A social networking policy template for information awareness training

Blogging, tweeting and participating in forums and on social websites can enhance a company's reputation, improve customer relations and generally benefit the organisation -- if it's done securely and according to company policy. Even if your organisation has banned the use of social networking sites, it should have a social networking policy to cover employees' postings from home, which could include corporate information, and thus have an impact on your company's reputation.

No policy is effective if employees are unaware of it, so which key points in your policy must you get across during information awareness training to mitigate the risk of social media threats?

This social networking policy template covers the three main categories of risk in using social networking sites:

  1. Risks caused by posted content.
  2. Risks caused by social interactions.
  3. Risks caused by malware, phishing and spam.

But the first topic has to be the organisation's approach to social networking. The organisation must inform employees whether they can access social networking sites during work and whether personal use is permitted. If personal use is allowed, make clear where the line is between limited personal use and abuse. State which sites can or can't be accessed during office hours. Even if a technical capability has been or will be deployed to enforce this type of policy rule, the policy should stress the disciplinary consequences for anyone who doesn't follow it, to discourage employees from putting those measures to the test. Email discussion lists and newsgroups should also be covered but, due to the sheer number of such sites, should be treated generically. Make it clear that the policy isn't limited to just the named sites. Social networking activities should not interfere with any employee's primary job responsibilities. Being social should have a positive effect on productivity, not a negative one.

When business networking, employees should only post on behalf of the company within their area of responsibility, and they must clearly identify who they are to establish credibility. They should certainly never make recommendations of individuals -- for jobs or otherwise -- as a representative of the company. It may give the appearance that the company endorses the individual being recommended, opening up possible liability if another company hires the person on the basis of the recommendation. Employees should not post on behalf of the organisation unless they've been authorized to do so, and separate personas should be used for work and personal use.

Define what employees can and can't talk about, and provide examples of information that can't be posted, such as the company's financial information, intellectual property, proprietary information, information about customers and internal announcements such as layoffs -- basically any information that could be useful for competitive intelligence, present the company in a negative light, or is legally protected.

Employees are legally responsible for any personal views they express, and if they wish to mention the company in personal posts, then they must state that any opinion is theirs and does not represent the views of the company. Point out that a post lives forever. Once information is posted, it can't be completely retracted, so workers should be encouraged to think before they type.

Acceptable behaviour policies and codes of conduct need to be documented to cover the use of language and conduct. Obviously inaccurate, distasteful or defamatory comments should not be allowed, and neither should accessing or sending offensive, obscene or indecent material. Relationships with clients, customers and partners can be damaged through a thoughtless comment. References to clients, customers or partners shouldn't be made without obtaining their express permission. Even a positive reference about one client could irritate another. An easy rule of thumb is: if it would fail a good judgement test, then it's not allowed.

Employees need to be aware of their legal obligations with regard to copyright and libel, even when forwarding material. Defamatory statements can lead to lawsuits and bad publicity. They are also responsible for reading, knowing and complying with the terms of service of the sites they use. (You will of course have to check that no clauses contradict your own policies, such as the use of pseudonyms when signing up for sites that ban giving false names.)

Social networking sites are mainly based around friend-of-a-friend-of-a-friend relationships, so stress that normal behaviour wouldn't include giving your full name, National Insurance number, address, phone number, full birth date, financial information or diary to a friend-of-a-friend you've never met. There's always a risk that private information can be exposed, and the company's monitoring of that information doesn't guarantee personal privacy. The more personal information a person posts, the more vulnerable he or she becomes to losing his or her privacy and personal identity.

Many employees will not be aware that posted content can pose a serious risk for both themselves and the company. With enough information, criminals can impersonate someone to gain further information from other members of staff about a company. Avoid providing personal information that would help someone identify or locate you offline. Photos can easily be used to identify someone and deduce his or her location from background content. Photos pose other risks as well, as they can be altered and shared to cause embarrassment or worse. Any form of location information can put people in physical danger. Also, encourage staff to regularly check what information about them is available on the Web by doing a Google vanity search (also known as egosurfing).

The privacy settings of social networking sites are by no means foolproof, but they can restrict access to your profile and limit what other members can see. Users should always check the last login date is correct if this is given and be alert to any alterations to their profile pages or new people in their contact lists.

It is important that you explain to staff how to access the privacy settings on any social networking sites they're permitted to use, and advise them which default settings to turn off.

Employees should not use the same password for all sites and must have different passwords for their personal and business personas. This avoids problems similar to those caused by the attack on the Gawker website, where millions of users had to change their passwords on other sites as well, because they were the same as their Gawker password. The impact of phishing attacks can also be minimised by avoiding password reuse.

Social networking sites are prime targets for malware distribution, and third-party applications should never be downloaded for fear of malware. It's important to keep everyone informed of the latest techniques being used by online criminals. If an employee feels that an app has a legitimate business benefit, then he or she should present a business case and a request for review to the IT department. One trade-off could be for network administrators to limit the privileges of machines or users that access social networking sites. For example, one solution would be blocking the download of any type of file.

Never take information you receive from an online contact at face value. Users should be wary of emails asking for personal information, asking them to log in or follow links. It is safer to access sites by typing the address or using a saved favourites URL to minimise the risk of logging on to a fake site. Users should be particularly wary of shortened URLs. If you feel threatened or uncomfortable during an online interaction, don't continue the dialogue, and only ever meet someone who has contacted you online on company premises with others present.
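The advice above (be wary of links in unsolicited messages, of shortened URLs, and of links that lead somewhere other than where they appear to) can be turned into a simple screening check that an awareness trainer or a mail-filtering team can run over sample messages. The following is an added example, not code from the original article or its author; the shortener list and the sample messages are constructed for the demo, and the `registrable()` helper is a deliberately crude stand-in for a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed list of common link shorteners (assumption: extend it for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}

# HTML anchors: capture the real destination (href) and the visible anchor text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Any http(s) URL appearing as plain text (also matches the href value itself; deduplicated below).
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def registrable(host):
    """Crude 'site' label: the last two labels of a hostname.

    Good enough to show the technique; a production check would use the
    public suffix list so that e.g. co.uk is handled correctly (assumption).
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(html):
    """Return a list of (kind, detail) findings for one message body.

    kinds:
      "shortened-url"       - the link goes through a known shortener, so the
                              user cannot see the real destination before clicking
      "text-host-mismatch"  - the visible link text shows one site but the href
                              points at a different one (classic fake login link)
    """
    findings = []
    seen_hrefs = set()

    for href, text in ANCHOR_RE.findall(html):
        seen_hrefs.add(href)
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(("shortened-url", href))
        # If the anchor text itself looks like a URL, it must agree with the real target.
        for shown in BARE_URL_RE.findall(text):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(host):
                findings.append(("text-host-mismatch", f"{shown} -> {href}"))

    # Plain-text links (no anchor) can still be shorteners; skip hrefs already examined.
    for url in BARE_URL_RE.findall(html):
        if url in seen_hrefs:
            continue
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(("shortened-url", url))

    return findings


# Constructed sample messages for the demo (none of these hosts are real targets).
SAMPLE_MESSAGES = [
    # 1: visible text says example.com, real destination is a look-alike domain
    '<p>Your account needs verification: '
    '<a href="http://login.examp1e-security.test/reset">https://www.example.com/account</a></p>',
    # 2: shortened link hides the destination
    '<p>See the new guidelines <a href="https://bit.ly/abc123">here</a>.</p>',
    # 3: honest intranet link, text and href agree
    '<p>Intranet: <a href="https://intranet.example.com/policy">https://intranet.example.com/policy</a></p>',
    # 4: plain-text shortener with no anchor tag at all
    'Please review https://tinyurl.com/xyz before Friday.',
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES, 1):
        print(f"message {i}: {check_message(msg) or 'no findings'}")
```

Used in a training session, the mismatch case makes the point concretely: the address the user sees is not the address the browser will visit, which is exactly why typing the address or using a saved favourite is safer than following a link. The shortener check is a prompt for caution, not proof of malice; many legitimate posts use shorteners, so a filter built on it should flag for review rather than block outright.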

Employees must know how to report incidents of inappropriate behaviour or information being posted. Explain that Internet activity is monitored and that the possible consequences of a policy breach could include termination. For any policy to work, it must be enforceable, and there must be consequences for violations. However, no policy should be published without adequate user training. User education to raise awareness of these risks and promote good practice is key to ensuring these sites can be used safely.

Recap and policy template

  1. Outline risks caused by posted content
    1. State the organisation's approach to social networking.
      1. State which sites can or can't be accessed during office hours.
      2. Communicate that being social should have a positive effect on productivity, not a negative one.
    2. Outline rules for posting content.
      1. Employees should not post on behalf of the organisation unless they've been authorized to do so.
      2. Employees should only post on behalf of the company, and only within their area of responsibility.
  2. Outline risks caused by social interaction
    1. Lay out ground rules for interacting on social networking sites
      1. Separate personas should be used for work and personal use.
      2. Define what employees can and can't talk about, and provide examples.
      3. Remind employees that they are legally responsible for any personal views they express.
        1. Hand out documented behaviour policies and codes of conduct.
        2. Remind them that, if it would fail a good judgement test, then it's not allowed.
        3. Make them aware of their legal obligations with regard to copyright and libel.
    2. Remind employees that there's always a risk that private information can be exposed.
    3. Remind them to avoid providing personal information that would help someone identify or locate them offline.
      1. Any form of location information can put people in physical danger.
      2. Employees should regularly check what information about them is available on the Web.
    4. Remind them to restrict access to their profiles and limit what other members can see.
      1. Explain to staff how to access the privacy settings on any authorised social networking sites.
      2. Explain that they must have different passwords for their personal and business personas.
  3. Outline risks caused by malware, phishing and spam
    1. Social networking sites are prime targets for malware distribution, and third-party applications should never be downloaded.
      1. Keep everyone informed of the latest techniques being used by online criminals.
      2. Remind them never to take information they receive from an online contact at face value.
      3. Users should be particularly wary of shortened URLs.
    2. Explain to employees how to report incidents of inappropriate behaviour, information posting, or suspected malware.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.

This was first published in March 2011
