The Governance of Social Media and E-Mobility Risks

Governance of Social Media & E-Mobility Risks
#CPESOX
Copyright ©2012 Infinitive
Disclaimer
As a matter of their respective company policies, our panelists today are
expressing their views and perspectives as professionals in their
respective industries. These views are their own and do not necessarily
reflect the views of their respective companies.
Agenda
• Introduction (5 Minutes)
• Opening Remarks (10 Minutes)
• Panelist Remarks (50 Minutes)
• Question & Answer (25 Minutes)
Introductions
Douglas Miller, Vice President and Global Privacy Leader, AOL
Douglas Miller, CIPP, is Global Privacy Leader at AOL Inc., overseeing a full
range of privacy operations, guidance, education, and planning. Prior to
becoming a full-time privacy professional in 1998, his AOL duties included
child and teen protection, online conduct, content and advertising
guidelines, anti-spam initiatives, and consumer safety and security. Before
joining AOL, he led government affairs for the Software Publishers
Association. From 2004-07, he taught courses in Internet Policy and Computer
Ethics at Old Dominion University. He serves on the Board of Directors for
the Network Advertising Initiative, the Advisory Board of the Future of
Privacy Forum, and the Education Advisory Board of the International
Association of Privacy Professionals.
Introductions
Dino Tsibouris, Tsibouris & Associates, LLC
Tsibouris & Associates concentrates in technology and intellectual property
law with a focus on electronic commerce, online financial services,
licensing, and privacy law. In addition, the practice includes the
implementation of electronic signatures, records management, and
information security.
Mr. Tsibouris was previously an attorney with Thompson Hine LLP and a
Vice President and Counsel for eCommerce and Technology at Bank One
Corporation (now JPMorganChase).
He has presented at CLE and trade association events on various e-banking
and e-commerce matters and participated in regulatory and industry task
forces addressing new legislation. He was listed in The Best Lawyers in
America in the area of Technology Law, 2007-2011.
Introductions
Angelos Stavrou, Associate Professor, George Mason University
Angelos is an Associate Professor in the Computer Science Department and
an Associate Director of the Center for Secure Information Systems at
George Mason University, Fairfax, Virginia. He received his M.Sc. in
Electrical Engineering, M.Phil. and Ph.D. (with distinction) in Computer
Science, all from Columbia University. He also holds an M.Sc. in Theoretical
Computer Science from the University of Athens and a B.Sc. in Physics with
distinction from the University of Patras, Greece. Dr. Stavrou has published
over 40 papers on large systems security & survivability in major
international journals and conferences. Dr. Stavrou's research interests are
focused on security for mobile devices and mobile applications. His
research has been funded by DARPA, IARPA, NSF, NIST, ARO, AFOSR, AFRL,
and Google, among others.
Session Objectives
Social media and mobile applications are the modern-day gold rush for
companies. The velocity of information and products is creating new risks
and financial reporting challenges. This session will cover the emerging
risks and considerations for internal control specialists:
• Identify and document current and intended social media use
• Perform a risk assessment for the use of social media and
mobile devices
• Implement security policies that address the use of social
media and mobile devices
• Provide social media training
• Monitor social media channels
Triple Play: Mobile, WWW, Social Media
Governance
Social media platforms such as Facebook and Twitter blend personal and
professional lives into a seamless ecosystem. Companies must navigate the
policies, procedures and a complex risk environment in order to answer the
following:
• Who are your clients?
• Who are your friends?
• What's a professional position?
• What's a personal point of view?
• What's secret and what's public?
• What can you monetize, and what would violate your privacy policies?
Camouflaged Fraud: Mobile Devices
Mobile Fraud
• The power of mobile is breaking the speed of business by opening new
markets and allowing even the smallest companies to play big
• The increased use of mobile applications has led to a rise in fraud
targeted at the mobile space
• Mobile fraud schemes succeed when companies operate in silos and do not
share their view of risks across the organization
Rogue Mobile Apps Defined:
• Created by non-authorized individuals or entities
• Seek to mislead consumers into believing the app is published by an
authorized source: similar name, use of logo, or similar publisher
• Look similar to other applications, but their objective is to compromise
other apps on the device
Panelist Perspective – Doug Miller
Panelist Perspective – Dino Tsibouris
Governance
• Francesca's CFO terminated for "improperly communicated company
information through social media" (05/14/12)
• BMW salesman posting pictures about Costco hot dogs served at a new
model release (Protected Concerted Activity because others had
complained)
• Social media coordinator fired and would not surrender passwords
(Ardis Health, Phonedog)
• Social media consultant fired for posting "F-bomb" on Chrysler's
official Twitter feed
Governance
Challenges abound:
• C-suite
• Sales and Marketing
• In-house social media coordinators
• Vendor social media coordinators
Governance
Legal Implications of Social Media
• Brand image
• E-Discovery and litigation
• Human resources/Employment
• Privacy
• Regulatory
• Security
• Torts
Governance
Example 1: Sarbanes-Oxley Section 409
• Must “disclose to the public on a rapid and
current basis such additional information
concerning material changes in the financial
condition or operations of the [company],
in plain English”
• Events requiring Form 8-K or Regulation FD
disclosure
• How to harmonize with social media
strategy?
Governance
Example 2: The NLRB
• Concerted action by employees is protected
• Cannot prohibit employees from blogging
about work or criticizing it
• Can’t prohibit them from using company
contact information on personal sites
• Memorandum OM 11-74 08/1/11
• Is current company policy overbroad?
Governance
Social Media Policy should address:
• Permissible activity
• Consequences of violations
• Required employee agreement
• No reasonable expectation of privacy
• Personal responsibility for actions
Governance
• Require confidentiality of trade secrets,
company strategies, product development,
and all financial information
• Authorization required to share copyrighted
materials
• Address “official” social media use (Official
voice of company)
Governance
• Encourage employees to link to the company
website when possible
• Clear and conspicuous disclosure of any
relationship or connection an employee has
with the company
• Disclose any compensation or gift received from any company mentioned
Governance
Create a policy that addresses your company’s
unique business goals
Train employees and contractors
Monitor
Archive content – even if third party, when
needed
Take remedial action for violations
Incorporate changes into policy periodically
Repeat…
Panelist Perspective – Angelos Stavrou
CIO Business Priorities
Maturity of Technologies
(source: Gartner)
The real picture: Malicious Apps exist...
Analyzed ~267,000 applications from the Google Android Market:
• Thousands with incorrect/permissive manifests
• Hundreds with excessive functionality that can be considered malicious
• Hundreds of Trojans (i.e. they take over existing, legitimate applications)
• Who will download these apps?
  • People who use SEARCH to find apps
  • Virtually everyone…
• Two infection vectors:
  - Regular web search
  - Search inside the mobile app market
The real picture: Malicious Apps exist...
A multifaceted problem:
• Developers may be well-intentioned, but…
  • They do not necessarily understand the mission or the security/policy
  requirements
  • They make mistakes
  • They use third-party libraries and code
• The Android permission model is neither sound nor complete
  • Intents, Reflection, JNI, WebKit, others…
  • Android permissions are enforced inside Dalvik, not everywhere on the
  device
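As an added illustration of the "incorrect/permissive manifest" finding above (example code written for this page, not the panelist's analysis tool or any Android SDK utility): a small static check that parses a constructed AndroidManifest.xml, lists the permissions it requests, flags those in an assumed high-risk set, and finds exported components that carry no permission guard. The sample manifest, the package name and the high-risk set are all constructed assumptions for the example, not a platform-defined list.

```python
"""Static check of an AndroidManifest.xml for over-permissive declarations."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Assumed high-risk set for this example only (not the official permission groups).
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Constructed sample: a flashlight-style app requesting far more than it needs
# and exporting a service that any other app on the device can bind to.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".Main" android:exported="true"/>
    <service android:name=".Sync" android:exported="true"/>
    <receiver android:name=".Boot" android:exported="true"
              android:permission="com.example.flashlight.PRIV"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Every <uses-permission> name in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(_a("name")) for e in root.iter("uses-permission"))


def high_risk_permissions(manifest_xml):
    """Declared permissions that fall in the assumed high-risk set."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in HIGH_RISK)


def unguarded_exported_components(manifest_xml):
    """Services/receivers/providers exported to all apps with no android:permission."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("service", "receiver", "provider"):
        for e in root.iter(tag):
            if e.get(_a("exported")) == "true" and e.get(_a("permission")) is None:
                found.append((tag, e.get(_a("name"))))
    return found
```

On the constructed manifest the check reports READ_SMS and RECORD_AUDIO as high-risk requests for a flashlight app and the exported `.Sync` service as unguarded; the `.Boot` receiver passes because it declares a permission.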
What about existing Analysis Tools?
Commercial application testing tools cover regular, non-Android-specific
bugs:
• No security analysis of the code functionality
• No power analysis of the application components and code
• No profiling of the resource consumption of individual applications
• Cannot regulate/deny the access and use of phone subsystems (camera,
microphone, GPS, …)
Existing tools do not cover program functionality:
• We reveal the application capabilities and access
Questions