Social Media for federal agencies

Reaping the rewards while mitigating the risks

Social media programs for federal agencies
Reaping the rewards while mitigating the risks

Social media defines activities that integrate technology, social interaction, and content creation through mechanisms, such as Web logs (“blogs”), business networking sites (e.g., LinkedIn), social networking websites, video- and multimedia-sharing sites, and “wikis.” By leveraging these technologies, Federal agencies have improved collaboration and transparency of decision making to the public. Social media can also:
• Facilitate internal collaboration
• Allow for information sharing with external partners or contractors
• Engage the public
• Allow users to keep pace with fast-moving events
• Harness the ideas of the public to support an agency’s mission

Agencies are creatively using social media to disseminate government information, services, and resources. The arrival of YouTube and other platforms is permitting previously unheard levels of direct interaction between federal agencies and the citizens they serve. Examples include:
• The Veterans Affairs (VA) has more than 100 Facebook pages, more than 50 Twitter feeds, two blogs, a YouTube channel, and a Flickr page. VA is working to have an active Facebook page and Twitter feed for all 152 of its medical centers. [1]
• Disabilities.gov leverages social media technologies to integrate resources and benefits related to transportation, education, and health. [2]
• The Federal Bureau of Investigation (FBI) launched its own Facebook page and a mobile application to enable individuals to get updates on missing children, wanted criminals, and terrorists. [3]

The increased use of social media, however, has presented new risks related to the realms of security and privacy, information protection, and records management, to name a few. Many agencies struggle with how to:
• Limit the collection of personal information
• Extend privacy protection requirements to third-party providers of social media services
• Provide guidance on how employees should use social media technologies responsibly
• Implement applicable records management procedures
• Monitor employee use of social media technologies
• Respond to public requests of information that may fall outside the agency’s control
• Develop the applicable policies and procedures to address social media use

While cross-federal policies have been passed by agencies, such as the Office of Management and Budget (OMB) (e.g., OMB M-10-23 [4], Guidance for Agency Use of Third-Party Websites and Applications; OMB M-10-22 [5], Guidance for Online Use of Web Measurement and Customization Technologies) and the National Association of Records Archives (NARA) (e.g., Guidance on Managing Web Records [6]), agency-specific policies and procedures vary in maturity. For example, NARA interviewed 16 agencies on the current maturity of their social media policies. Of the agencies interviewed, 50 percent have said they have some type of policy in place, while the other 50 percent reported they had no social media policy. [7]

The purpose of this whitepaper is to provide a background regarding the social media challenges agencies are facing, the current state of social media policy, and an overview of social media threats and risks. We will discuss our proposed approaches for addressing these threats and risks, including:
• Conducting a social media risk assessment
• Developing a social media policy
• Implementing a data protection strategy for social media technologies
• Implementing a social media breach response strategy
• Developing a social media awareness and training program

With sites such as Facebook and Twitter surpassing 600 million users, it is no surprise that criminals view these sites as great venues for finding victims. Security stories about Twitter and Facebook dominate the headlines, with stories of hackers managing to hijack the Twitter accounts of celebrities and organizations, including President Barack Obama and Britney Spears. Hacked accounts have been used to propagate malware, offensive messages, and the posting of links to other malicious sites.

Social media threats and their associated risks

Social media technology is becoming essential and pervasive — as well as a major part of an organization’s operations and a facilitator/an avenue for achieving business objectives. But this pervasiveness makes the management of social media difficult and risky, even more so given the increased use of mobile, wireless, and Web-enabled devices.

Only by viewing the entire social media risk picture can organizations make informed decisions about risk mitigation. Social media risk refers to the potential damage or negative impact that can be incurred by an agency as a result of using these technologies inside and outside the organization. Unfortunately, many organizations have fragmented views of their technology infrastructure, which hampers effective risk management. Thus, they are unaware of how vulnerable they are as a result of the use of social media platforms within the enterprise.

Social media and associated processes can take an agency to new levels of user experience, productivity, and customer engagement; however, these same technologies also present the rise of new threat vectors that traditional policies and security controls are unable to address. Social media threats exploit the vulnerabilities that exist in social media platforms. The process of identifying these threats and the associated risks, the probability of occurrence, and the vulnerability and potential impact that could be caused is necessary to develop preventative measures and recovery strategies. Understanding the threats and an organization’s vulnerability is the first step in effectively managing the risk imposed by the use of social media within the agency.

Trends such as user-created content, synchronous communication, openness and transparency, online collaboration, and the viral nature of social media can create security risks for an organization. To make matters more challenging, the tools and methods used to launch attacks are constantly evolving. These threats, generally, align against five main vectors.

Notes
[1] http://www.nationaljournal.com/tech/veterans-affairs-promotes-social-media-use-with-new-policy-20110817
[2] http://www.tmsp.umd.edu/TMSPreports_files/6.IEEE-Computer-TMSP-Government-Bertot-100817pdf.pdf
[3] http://www.fbi.gov/news/stories/2010/january/social_010710/our-newest-social-media-initiatives
[4] http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf
[5] http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf
[6] http://www.archives.gov/records-mgmt/policy/managing-web-records-index.html
[7] http://www.archives.gov/records-mgmt/resources/web2.0-use.pdf

As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
1. Social engineering: A nontechnical intrusion that depends heavily on human interaction and often involves tricking other people to break normal security procedures (e.g., deceiving users to perform an action, such as clicking a link, that launches an attack)
2. Exploitation of improper controls/procedures: The abuse of security weaknesses (e.g., lack of verification and strong authentication mechanisms) that are characteristic of social media and open source software environments that lack formal standards
3. Server-side attacks: Attacks that target back-end servers and networks on which social media sites are hosted in order to disrupt their operation, accessibility, and integrity of stored data
4. Client-side attacks: Attacks targeted at a user’s Web browser aimed to steal critical information, such as cookies and passwords, through the use of malware and injection of Web code
5. Privacy intrusion: Threats that exploit information posted on social media sites to glean additional private information for use in nefarious and unintended activities, such as identity theft or sale of personal information

As a result, numerous risks are emerging, and leaders are only now beginning to comprehend them. They include:
• Regulatory and legal: From a compliance and legal perspective, the degree of risks associated with adopting social media vary based on a given industry’s policies and standards. Federal agencies are running up against policy and procedural obstacles as they aim to meet the principles set forth in the Transparency and Open Government Memo. [8] For example, without proper controls for the handling of user-volunteered personally identifiable information (PII) in social media sites, an agency is considered noncompliant with the E-Government Act, Privacy Act, and Federal Records Act when social media is deployed or leveraged within its enterprise.
• Reputational: Damage can result from an employee doing something on a social site that either intentionally or unintentionally (more common) adversely impacts the organization’s reputation or brand. In the age of social media, ongoing interactions between an agency’s employees and its constituents contribute to the agency’s reputation. An informal comment by an employee via a social networking website can be interpreted as the official position or unpublicized truth/position of an agency on a particular topic. Reputational damage can also result from the posting of negative remarks by external parties. Damages can be inflicted as a result of exploitation of the risk areas associated with privacy and/or data leakage. These situations present the risk of damaging the brand and perception of an organization and affect its reputation in the marketplace.
• Privacy: Social network service providers maintain vast repositories of personal information. As a result of social media’s ability to mimic in-person interactions, people are often willing to reveal more private details than they would otherwise. There are numerous ways by which the use of social networking can compromise privacy, such as accidental release of PII and the unauthorized use of private data for marketing purposes.
• Data leakage: The attributes of social media that make it a productive communication and collaboration tool are the same attributes that make social media a potential risk for information leakage. Whether accidental or malicious, social media allows users to easily disclose or release confidential information (e.g., intellectual property, corporate secrets). Gone are the days when a Web administrator is needed to release or update content maintained on a static page. Users now have the ability to share large volumes of data externally, creating major risks for organizations.

Table 1 provides a sample of threats that target or are imposed by the use of social media within the government and their potential impacts.

[8] “Transparency and Open Government.” The White House. Web. 02 May 2011. <http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/>.
Table 1: Example of social media threat sources and risks

| Threat sources | Example threats/vulnerabilities | Description of vulnerability/attack | Risks to government |
|---|---|---|---|
| Social engineering | Spear phishing/whaling | An attack targeting a specific user or group of users that attempts to deceive the user into performing an action. Typically initiated through the use of phony widgets/websites or emails. | Privacy; Data leakage |
| Exploit of improper controls | Weak authentication mechanisms | Social media applications rarely leverage strong forms of authentication. As a result, weak and easily guessed passwords are employed by users. In addition, password reminder questions are based off of publicly available information (e.g., Sarah Palin attack). | Privacy; Data leakage |
| Exploit of improper controls | Anonymous browsing | Many social software sites allow contributions to be made anonymously. | Regulatory and legal; Reputational; Data leakage |
| Exploit of improper controls | Limited use of encryption (e.g., SSL, TLS) | When authenticating using Asynchronous JavaScript and Extensible Markup Language (AJAX), mashups, or widgets, password information may be transmitted unencrypted and stored outside of the control of the host website. | Regulatory and legal; Data leakage |
| Server-side attacks | Denial-of-service attacks | Involves bombarding a website or server with more traffic than it can handle, effectively causing online gridlock. Often, such attacks are distributed, meaning that multiple computers, usually compromised by malware, send data to the target site in unison. | Reputational; Regulatory and legal |
| Client-side/application attacks | Cross-site request forgery | Vulnerability that allows the launch of an attack, whereby a malicious event is executed against an already trusted site. | Reputational; Privacy |
| Client-side/application attacks | Malware | Malicious content that leverages social media infrastructure to perform nefarious activities (e.g., the use of Twitter or RSS feeds to control botnets; Koobface worm). Botnets can be used to launch denial-of-service attacks. | Reputational; Privacy; Data leakage |
| Privacy intrusion | Workforce targeting/profiling/surveillance | Social networking sites can be used as a source for conducting surveillance on companies and persons of interest. | Privacy; Regulatory and legal |
| Privacy intrusion | Impersonation | Social software accounts can be established under false names in order to impersonate someone else. In addition, stolen passwords are used to impersonate the victim. | Reputational; Privacy; Regulatory and legal |
A risk-based approach to social media

Whether inadvertent or intentional, the threats and risks posed by social media to an organization are equally as dangerous to an organization’s employees, stakeholders, and mission. These risks, if identified and controlled in the proper way, can bring benefits to the organization and society as a whole. Agencies should be proactive and develop — and continually update — social media policies. We recommend a five-step approach.

1. Conduct a social media risk assessment

While different organizations face different types and levels of risk when engaging in social media, the first step in managing the risks is to understand them. For any new program or service, conducting a risk assessment and mitigation prior to its launch or use will likely help determine which issues need attention. Deloitte’s approach for executing an effective social media risk assessment includes:
• Identifying and obtaining a high-level understanding of the social media applications in use within an organization
• Establishing the main platforms on which accessed social media applications reside and identifying the key interfaces between them
• Identifying, at a high level, user needs, demands, and problems regarding existing/proposed enterprise 2.0 applications and externally hosted social software applications
• Recommending controls and procedures to effectively manage identified risks

2. Develop a social media policy

Due to the particular capabilities of social media, traditional and generic organizational policies typically may not fully address the risks created by this technology. A specific social media policy, therefore, is a must. The policy should document its scope, the content to which it applies, and the standards and guidelines to be followed in order to comply with the policy.

To develop a policy that governs social media use within an organization, we recommend a five-step process.
• Define it: Define the mix of social media tools and technologies permitted within the organization. Document the activities that are allowed in internally or externally hosted virtual environments.
• Outline rules of engagement: Specify the social media behaviors that are encouraged or prohibited, and articulate how existing codes of ethics and acceptable use policies relate to social media.
• Determine ownership: Clarify ownership rights of content and intellectual property posted to social media sites by employed individuals as well as ownership of the accounts used to post the information.
• Plan for the breach: Prepare for the after-the-fact discovery of a policy breach by identifying steps that would be initiated in the event of an employee not complying with these policies.
• Specify approval/access processes: Decide who requires access to specific social media sites/accounts based on business needs and perceived risks. Build a business process around who gains access, who is allowed to post, and who authorizes access.

3. Implement a holistic data protection strategy for social media technologies

In addition to controls related to policy development and awareness and training, an applicable data protection strategy for social media technology that ties into your enterprise data protection strategy is critical. The strategy should leverage applicable tools and technologies to mitigate both internal and external threats.

Such technologies and tools include applicable authentication, authorization, and access controls as well as verification and network monitoring tools to protect data throughout its life cycle — from creation to eventual disposition. We recommend integrating social media technologies with the enterprise’s identity, credentialing, and access management (ICAM); data loss prevention (DLP); enterprise digital rights management (EDRM); enterprise content management (ECM); and encryption technologies as applicable. This provides an agency with the technical controls required to both share and protect data.
• ICAM: Given the sensitivity in managing the confidentiality and integrity of your systems, Deloitte encourages the development of sound provisions to grant and restrict access to sensitive data. Our approach to securing access to social media sites is to combine authentication, authorization, and access control. The integration of these controls, such as using multifactor authentication, can help provide a greater level of reliability and further mitigate social media attacks.
• DLP: DLP tools offer context-based policy protection and define how data should be secured or released by flagging discussions that may involve proprietary information and identify potential breaches or patterns.
• EDRM: Implementing and using social media technology involves risk to an organization’s information, including intellectual property. Integrating with your EDRM solution can help protect such data, whether it is structured (such as database queries) or unstructured (such as social media posts or email).
• ECM: Collaboration is critical to meeting mission objectives. By integrating ICAM with an ECM technology, sensitive information contained in communities of interest that are otherwise wide open and decentralized can be adequately protected.
• Encryption: Encryption is the foundation for maintaining the integrity, authenticity, and confidentiality of an agency’s information.

4. Develop a social media breach response capability

It is critical to have an incident response (IR) capability designed specifically for dealing with breaches or other malicious events related to social media. As a first step, Deloitte recommends identifying where there may be gaps in current capabilities as they relate to identifying incidents and mitigating damage caused by improper use or protection of data flowing through social media technologies. An incident response capability for social media should align with federal breach response requirements as well as the enterprise incident response capability.

Figure: Incident response offerings (incident response development steps, from diagnostic to response)

Breach diagnostic
• Understand social media vulnerabilities
• Determine if an organization is adequately prepared to respond to a social media breach
• Conduct breach preparedness diagnostic
• Identify strengths and weaknesses
• Develop diagnostic report and road map

Strategy and capability design
• Develop strategic vision
• Design a capability and implementation plan to achieve that vision
• Develop a social media incident response strategy, including objectives and scope
• Determine roles and responsibilities
• Design capability and governance structure
• Align capability with breach notification requirements

Capability development and implementation
• Execute against the strategic plan to build the capability
• Establish Incident Response policies and protocols for social media
• Develop procedures and training
• Develop scenarios and conduct case testing
• Establish escalation chains and communication channels
• Integrate social media specific response capability into existing enterprise IR capabilities and procedures

Breach response
• Efficiently and effectively respond in the event of a social media breach
• Support immediate post-breach activities, including internal and external communication
• Risk-based prioritization
• Support and perform initial containment activities
• Conduct root cause analysis
• Develop remediation strategy and roadmap
• Implement remediation roadmap
• Minimize business disruption and reputational damage
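The DLP control described under step 3 (flagging discussions that may involve proprietary information or user-volunteered PII before they leave the agency) can be illustrated with a pre-publication gate for draft posts. This is an added example, not code from the whitepaper or from Deloitte; the PII patterns, the internal handling markings, the published-contact allowlist and the sample posts are all constructed for illustration, and the risk labels are taken from Table 1.

```python
import re
from dataclasses import dataclass

# Patterns for user-volunteered PII that must not be released through an
# agency account. Constructed for this example; a real DLP policy is broader.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
# Hypothetical internal handling markings; an agency would use its own set.
MARKING_PATTERN = re.compile(r"\b(FOUO|FOR OFFICIAL USE ONLY|INTERNAL ONLY)\b", re.I)

# Risk categories from Table 1 that each kind of finding maps to.
RISK_MAP = {
    "ssn": ("Privacy", "Regulatory and legal"),
    "email": ("Privacy",),
    "phone": ("Privacy",),
    "marking": ("Data leakage", "Regulatory and legal"),
}

# Contact details the agency has already published (constructed sample);
# repeating public contact information is not a leak.
PUBLISHED_CONTACTS = {"555-010-0199", "press@agency.example"}


@dataclass
class Finding:
    kind: str
    value: str
    risks: tuple


def scan_post(text):
    """Return findings for PII and internal markings in a draft post,
    skipping contact details the agency already publishes."""
    findings = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(text):
            if match.group(0) in PUBLISHED_CONTACTS:
                continue
            findings.append(Finding(kind, match.group(0), RISK_MAP[kind]))
    for match in MARKING_PATTERN.finditer(text):
        findings.append(Finding("marking", match.group(0), RISK_MAP["marking"]))
    return findings


def decide(text):
    """Gate a draft post: 'allow', 'review' (human check) or 'block'."""
    findings = scan_post(text)
    kinds = {f.kind for f in findings}
    if not findings:
        return "allow", findings
    if "ssn" in kinds or "marking" in kinds:
        return "block", findings
    return "review", findings


def redact(text):
    """Mask PII hits so a reviewer can read the post without the data."""
    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(
            lambda m, k=kind: m.group(0) if m.group(0) in PUBLISHED_CONTACTS
            else f"[{k.upper()} REDACTED]", text)
    return text


# Constructed draft posts from an agency account queue.
SAMPLE_POSTS = [
    "Town hall Thursday at 2pm. Questions? Call 555-010-0199 or press@agency.example.",
    "Thanks for writing in! Your claim (SSN 123-45-6789) is being processed.",
    "FOUO: draft budget figures attached, please hold until Friday.",
    "Our new analyst can be reached at j.doe@agency.example for interviews.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict, findings = decide(post)
        print(verdict, sorted({r for f in findings for r in f.risks}), redact(post))
```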
If an incident arises, we recommend learning from it — that is, understand its root cause, remediate vulnerabilities, and make any adjustments necessary.

5. Develop an awareness and training program

Fostering a culture of security awareness as it relates to social media is critical because it is another effective way to mitigate security and privacy issues. Training must inform employees of new social media threats and refresh their understanding of how to identify and avoid social engineering attacks. This training should emphasize the need for security and inform people of the actions they can take to prevent the release of confidential information.

Training is necessary at all levels of the organization and across all divisions. Functions such as public relations, marketing, customer service, human resources, legal, and information technology may be involved with social media; therefore, specialized training for those employees should be considered. Moreover, consistent leadership communications emphasizing the importance of security is just as necessary as employees understanding their individual roles and responsibilities.

Understanding the workforce capabilities needed to support the use of social media is important. Leaders must be mobilized and aligned, and stakeholders must be engaged and communicated with. Awareness and training programs should:
• Identify potential social media threats and attacks
• Identify mitigation strategies
• Emphasize the need for security with regards to social media technologies and the protection of personal information
• Identify the social media sites that are acceptable to use
• Specify what is acceptable and what is inappropriate to post to social media sites
• Identify what can be posted during or after business hours
• Explain how the use of social media will be monitored
• Educate users about the privacy settings
• Establish roles and responsibilities for those using and responding to social media

Social media training and awareness programs should be updated as needed based on agency requirements, and agencies should encourage employees to continue to refresh their knowledge of the established policies.

The Deloitte difference

Deloitte has the insights, people, and experience that span the government and business world — and the resources to help clients in their efforts to get it done. Together, we help clients create lasting change and make a difference for people around the world.

As one of the largest management consulting providers globally, we are known for bringing a mix of private-sector perspective and public-sector experience, drawn from delivering industry-leading practices across government and business. Highly collaborative in our approach, we work side by side with your team to assess your social media threats and challenges and to evaluate and implement the applicable solutions to mitigate them.
Contacts

For more information, please contact:

Carrie Boyle, Specialist Leader, Deloitte AERS, +1 202 370 2324, cboyle@deloitte.com
Meredith Marlowe, Manager, Deloitte AERS, +1 202 370 2482, mmarlowe@deloitte.com
Nydia Clayton, Manager, Deloitte Consulting, +1 703 859 5432, nclayton@deloitte.com
Jhaymee Wilson, Senior Consultant, Deloitte Consulting, +1 571 319 6975, jhwilson@deloitte.com

For further information, visit our website at www.deloitte.com

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited