Although it might seem like a "no-brainer" to fully embrace and accept social media within an enterprise, government chief information security officers (CISOs) and other leaders are grappling with an additional layer of pros and cons in allowing social media platforms within their organizations.
Whereas private industry is typically accountable to a specific group of clients or stockholders, government CISOs are public servants responsible for protecting the information of military veterans, taxpayers and every national citizen. If government systems are compromised, the effect is not solely an embarrassment or loss of revenue. Individual lives can be negatively affected by crimes such as identity theft, and citizens and businesses might be unable to obtain critical government services, such as grants, patents or the acquisition of records.
Thus, government CISOs need to understand the intended business use of social media and evaluate and clearly convey the associated security and privacy risks. But they also must provide leadership and guidance, keeping other decision-makers properly informed to ensure any intended adoption of social media is both controlled and secure.
Much like the Internet itself, which the Defense Advanced Research Projects Agency (DARPA) never conceived for the scale at which it is used today, the initial concept and platform for social media was never intended to be used to the extent it is now. As noted in an MIT Sloan Management Review interview, "tools for social business were originally created for consumers." Issues surrounding the business needs, administration and security of social media are still being debated by agency leaders.
Lured by cost savings and other benefits, CISOs wanting to implement social media use within their agency or department must first define the intended purpose -- whether it is for individual employee use, official department or agency communications, or both. The actual business need must be the driver for the adoption of a social media platform, because that need determines the baseline policy, the corresponding security controls, and the acceptable level of risk relative to the value delivered.
One of a CISO's most critical responsibilities is to ensure that other decision-makers are well-informed of various security risks and can weigh those risks against the promise of better productivity. Here are the five key areas you should monitor for social media:
1. FISMA and other regulatory compliance
Social media is subject to the Federal Information Security Management Act (FISMA) when used to process, store or transmit federal government information. In a June 2011 Government Accountability Office (GAO) Report, the GAO identified challenges in agencies' use of social media relating to records management, privacy and security. Many cloud service providers also have social media components that fall within the scope of the Federal Risk and Authorization Management Program (FedRAMP). Access to and use of social media platforms directly affects compliance with these federal regulations and programs.
2. Security guidance and best practices
CISOs must carefully assess and ensure that appropriate security controls are implemented and monitored based on the latest guidelines, such as Revision 4 of National Institute of Standards and Technology Special Publication 800-53, which includes security controls related to social media and networking resources.
3. Data loss or leakage
Social media makes it very easy to either intentionally or unintentionally expose sensitive data to unauthorized entities. CISOs must understand and communicate with other organizational leadership regarding the potential disclosure of proprietary or sensitive organization data via social media.
4. Account hijacking
Since multiple individuals often have access to a single corporate account, the likelihood increases significantly that the loss of a single phone or compromised computer would give malicious actors access to a corporate account. Government CISOs must realize that recent account compromises (like those affecting the Associated Press, Fox News, the New York Post, Jeep, and Burger King, to name just a few) could just as easily happen to their department or agency Twitter, Facebook or other social media accounts.
5. Exposure to malware
With the ability to cast a wide net at a minimal cost, adversaries are regularly using social media platforms to lure users to infected or malicious content via shortened URLs, malicious files or simple social engineering. CISOs must prevent such exposure by minimizing the use of public social media platforms or implementing additional compensating security controls.
Although acceptable risk-tolerance levels will vary from one organization to another, access to external social media and networking sites from government systems should be limited to individuals with an official business need. Personal use can be confined to personal devices (e.g., smartphones) that are not connected to government systems or networks, and personal devices should not be used to access official government accounts. Shared social media accounts used for corporate purposes and information dissemination need to transition from a single username and password to a more secure authentication approach, such as two-factor authentication.
Additionally, there are now a number of third-party applications available that allow appropriate enterprise accountability, management and access control to corporate accounts. To best address the risks associated with social media, it is critical that government CISOs and other leaders ensure that a social media policy is appropriately established and communicated within their department or agency. Without an established policy and rules of behavior, social media and its security risks will run rampant throughout an organization.