Eight Essential Elements
Governments are working to develop best practices for securing their data and technical infrastructure in light of the new uses, users, and technologies that social media introduce.
Some of the reviewed policies deal explicitly with security concerns for social media, while others are more general. For instance, the City of Hampton’s policy simply points to existing IT security policies by stating, “Where appropriate, City IT security policies shall apply to all social networking sites and articles.” Other policies target specific security concerns; two types recurred in the policies analyzed and in the interviews: technical concerns and behavioral concerns.
The technical concerns addressed in the policies focused on password security, restriction of site functionality, authentication of identity using public key infrastructure, and virus scanning. Fifteen of the policies included specific requirements, such as requiring users to maintain complex passwords. A few policies required a designated official to hold all usernames and passwords for social media accounts.
The Department of the Navy memo on social media specifically mentions following the Department of Defense’s Public Key Infrastructure procedures and restricts the posting of classified information to protected sites only. Two policies detail how attachments should be scanned using anti-virus tools before they can be posted on behalf of the government.
The behavioral security concerns refer to threats that result from employees’ intentional or inadvertent actions when engaging with social media sites and tools. The Guidelines for Secure Use of Social Media by Federal Departments and Agencies, issued by the Federal CIO Council, discuss two major threats that depend on user behavior: spear phishing and social engineering. For example, employees may inadvertently post information about themselves or the agency on social media sites, which attackers then use to target and manipulate them. A related concern is the inadvertent posting of citizens’ personal and protected information by agency employees. While these concerns are not new, many of the reviewed policies mentioned the need to protect confidential information that is personally identifiable or whose disclosure could endanger the agency’s mission.
Sample language outlining the technical concerns and processes to follow:
"Agency IT Administrators shall:
- Limit Internet access to Social Media web sites according to the agency’s acceptable use policy, while allowing authorized Users to reach content necessary to fulfill the business requirements. Limitations may include: ….
- . . .
- Allowing Internet access to Users who are specifically authorized.
- Preventing unnecessary functionality within Social Media web sites, such as instant messaging (IM) or file exchange.
- Minimizing and/or eliminating the addition of web links to other web sites, such as “friends”, to minimize the risk of exposing a government user to a link that leads to inappropriate or unauthorized material.
- Enable technical risk mitigation controls to the extent possible. These controls may include:
- Filtering and monitoring of all Social Media web site content posted and/or viewed.
- Scanning any and all files exchanged with the Social Media web sites."
~State of California