Risk, Security and Governance Aspects of Social Media
Urs Fischer, CPA (Swiss), CRISC, CISA
Malta, 11 May 2012 ©fischer IT GRC Beratung & Schulung

Urs Fischer
• CPA (Swiss) by origin, CRISC and CISA
• 5 years external auditor
• Switched to IT Audit; in IT Audit for 13 years, incl. Head of IT Audit
• 2004-2010 Head IT Governance & Risk Mgmt, Swiss Life Group
• Board member of ISACA CH Chapter for about 8 years
• Co-Author of CobiT4 and involved in the development of COBIT5
• Co-Developer of CobiT Control Practices
• Member of the CobiT Steering Committee for 3 years
• Member and Chair of ISACA’s EuroCACS Conference Programme Committee for 6 years
• 2008 – 2009 Chair of ITGI’s 'Risk IT' Task Force
• 2009 – 2010 Chair of ISACA’s CRISC Task Force
• 2006 – 2011 Member of ISACA Audit Committee (since 2008 Chairman)
• 2009 – 2012 Member of ISACA’s Credentialing Board
• 2010 – 2011 Member of ISACA’s Guidance and Practice Committee
• 2010 – 2012 Chair of ISACA’s CRISC Committee
• Since 2012 Member of ISACA/ITGI’s Nomination Committee
• 2010 Recipient of the ‘John W. Lainhart IV – Common Body of Knowledge Award’

Session Goals
• Describe social media and its impacts on the enterprise
• Examine the benefits and risks of social media use in the workplace
• Propose strategies for addressing social media risks
• Identify appropriate governance measures when leveraging social media
• Highlight an effective assurance approach

Agenda
1. Introduction – What is Social Media?
2. Business Impact of Social Media
3. Risk, Security and Privacy Concerns
4. Strategies for Addressing Social Media Risks
5. Governance and Change Considerations
6. Assurance Considerations
7. Summary / Wrap-Up
Social Networking
The use of Facebook or Twitter at work is not highly prized; only one out of five respondents believes that the benefits of employees using social networking outweigh the risks.
Source: ISACA – Global Status Report on the Governance of Enterprise IT (GEIT) - 2011

Views on Employee Use
[Chart; Source: ISACA – Global Status Report on the Governance of Enterprise IT (GEIT) - 2011]

By Enterprise Size
[Chart; Source: ISACA – Global Status Report on the Governance of Enterprise IT (GEIT) - 2011]

WHAT IS SOCIAL MEDIA

Social Media – many have tried to define it ...
• “media that is created to be shared freely”
• “Social media are works of user-created video, audio, text or multimedia that are published and shared in a social environment, such as a blog, wiki or video hosting site.”
• “Any website or web service that utilizes a 'social' or 'Web 2.0' philosophy. This includes blogs, social networks, social news, wikis, etc.”
• “Software tools that allow groups to generate content and engage in peer-to-peer conversations and exchange of content (examples are YouTube, Flickr, Facebook, MySpace etc.)”
• “Social media is any form of online publication or presence that allows end users to engage in multi-directional conversations in or around the content on the website.”
• “A million different definitions from a million different people. But over at Duct Tape Marketing they say ‘[s]ocial media is the use of technology combined with social interaction to create or co-create value.’”
• “A category of sites that is based on user participation and user-generated content.”
The world according to Gartner
“An online environment where content is created, consumed, promoted, distributed, discovered or shared for purposes which are primarily related to communities and social activities rather than functional, task-oriented objectives. 'Media' in this context is an environment characterized by storage and transmission, while 'social' describes the distinct way that these messages propagate in a one-to-many or many-to-many fashion. A distinction is drawn in this definition between media (the enabling environment) and content (what the environment contains).” – Gartner IT Glossary

BUSINESS IMPACT OF SOCIAL MEDIA

Business Benefit of Social Media
[Chart; Source: Burson-Marsteller, The Global Social Media Check-up Insights]

Key Business Benefits
• Increased:
  – Brand recognition
  – Sales
  – Search engine optimization (SEO) and web traffic
  – Customer satisfaction
• Rapid feedback and insight from consumers
• Monitor the market
• Locate and recruit potential employees

“Enterprises that aggressively embrace social media as part of their strategy are more financially successful.”
Source: ISACA White Paper: Social Media

The number and variety of corporations leveraging social media is increasing
[Example slide; images not recovered]

Even government organisations are getting the picture ...
[Example slide; images not recovered]
Personal use of social media at work is also on the rise
[Chart: % Using Social Networking While On Company LAN, 2008 vs. 2010, by region (Total, US, UK, Germany, Japan). Source: Trend Micro Corporate End User Survey: Global Rise in Workplace Social Networking, July 2010]

Personal use of social media at work is also on the rise (cont.)
[Chart not recovered]

RISK, SECURITY & PRIVACY CONCERNS

STRATEGIES FOR ADDRESSING SOCIAL MEDIA RISKS

“A documented strategy (and associated policies and standards) should be developed with the involvement of all relevant stakeholders.”

Corporate Social Media Presence
[Table over two slides: Risk | Impact and Associated Risk | Risk Mitigation Techniques; rows not recovered]

Employee Personal Use of Social Media
[Table over two slides: Risk | Impact and Associated Risk | Risk Mitigation Techniques; rows not recovered]

GOVERNANCE AND CHANGE CONSIDERATIONS

“When considering new technologies, enterprises should look to established frameworks such as Risk IT, Val IT and COBIT.”

Key is a clearly defined strategy
• What is the strategic benefit of leveraging this emerging technology?
• Are all appropriate stakeholders involved in social media strategy development?
• What are the risks associated with the technology, and do the benefits outweigh the costs?
• What are the new legal issues associated with the use of social media?
• How will customer privacy issues be addressed?
• How can positive brand recognition be ensured?
• How will awareness training be communicated to employees and customers?
• How will inquiries and concerns from customers be handled?
• Does the enterprise have the resources to support such an initiative?
• What are the regulatory requirements that accompany the integration of the technology?

Good governance must include well defined policies ...
Business use:
• Permitted?
• Process to gain approval for use
• Scope of topics or information permitted to be posted
• Disallowed activities (installation of applications, playing games, etc.)
• The escalation process for customer issues
• Employee access to social media via employer-supplied mobile devices

Personal use in the workplace:
• Permitted?
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations

Personal use outside the workplace:
• The posting of business-related content
• Standard disclaimers if identifying the employer
• The dangers of posting too much personal information
• Use of personal accounts to communicate work-related information
Change to the Organisation
• Both culture and processes
• New requirements for monitoring, logging, storage, bandwidth
• New communication channels to be managed and monitored

ASSURANCE CONSIDERATIONS

Strategy & Governance
• Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media?
  – The risk assessment should evaluate the planned business processes for leveraging social media and also the specific sites to be used.
  – The risk assessment should be revisited whenever there are substantive changes to the social media resources in use, as well as when new social media resources are considered for adoption.
• Is there an established policy (and supporting standards) that addresses social media use?
  – Policies and standards should be modified or created to define appropriate behavior in relation to the use of social media.
• Do the policies address all aspects of social media use in the workplace, both business and personal?
  – Policies for social media should address four specific areas:
    • Employee personal use of social media in the workplace
    • Employee personal use of social media outside the workplace
    • Employee use of social media for business purposes (including from personally owned devices)
    • Required monitoring and follow-up processes for brand protection

People
• Has effective training been conducted for all users, and do users (and customers) receive regular awareness communications regarding policies and risks?
  – It is imperative that all users understand what is (and is not) appropriate and how to protect themselves and the enterprise while using social media.
  – Customers who will be accessing an enterprise social media presence will need to understand what is considered an appropriate use of the communication channel and what information they should (and should not) share.

Business Processes
• Have business processes that utilize social media been reviewed to ensure that they are aligned with the policies and standards of the enterprise?
  – Unless business processes are aligned with social media policies, there can be no assurance that they will not expose sensitive information or otherwise place the enterprise at risk.
  – Change controls should be in place to ensure that changes or additions to processes that leverage social media are aligned with the policy prior to implementation.

Technology
• Does IT have a strategy and the supporting capabilities to manage the technical risks presented by social media?
  – The vast majority of technical risks presented by social media are also found in the use of malicious e-mail and standard web sites. IT should have controls in place, both network-based and host-based, to mitigate the risks presented by malware.
  – Suitable controls can include download restrictions, browser settings, data leak prevention products, content monitoring and filtering, and antivirus and antimalware applications.
  – Appropriate incident response plans should be in place to address any infection that does get through.
• Do technical controls and processes adequately support social media policies and standards?
  – It should be verified that any required technical controls are present and functioning as expected, or that there are clear plans with timelines and a required budget to reach a specific capability.
• Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites, or other disparaging postings that could have a negative impact on the enterprise?
  – While scanning for such material can be an onerous task, it is important that the enterprise have a strategy to address this risk. There are vendors that will provide this service, and this is generally the best option for enterprises that deem such monitoring a necessary activity.
  – This risk exists regardless of the enterprise’s active use of social media.

SUMMARY / WRAP-UP

Two key questions
• How well will you take advantage of best practices?
• How long can you afford to wait?
Business history is being made. What role will you play in your firm’s success?

Guidance is available!

Questions (Discussion)

For More Information:
Urs Fischer, CPA (Swiss), CRISC, CISA

Thank you!
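The Technology assurance slides above list content monitoring and filtering and data leak prevention among the host- and network-based controls IT should have in place, and ask the auditor to verify that such controls are present and functioning. The following Python sketch is an added example that is not part of the deck and not any product's logic; it shows the kind of outbound check a content filter performs on a form post bound for a social media site: a classification-marker match, an internal code name match, and a candidate payment card number confirmed with a Luhn mod-10 check so that order and phone numbers do not trigger it. The domain list, the markers, the code names and the sample posts are all constructed assumptions standing in for an enterprise's own policy data.

```python
"""Outbound post inspection for social media egress (added example, not from the deck).

Assumptions, labelled as such: the domain list, the classification markers and the
project code names are hypothetical values standing in for an enterprise's own policy data.
"""
import re
from dataclasses import dataclass, field

# Assumption: hosts the enterprise treats as social media egress.
SOCIAL_MEDIA_DOMAINS = ("twitter.com", "facebook.com", "linkedin.com", "youtube.com")

# Hypothetical classification markers and internal code names.
MARKER_RE = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.IGNORECASE)
CODENAMES = ("Project Aurora", "Falcon release")
CODENAME_RE = re.compile("|".join(re.escape(c) for c in CODENAMES), re.IGNORECASE)

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check over the digits of candidate; filters out phone and order numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_social_media_host(host: str) -> bool:
    """True for a listed domain or any of its subdomains, e.g. api.twitter.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SOCIAL_MEDIA_DOMAINS)


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    findings: list = field(default_factory=list)


def inspect_post(host: str, body: str) -> Verdict:
    """Apply the outbound checks to one request body destined for host."""
    if not is_social_media_host(host):
        return Verdict("allow")      # this policy is scoped to social media egress
    findings = []
    if MARKER_RE.search(body):
        findings.append("classification marker")
    if CODENAME_RE.search(body):
        findings.append("internal code name")
    if any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(body)):
        findings.append("payment card number")
    return Verdict("block" if findings else "allow", findings)


# Constructed sample of (destination host, form body) pairs; not captured traffic.
SAMPLE_POSTS = [
    ("api.twitter.com", "Loving the new office coffee machine!"),
    ("www.facebook.com", "Sneak peek: Project Aurora ships next month. INTERNAL ONLY, do not share."),
    ("www.linkedin.com", "Customer asked me to charge 4111 1111 1111 1111 for the invoice"),
    ("www.linkedin.com", "Order number 1234 5678 9012 3456 shipped today"),
    ("intranet.example.com", "INTERNAL ONLY status update: Project Aurora on track"),
]


def run(posts=SAMPLE_POSTS):
    """Return the action decided for each sample post, in order."""
    return [inspect_post(host, body).action for host, body in posts]


if __name__ == "__main__":
    for host, body in SAMPLE_POSTS:
        verdict = inspect_post(host, body)
        print(f"{verdict.action:5s} {host:22s} {verdict.findings}")
```

Run as a script, the second and third sample posts are blocked and the other three are allowed; the fourth shows why the Luhn check matters, since a bare 16-digit regex would have blocked an order number, and the fifth shows the policy deliberately not touching traffic to a non-social-media host. A real deployment would sit behind TLS interception on the proxy, which is itself a change to be covered by the policy and the risk assessment the earlier slides call for.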
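The last Technology assurance slide asks whether the enterprise has a process to detect unauthorized or fraudulent use of its brand on social media sites, and notes that scanning for such material is onerous. The following Python snippet is an added example, not from the deck and not a description of how any vendor's monitoring service works; it shows one building block of such scanning: folding the confusable characters commonly used in impersonation handles, comparing the result with the official handle by edit distance, and separately flagging a longer handle that embeds the brand name, the pattern of a fake support account. The confusable tables and the official and observed handles are constructed for illustration and are not real accounts.

```python
"""Lookalike-handle detection for brand impersonation (added example, not from the deck).

Assumptions, labelled as such: the confusable tables are illustrative, and the official
and observed handles are constructed sample data, not accounts that exist.
"""
from dataclasses import dataclass

# Single characters commonly swapped for letters in impersonation handles (illustrative).
CHAR_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
            "@": "a", "$": "s", "|": "l", "!": "i"}
# Letter pairs that render like a single letter in many fonts (illustrative).
SEQ_MAP = {"rn": "m", "vv": "w"}


def normalize(handle: str) -> str:
    """Canonical form: lower-case, confusables folded, separators dropped."""
    h = handle.strip().lstrip("@").lower()
    h = "".join(CHAR_MAP.get(c, c) for c in h)
    h = "".join(c for c in h if c.isalnum())   # drop _ - . and similar separators
    for seq, rep in SEQ_MAP.items():
        h = h.replace(seq, rep)
    return h


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute at unit cost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    observed: str
    official: str
    reason: str
    distance: int


def find_lookalikes(official, observed, max_distance: int = 1):
    """Compare every observed handle against every official one and report suspects."""
    own = {o.lstrip("@").lower() for o in official}
    norm_official = {o: normalize(o) for o in official}
    findings = []
    for cand in observed:
        if cand.lstrip("@").lower() in own:
            continue                                   # the enterprise's own account
        nc = normalize(cand)
        for off, no in norm_official.items():
            d = levenshtein(nc, no)
            if d == 0:
                findings.append(Finding(cand, off, "identical after confusable folding", d))
            elif d <= max_distance:
                findings.append(Finding(cand, off, f"within edit distance {d}", d))
            elif no in nc:
                findings.append(Finding(cand, off, "brand name embedded in handle", d))
    return findings


# Constructed sample data; none of these handles is a real account.
OFFICIAL = ["@acme_bank"]
OBSERVED = ["@acme_bank", "@acrne_bank", "@acme-b4nk", "@acmebank_support",
            "@acme_bnk", "@gardening_tips"]

if __name__ == "__main__":
    for f in find_lookalikes(OFFICIAL, OBSERVED):
        print(f"{f.observed:20s} ~ {f.official:12s} {f.reason} (d={f.distance})")
```

On the sample data this reports four suspects: two handles that collapse to the official one once "rn" and "4" are folded, the fake support account, and a one-character deletion. The edit-distance threshold of 1 is deliberately tight; loosening it trades false positives for coverage, which is the tuning burden the slide refers to when it calls the scanning onerous and points at vendors who do it as a service.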