Text Size:   A+ A- A   •   Text Only
Find     
Site Image
Social Networking Guide | Security
Privacy, Security, and the Risks
The use of social media must meet your agency’s current policies for Internet use. Require your employees to learn and follow the agency’s policies on acceptable use of state information assets.
 
Statewide  Security Policy Information
 
The following security issues cause concern and require consideration prior to the launch of any social medium.
  • Viruses and Malware
  • Hijacking
  • Unauthorized mobile access

 
Viruses and Malware

Threat or vulnerability
  • Introduction of viruses and malware to the agency's or the state's network
Risks
  • Data leakage
  • Data theft
  • Owned systems (zombies)
  • System downtime
  • Resources required to clean systems
Recommended mitigation techniques
  • Install anti-virus and anti-malware software on all systems and update daily at minimum.
  • Use content-filtering technology to restrict or limit access to social media sites.
  • Where possible, install anti-virus, anti-malware and filtering software on mobile devices, such as smartphones.
  • Establish or update agency policies and standards.
  • Develop and conduct awareness training and campaigns to inform employees of the risks involved with using social media sites.
 

 
Hijacking

Threat or vulnerability
  • Fraudulent or hijacked organization presence that exposes customers or the organization to inaccurate information
Risks
  • Customer and employee backlash
  • Adverse legal actions
  • Exposure of customer information
  • Damaged reputation
  • Targeted "phishing" attacks on customers or employees
Recommended mitigation techniques
  • Engage a brand protection firm that can scan the Internet and search out misuse of the enterprise brand.
  • Give periodic informational updates to customers to maintain awareness of potential fraud.
  • Establish clear guidelines on what information should be posted as part of the social media presence.
  • Immediately contact third-party social media provider and notify them of the fraudulent account.
 

 
Unauthorized mobile access

Threat or vulnerability
  • Employee's unauthorized access to social media via agency-supplied mobile devices (smartphones, PDAs)
Risks
  • Infection of mobile devices
  • Data theft from mobile devices
  • Circumvention of agency controls on social media access
  • Data leakage
Recommended mitigation techniques
  • Route enterprise smartphones through an agency network filter, if possible, to restrict or limit access to social media sites (only if the agency policy limits or restricts access to social media).
  • Install appropriate controls (anti-virus, anti-malware software) and continuously update them on mobile devices.
  • Establish or update agency policies and standards on the use of smartphones to access social media.
  • Develop and conduct awareness training and campaigns to inform employees of the risks involved with using social media sites.
 

 
Privacy

Federal public Web sites must conduct privacy impact assessments if they collect personally identifiable information. They must also post a “Privacy Act Statement” that describes the agency’s legal authority for collecting personal data and how the data will be used. They must post privacy policies on each Web site in a standardized machine-readable format such as Platform for Privacy Preferences Project, or P3P.
 
Read DAS’ “Privacy and Terms and Conditions” information before registering on a social networking site.
 
Although some social media Web sites are exempt from the prior requirements, the state is always bound to protect personally identifiable information on internal Web sites or pages on external social media Web sites. The Privacy Act of 1974 (as amended) may also apply to the activities undertaken on social media platforms, and individuals should consult with the Department of Justice to ensure they are in compliance with all privacy protection requirements.
 

 
Security

Information is an asset that, like other important business assets, is essential to an organization. Agencies must secure and protect that asset.  Sharing information through social media technologies adds risk that agencies must account for and mitigate.
 
The decision to use social media technology must align with the strategic risk management direction of the agency. If an agency decides to use social media technology, the most effective risk-mitigation takes the form of educating users and making them aware of essential security measures.
 
Information security policies and processes also help address risk. User guidelines should be part of agencies’ policies on human resources and acceptable use. In general, information with a classification level greater than one should not be placed on or made available via social networking sites.
 
Agencies must establish controls (e.g., Web content filters, firewalls, strong passwords, etc.) to prevent hacking of the social media technology. The consequences of hacking can be incredibly harmful, because hacking can lead to the leakage of sensitive information.
 
When deciding whether to use social media technology, agencies must consider the following:

  • Business, legal, and regulatory requirements applicable to the agency
  • Click here for more information on Statewide Information Security Plan, Policies, and Standards.
  • Contractual security and privacy obligations
  • Technical security regarding accounts, the application, and data security
  • No circumvention or violation of the enterprise or Agency acceptable use policies, without prior authorization
  • Liability
  • Technical threats (i.e., malware)
  • Privacy threats (i.e., leakage of personally identifiable information)
  • Authenticity, reliability and integrity of information
  • Reputation
  • Management of the account (password sharing is not a viable option)

 
   

 
The Risks

In recent times, major security issues have troubled the social networks. Security firms have found that up to one in 600 profile pages on social networking sites hosted some form of malware. This trend has continued over the past several years, according to Kaspersky Lab Global Research. Last year, sites such as Facebook and Twitter became hotbeds of malware and spam. A worm recently spread on Twitter, infecting an unknown number of Twitter profiles. The worm propagated from one user profile to another by exploiting cross-site scripting vulnerabilities in unfiltered inputs on the Twitter profile pages.
 
Security concerns for these sites abound because many of the pages on Social Networking sites contain embedded scripts that can be compromised. Advertisements on these pages can infect PCs with un-patched systems simply by accessing a Web page with a compromised ad. Trojan horse programs could upload automatically without the warning prompt, causing immediate infection. Injected scripts can can allow unsuspected, unguided session hijacking. Infected users are also vulnerable to phishing attacks.
 
DAS Risk Management received the following information from the Broker of Record, Willis HRH.
 
The potential risks of social networking sites fall mainly into the area of cyber liability and arise from the ability of cyber criminals to access sensitive/personal data via the network. The main perils appear below:

 

  • Implantation or spread of a computer virus
  • Security breaches such as unauthorized access and unauthorized use
  • Content infringement (Web site copyright, trademark, domain names)
  • Cyber extortion
  • Breach of privacy / Identity Theft (electronic and non-electronic)
  • Denial of service outages
  • Destruction, modification, or disclosure of electronic data
  • Loss of business income due to a network security breach
  • Information theft
  • Fraud (including theft of customer funds or credit card/account numbers)
  • Theft of computer system resources
  • Covered acts caused by service providers
  • Negligent release of confidential information
  • Expenses associated with breach of security notification requirements
 
The article, “Despite popular opinion, the blogosphere isn’t the Wild West,” describes why public companies need to develop policies to govern employees’ use of social networking sites and blogs, in order to avoid violating certain SEC regulations regarding fair disclosure.
 
Links to two other articles are listed below:
 
      Click here to learn how federal agencies and the US Department of Defense address social
      media
 
      Click here to view a sample acceptable use policy. (Scroll down on the page to link to the
      policy.)
 
Risk management strategies must include education and training. Assign curriculae designed to educate government employees and citizens about concerns inherent in using new technologies in a government context.
 
This article, “Network Security and Privacy” by Oregon’s Broker of Record, Willis HRH, covers security and privacy issues to consider before getting involved in social media.