are involved in suspicious activity. Following a recent court ruling against an organization that disciplined an employee for a "private" Facebook post, should we change how or whether we monitor social media?
Ask the expert
Social media is an alluring source of information for information security practitioners. The average person seems oblivious to how much personal information they willingly post to these sites, creating a potential treasure trove of investigative material. For security professionals, who already hold broad access on their company networks, the temptation to tap into this data is strong. Even government intelligence agencies could not pass it up, and they have paid the price in lost public trust.
Trust is a powerful tool for building a strong information security culture in an organization. Organizations should not squander it by secretly monitoring every person in the company regardless of suspicion. Social media can legitimately be used in investigations, but several basic rules must be followed to maintain trust and professional ethics.
Transparency is essential when an employer monitors social media. Companies should develop a formal social media policy that informs employees that they may be monitored and describes how the monitoring is performed. Explaining why the monitoring is necessary helps employees understand and accept it. Documented policies and procedures also provide a framework for defending an investigation if it ends up in court, and they deter misuse, since employees know both that monitoring occurs and what the consequences of misuse are.
The policy and its supporting procedures should include several elements. First, the CISO or another designated information security manager must authorize every investigation that involves social media; this prevents unauthorized investigations or "snooping" by the security team. Each investigation request should be documented, including the reasons for monitoring social media. All findings should then be recorded in a formal report and filed with the security department. Together these steps provide oversight and an audit trail for each investigation, reducing the likelihood of misuse. Companies that already have a similar procedure for email investigations or telephone monitoring can adapt it for social media.
There are legitimate reasons to use social media in investigations. Security professionals should develop and publicize employee monitoring policies and establish formal investigation processes to prevent misuse. Companies should, however, avoid blanket collection and mining of all social media data, which creates new risks of its own. A good rule of thumb is to treat social media monitoring the same as telephone or email monitoring. A strong information security culture can only be maintained when employees trust the company, and formal processes and procedures for social media monitoring help maintain that trust.
Expert: Joseph Granneman