Social Media: Awareness,
Audit and Assurance
Tom Snyder
Trivera Interactive
November 16th 2011
Introductions
• Trivera Interactive
– Web site development, Email
Marketing, SEO and Social Media
– Social Media Strategies and Policies.
• Tom Snyder
– Founded Trivera in 1996
– Working with businesses and organizations to find the
acceptable level of balance between visionary
possibilities and technological and organizational
realities.
Social Media Usage
Top 100 most valuable brands in the world are
experiencing a direct correlation between top financial
performance and deep social media engagement
~ ENGAGEMENTdb, The World’s Most Valuable Brands
Fortune Global 100 companies
• 65% have active Twitter accounts
• 54% have Facebook fan pages
• 50% have YouTube video channels
• 33% have corporate blogs
~Burson-Marsteller, The Global Social Media Check-up Insights
Social Media Usage
95% of social media users now use it for business
reasons
61% use public social media sites like LinkedIn,
Twitter, Facebook, and YouTube every day (up from
51% in 2008).
15% use these sites "constantly throughout the
day."
56% work for companies that have no policies that
cover use at work and outside work
Social Media Usage
76% of companies now use Social Media for
business purposes
43% have experienced employee misuse
31% have disciplined employees for misuse
29% block employee access
27% monitor employee use
25% ban use for non-business purposes
The Old Paradigm
The New Paradigm
Risks for Business
Internal/Infrastructure
• Viruses/malware
• Non-compliance with record management and data
protection requirements (PCI DSS, HIPAA)
• Employee Inefficiency
• Employee Headhunting
Malware and Chain Exploitation
• Malicious profile generation
• Exploitation of “Social Human Touch”
• Worm Generation – Chain Infection and
Reaction
• Drive-by-Download Browser Attacks
• Exploitation of Custom Code and APIs
• Exploitation of URL Shorteners or Hidden Links
• QR Codes
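Shortened links, hidden links and QR codes all hide the real destination behind one or more redirects, so the practical check is to expand the chain hop by hop without ever loading the final page. The following is an added example (not code from the slides or from Trivera) of such an expander: each hop is fetched with a HEAD request and redirects are deliberately not auto-followed, so every intermediate URL can be inspected. The live fetcher uses only the standard library; the DEMO_HOPS table and the hostnames in it are constructed for offline use, and the allow list is an assumed value.

```python
"""Expand a shortened or obfuscated link hop by hop without visiting the final page.

Added example, not part of the original slides. DEMO_HOPS is a constructed
redirect table standing in for a live shortener so the demo runs offline.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to auto-follow 3xx responses so each hop is inspected before the next is fetched."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 3xx as an HTTPError we can read


def http_location(url, timeout=5):
    """Live fetcher: HEAD the URL and return its Location header, or None if it does not redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/1.0"})
    try:
        with opener.open(req, timeout=timeout):
            return None                      # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None                          # 4xx/5xx: stop and report what we have
    except urllib.error.URLError:
        return None                          # DNS/connect failure: stop here


def _is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expand_link(url, fetch=http_location, max_hops=5, allowed_hosts=()):
    """Walk the redirect chain of `url` and return (chain, findings).

    fetch(url) -> next URL or None. findings lists anything a reviewer should
    look at before the link is trusted, clicked or published.
    """
    chain, findings = [url], []
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)        # Location may be relative
        if nxt in chain:
            findings.append("redirect loop")
            break
        chain.append(nxt)
    else:
        findings.append(f"hop limit ({max_hops}) reached without a final destination")

    first, last = urlparse(chain[0]), urlparse(chain[-1])
    last_host = last.hostname or ""
    if first.scheme == "https" and last.scheme == "http":
        findings.append("https downgraded to http")
    if _is_ip_host(last_host):
        findings.append("final host is a bare IP address")
    if len(chain) > 2:
        findings.append(f"{len(chain) - 1} redirects (shortener chaining)")
    if allowed_hosts and last_host not in allowed_hosts:
        findings.append(f"final host {last_host!r} not in allow list")
    return chain, findings


# Constructed redirect table (offline stand-in for real shortener responses).
DEMO_HOPS = {
    "https://short.example/abc": "https://hop.example/xyz",
    "https://hop.example/xyz": "http://203.0.113.7/login",
    "https://short.example/ok": "https://www.trivera.com/",
    "https://short.example/loop": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop",
}


def demo_fetch(url):
    return DEMO_HOPS.get(url)


if __name__ == "__main__":
    for start in ("https://short.example/abc", "https://short.example/ok", "https://short.example/loop"):
        chain, findings = expand_link(start, fetch=demo_fetch, allowed_hosts={"www.trivera.com"})
        print(" -> ".join(chain))
        print("  findings:", findings or "none")
```

Pass `fetch=http_location` (the default) to check real links; the same function applies to a URL decoded from a QR code, since the risk is the destination, not the barcode. Keep the hop cap small: a legitimate campaign link rarely needs more than two redirects, and chained shorteners are exactly what the slide's "chain exploitation" refers to.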
Risks for Business
External/Customer Facing
• Lack of control over publicly-generated
content
• Lack of control over internally-generated
content
• Customer expectations
• Brand hijacking
Addressing Risk
Tactics without strategy
is the
noise before defeat
Strategy without tactics
is the
slowest route to victory
-Sun Tzu
Addressing Risk
Social Media Strategy
• Set your Goals
• Identify your Target
• Choose your Tools
• Craft your Voice
• Define your Roles
• Commit to Consistency
• Measure and Improve
Addressing Risk
Social Media Policy
• “Official” Voices
• Associated Voices
• Everyone Else
• Work and Non-Work Usage
• Process
• Technology
Mitigating Risk
Threats and Vulnerabilities: Introduction of viruses and malware to the organizational network
Risks:
• Data leakage/theft
• "Owned" systems (zombies)
• System downtime
• Resources required to clean systems
Risk Mitigation Techniques:
• Ensure that antivirus and antimalware controls are installed on all systems and updated daily.
• Consider use of content filtering technology to restrict or limit access to social media sites.
• Ensure that appropriate controls are also installed on mobile devices such as smartphones.
• Establish or update policies and standards.
• Develop and conduct awareness training and campaigns to inform employees of the risks involved with using social media sites.

Threats and Vulnerabilities: Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence
Risks:
• Customer backlash and/or adverse legal actions
• Exposure of customer information
• Reputational damage
• Targeted phishing attacks on customers or employees
Risk Mitigation Techniques:
• Engage a brand protection firm that can scan the Internet and search out misuse of the enterprise brand.
• Give periodic informational updates to customers to maintain awareness of potential fraud and to establish clear guidelines regarding what information should be posted as part of the enterprise social media presence.

Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA Emerging Technology Whitepaper, May 2010
Mitigating Risk
Threats and Vulnerabilities: Unclear or undefined content rights to information posted to social media sites
Risks:
• Enterprise's loss of control and/or legal rights over information posted to the social media sites
Risk Mitigation Techniques:
• Ensure that legal and communications teams carefully review user agreements for social media sites that are being considered.
• Establish clear policies that dictate to employees and customers what information should be posted as part of the enterprise social media presence.
• If feasible and appropriate, ensure that there is a capability to capture and log all communications.

Threats and Vulnerabilities: A move to a digital business model may increase customer service expectations
Risks:
• Customer dissatisfaction with the responsiveness received in this arena, leading to potential reputational damage for the enterprise and customer retention issues
Risk Mitigation Techniques:
• Ensure that staffing is adequate to handle the amount of traffic that could be created from a social media presence.
• Create notices that set clear response-time windows for customers.

Threats and Vulnerabilities: Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
Risks:
• Regulatory sanctions and fines
• Adverse legal actions
Risk Mitigation Techniques:
• Establish appropriate policies, processes and technologies to ensure that communications via social media that may be impacted by litigation or regulations are tracked and archived appropriately.
• Note that, depending on the social media site, maintaining an archive may not be a recommended approach.
Mitigating Risk
Threats and Vulnerabilities: Use of personal accounts to communicate work-related information
Risks:
• Privacy violations
• Reputational damage
• Loss of competitive advantage
Risk Mitigation Techniques:
• Work with the human resources (HR) department to establish new policies or ensure that existing policies address employee posting of work-related information.
• Work with the HR department to develop awareness training and campaigns that reinforce these policies.

Threats and Vulnerabilities: Employees posting pictures or information that link them to the enterprise
Risks:
• Brand damage
• Reputational damage
Risk Mitigation Techniques:
• Work with the HR department to develop a policy that specifies how employees may use enterprise-related images, assets, and intellectual property (IP) in their online presence.

Threats and Vulnerabilities: Excessive employee use of social media in the workplace
Risks:
• Network utilization issues
• Productivity loss
• Increased risk of exposure to viruses and malware due to longer duration of sessions
Risk Mitigation Techniques:
• Manage accessibility to social media sites through content filtering or by limiting network throughput to social media sites.

Threats and Vulnerabilities: Employee access to social media via enterprise-supplied mobile devices
Risks:
• Infection of mobile devices
• Data theft via mobile devices
• Circumvention of controls
• Data leakage
Risk Mitigation Techniques:
• Route enterprise smartphones through corporate network filtering technology to restrict/limit access.
• Ensure controls are installed and updated on mobile devices.
• Establish/update policies and standards regarding the use of smartphones to access social media.
• Social media awareness training and campaigns.
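Several mitigations above come down to the same control: put social media traffic (desktop and enterprise smartphones alike) through a corporate proxy or filter, then measure it so that "excessive use" and unexpected site categories are visible rather than guessed at. The following is an added example (not code from the slides, from Trivera or from ISACA) that reads Squid-style proxy access log lines, attributes requests to social media properties and reports per-user usage. The SAMPLE_LOG lines are constructed, the domain list and thresholds are assumed values, and the Squid native log layout (timestamp, elapsed ms, client, status, bytes, method, URL, user, ...) is an assumption about the proxy in use.

```python
"""Attribute proxy log traffic to social media properties and summarise it per user.

Added example, not part of the original slides. SAMPLE_LOG is constructed;
the field layout follows Squid's native access.log format (an assumption).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed category list. Suffix matching below catches m.facebook.com and
# static.ak.fbcdn.net but not look-alikes such as notfacebook.com.
SOCIAL_DOMAINS = ("facebook.com", "fbcdn.net", "twitter.com", "youtube.com", "linkedin.com")


def classify_host(host, domains=SOCIAL_DOMAINS):
    """Return the matching category domain for `host`, or None if it is not social media."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def host_from_request(method, url):
    """Squid logs CONNECT (TLS tunnel) targets as host:port, everything else as a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlparse(url).hostname or ""


def parse_squid_line(line):
    """Parse one native-format access.log line into a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, status, size, method, url, user = parts[:8]
    try:
        return {"ts": float(ts), "elapsed_ms": int(elapsed), "client": client,
                "status": status, "bytes": int(size), "method": method,
                "url": url, "user": user}
    except ValueError:
        return None


def summarise(lines, domains=SOCIAL_DOMAINS):
    """Per-user totals for social media traffic: request count, bytes, summed elapsed time, sites."""
    usage = defaultdict(lambda: {"requests": 0, "bytes": 0, "seconds": 0.0, "sites": set()})
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        site = classify_host(host_from_request(rec["method"], rec["url"]), domains)
        if site is None:
            continue
        entry = usage[rec["user"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["seconds"] += rec["elapsed_ms"] / 1000.0  # CONNECT tunnels carry most of the session time
        entry["sites"].add(site)
    return dict(usage)


def flag_users(usage, max_bytes=5_000_000, max_seconds=120.0):
    """Users whose social media traffic exceeds the (assumed) byte or time budget."""
    return sorted(user for user, s in usage.items()
                  if s["bytes"] > max_bytes or s["seconds"] > max_seconds)


# Constructed sample log lines (Squid native format; users, hosts and addresses are made up).
SAMPLE_LOG = [
    "1321459200.101    820 10.0.0.5 TCP_MISS/200 45231 GET http://www.facebook.com/home.php alice DIRECT/198.51.100.16 text/html",
    "1321459260.412 185000 10.0.0.5 TCP_TUNNEL/200 9800000 CONNECT www.youtube.com:443 alice HIER_DIRECT/198.51.100.72 -",
    "1321459300.007    510 10.0.0.5 TCP_MISS/200 120334 GET http://static.ak.fbcdn.net/rsrc.php/app.js alice DIRECT/198.51.100.16 application/javascript",
    "1321459320.555    300 10.0.0.9 TCP_MISS/200 31000 GET http://www.linkedin.com/in/someone bob DIRECT/198.51.100.80 text/html",
    "1321459330.001    250 10.0.0.9 TCP_MISS/200 2200 GET http://www.notfacebook.com/ bob DIRECT/198.51.100.4 text/html",
    "1321459400.900    700 10.0.0.12 TCP_MISS/200 51200 GET http://www.trivera.com/ carol DIRECT/198.51.100.9 text/html",
]

if __name__ == "__main__":
    totals = summarise(SAMPLE_LOG)
    for user, s in sorted(totals.items()):
        print(f"{user}: {s['requests']} requests, {s['bytes']} bytes, {s['seconds']:.1f}s, sites={sorted(s['sites'])}")
    print("over budget:", flag_users(totals))
```

The same summary drives the filtering decision: the category list becomes the deny or rate-limit list on the proxy, and the per-user totals are the evidence an HR or policy conversation needs. Note the CONNECT handling: once sites move to HTTPS, the proxy sees only the tunnel target, so a filter that parses full URLs and ignores CONNECT lines will miss most of the traffic.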
Social Media Audit/Assurance
ISACA's Social Media Audit/Assurance Program was
released in February 2011 and is available to members only.
Objective
The objective of the social media audit/assurance review is to provide
management with an independent assessment relating to the effectiveness
of controls over the enterprise’s social media policies and processes.
Scope
The review will focus on governance, policies, procedures, training and
awareness functions related to social media. Specifically, it will address:
• Strategy and governance: policies and frameworks
• People: training and awareness
• Processes
• Technology
Audit/Assurance Program
Excerpt from ISACA's Social Media Audit/Assurance Program

2.1 Risk Management
Audit/Assurance Objective: The risk associated with social media is identified, evaluated, and aligned with enterprise risk profiles and risk appetite. Risk management is routinely evaluated for new and existing social media projects.
2.1.1 Ongoing Risk Assessment
Control: Risk assessments are performed prior to initiation of a social media project.

2.2 Policies
Audit/Assurance Objective: Policy and supporting standards exist to support social media use.
2.2.1 Social Media Policies and Standards
Control: Policies for social media should address the following specific areas:
• Communication protocol
• Standardized terms/key words that may convey the company brand, product, image, campaign, business initiative, corporate social responsibility
• Use of standard logos, images, pictures, etc.
• Employee personal use of social media in the workplace
• Employee personal use of social media outside the workplace
• Employee use of social media for business purposes (personally owned devices)
• Use of mobile devices to access social media
• Required review, monitoring and follow-up processes for brand protection
• Communication of policy via social media sites
• Notification that compliance monitoring will be the right of the company
• Management procedures for company accounts on social media sites

COBIT cross-reference for these steps: PO1.2, PO9.3, PO9.4, ME4.2, ME4.5, PO4.6, PO4.8, PO6.3, PO6.4

Columns of the program table as excerpted: Audit/Assurance Program Step; COBIT Cross-reference; COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); Reference Hyper-link; Issue Cross-reference; Comments. The COSO column marks ("X") for each step are not recoverable from this excerpt.
Resources and References
• 5 low-risk, high-reward experiments that could turn IT people into
heroes
• FaceTime Survey Reveals 38% of IT Managers Ignoring Web 2.0
Risks
• IT departments in dark over social media use
• Social Media in Healthcare Marketing: Making the Case
• Data breaches and the erosion of consumer trust in brands
• Top Five Social Media Risks for Business: New ISACA White Paper
• Social Media: Business Benefits and Security, Governance and
Assurance Perspectives
• Chain Exploitation - Social Media Malware
• ISACA's Social Media Audit/Assurance Program (released
February 2011; available to members only)
Questions?
Tom Snyder –
tom@trivera.com
http://www.triveraguy.com
Trivera Interactive
http://www.trivera.com