Jesse Wilkins, CIP, CRMAIIM InternationalJanuary 12, 2012
   Director, Research and Development, AIIM   Background in electronic records    management, ECM, digital preservation,...
 Social media governance challenges Social media policy statements Capturing and managing social  content              ...
10. I am not a lawyer.9. I am not a lawyer.8. I am not a lawyer.7. I am not a lawyer.6. I am not a lawyer.5. I am not a la...
I am an IT geek, a records manager, a business  guy, a trainer, a former Marine Corps Drill  Instructor, and sometimes eve...
Does your organization keep its own history record or searchable archive ofwhat has been published or communicated on the ...
By the end of 2013, half of allcompanies will have been askedto produce material from socialmedia websites for e-discovery...
When is “social” a Federal“record?”   Is the information unique    and not available anywhere    else?   Does it contain...
If the answers toANY of theabove questionsare yes, then thecontent is likely tobe a Federalrecord.              Source = h...
Is a Facebook “like” a record?                                 11
12
13
14
   Drug companies lose protections on    Facebook, some decide to close pages    -- Washington Post, August 13, 2011   N...
Systems of Engagement  Era      Mainframe      Mini        PC       Internet    ???                           Systems of R...
   Stuff stored outside the control of the    organization    ◦ No ready way to get at most of it    ◦ Co-creation, aggre...
   Disparagement of the organization – or of    competitors or others   Slander or libel   Sexual content   Solicitati...
Official vs. unofficialLink to social media policy                              20
Creation of official accounts                                21
   Account details    ◦   User name    ◦   Picture    ◦   Corporate logo usage    ◦   Bio    ◦   Contact information   F...
   Whether posts will require approval   Pictures and video    ◦ By the organization    ◦ By third parties   Links (i.e...
   Access to personal accounts using    organizational resources    (time, computers, network, etc.)   Access to sites u...
   Acceptable and unacceptable groups   Perception of approval                                         25
   Personnel-related information   Financial information   Confidential information   Health information   If you wou...
   Whether comments are allowed    ◦ And monitored                                   27
Monitoring and reviewing comments                                28
   Whether the account is monitored for    actionable content (screenshot)             Public records       Monitoring fo...
 Is there a business need for the  information? Does it document a transaction or  decision? Is the information unique ...
32
   Blog post    ◦ Comments?    ◦ Updates?   Individual Tweet    ◦ Links and shortened URLS?   Wiki article    ◦ The art...
34
   Commercial and hosted sites store    information outside the firewall    ◦ Little control over how it is stored    ◦ L...
Take a screenshot of content                               36
   Archive selected items locally    ◦ Use search queries and monitoring      Store selected items locally      using sea...
Store locally using built-in tools                                     38
Store locally using third-party service                                     39
Store locally using APIs                           40
   Use Word or Notepad to draft content    updates and save *that*                                       41
42
• And many others                    43
44
Jesse Wilkins, CIP, CRM, CDIA+, ermmDirector, Research and DevelopmentAIIM International      +1 (303) 574-0749 direct    ...
   2-day instructor-led or online course   Includes:    ◦ Specific governance elements for      Facebook, Twitter, other...
PROFESSIONAL CERTIFICATION covering the broad                       based body of knowledge that every information        ...
20120112 AIIM Southwest Social Media Governance
20120112 AIIM Southwest Social Media Governance
20120112 AIIM Southwest Social Media Governance
20120112 AIIM Southwest Social Media Governance
Upcoming SlideShare
Loading in …5
×

20120112 AIIM Southwest Social Media Governance

2,254 views

Published on

This presentation delivered to the AIIM Southwest Chapter described key issues social media presents to a governance program and then described way to capture social content as records.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,254
On SlideShare
0
From Embeds
0
Number of Embeds
1,651
Actions
Shares
0
Downloads
12
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • The first step is to determine whether or not something is in fact a record. Just as we know that most email messages are not records, for most organizations their Facebook fan page updates will not be records either. In other words, we have to ask the same questions about these tools that we’d ask about any other type of information:Does it document a transaction or a decision? If it does, it’s probably a record. Is it captured in another form? This is the biggest reason why most social networking sites like Facebook and Twitter wouldn’t need to be captured as records – in most cases they are being used as another transmission mechanism for information stored elsewhere. Now, just because it isn’t a record doesn’t mean it couldn’t be discoverable or a public record and subject to FOIA-type laws. Again, same considerations here as for other types of information. [twitter]Determine whether something is a record or not according to its content and context.[/twitter]
  • During my professional lifetime, I have seen at least 4 major enterprise IT transformations, and they seem to be occurring with increasing acceleration. When I first came into the workforce, the enterprise IT norm was centered on mainframe computers focused on batch-processed financial applications. This was the era of Burroughs and Univac and NCR and Control Data and Honeywell. This era was soon eclipsed by the rise of minicomputers.Minis were themselves eclipsed by the PC revolution, stitched together in Local Area Networks. Steroids in the form of the internet changed everything about how we connected PCs together distributed documents and information around our organizations. And then along came Google and our expectations about enterprise IT and simplicity of use morphed once again.
  • Pretty straightforward
  • Official vs. unofficial includesDisclaimers (this is or is not official; disclaimer of responsibility if it isn’t)Also includes a link to his social media policy
  • Whether approval is required to create an account (official only)It’s also useful, as CSU does, to list all the official accounts somewhere on the website.
  • This includes things like:What user names are appropriate, and whether to use the organization as part of it (e.g. Dell_JeffW)Pictures – same thingBio – same thing, plus things like official account, name (and sometimes personal Twitter handle) of the person behind the account, etc. Different types of contact informationIt’s also valuable to have guidelines for what types of contacts are appropriate. An official federal government account could “friend” Barack Obama on Twitter, but probably shouldn’t friend his re-election campaign or the Democratic Party (and even if it did the Republican Party as well, it’s still problematic). Similarly, it might look a bit odd for an energy company account to “friend” a parody account like BPGlobalPR, or a competitor, or an unsavory group, etc.
  • Pretty straightforward here. Three main points:If third party content is allowed, it should be reviewed so people don’t upload pornography, etc. If it is reviewed, the organization may have some responsibility to remove things that are inappropriate. This should be spelled out clearly and adhered to rigorously – all goes back to transparency. If an official account “likes” something on Facebook, or retweets something on Twitter, this could be considered approval or even recommendation – and if it’s something offensive, or illegal, or otherwise inappropriate, this could cause serious issues.
  • The policy should outline what types of groups are appropriate and what types of groups should be out of bounds. This is especially important for official commercial accounts but could be applicable even to personal accounts where the connection could be made to the organization because of the employee’s visibility. For example, it would be inappropriate for an official in charge of elections to be a member of a Facebook group focused on reelecting one candidate or another. Moreover, there are any number of groups dedicated to patently offensive or illegal causes; having accounts associated with these types of groups could bring significant risk to the organization and its brand. ~Another related area involves conveying a perception of approval of content that might be controversial, offensive, or illegal. For example, both a Facebook “like” and retweeting content on Twitter are often perceived as approval of that content. If an official account or the personal account of a senior manager retweets a sexist joke or something that condones illegal drug use, that could also cause serious issues for the organization.
  • These are specific to government. It’s always a good idea to link back to the organization’s home website and vice versa so it’s clear that the account is an official one. Because of public records and sunshine laws, it’s important for the agency to be open about whether comments are allowed or monitored and whether it believes them to be covered under such legislation. And for public safety accounts in particular, such as fire departments or police, the account should note whether it’s monitored and what the “official” mechanisms are to report safety issues.
  • Here’s an example of this from the Seattle Fire Dept – it clearly says “This site is not monitored. Call 911 for emergencies.” It also notes the applicability of public records laws and has a link to the main website.
  • The first step is to determine whether or not something is in fact a record. Just as we know that most email messages are not records, for most organizations their Facebook fan page updates will not be records either. In other words, we have to ask the same questions about these tools that we’d ask about any other type of information:Does it document a transaction or a decision? If it does, it’s probably a record. Is it captured in another form? This is the biggest reason why most social networking sites like Facebook and Twitter wouldn’t need to be captured as records – in most cases they are being used as another transmission mechanism for information stored elsewhere. Now, just because it isn’t a record doesn’t mean it couldn’t be discoverable or a public record and subject to FOIA-type laws. Again, same considerations here as for other types of information. [twitter]Determine whether something is a record or not according to its content and context.[/twitter]
  • Prepare for discovery. This means having the same type of data map you have in place inside the organization, but with listings of all the services you use, the accounts used there, etc. At a minimum you should list any official use of services and official accounts. It also means understanding the process for getting at that information in the event of litigation, FOIA request, etc. The time to put that process in place is before the subpoena is received. For hosted tools, such as FB or Twitter, it may mean taking periodic snapshots of what is posted to them. Right now there aren’t a lot of tools that do this; one way that can be effective is to capture the RSS feeds generated by these tools. As updates are made, they are published through the RSS feed, which can be saved locally. It might also require working with the third-party vendor in the event that some information or some updates are not available through RSS – for example, web-based email. It’s also important to note that at least for commercial solutions there is very little ability to put or enforce legal holds or to prevent a user from deleting an account, at least without a subpoena and without doing it before the user knows to delete it. [twitter]Prepare for discovery in advance, including listing official use of services and accounts.[/twitter]
  • As we just noted, the records management or communications policies (or both) should address the use of these tools. We’ll look at some examples of policies over the next few slides. At a minimum, the policy should address: Identity, relationship, and transparency – is the account official or unofficial?Security, confidentiality, and sensitive informationComments and responses to commentsResponding to others’ posts on commercial sitesAccuracy and ethicsMonitoring and auditing[twitter]Address these tools in the records or communications policies (or both). [/twitter]
  • How to capture content will depend first on one key variable: where is it stored? The vast majority of social media sites are either hosted solutions or commercial ones – that is, users’ data is not stored inside the organization’s firewall, but on some third party data center outside the control of the organization. This can present a significant issue because how and how long the data is stored is almost entirely dependent on the site’s Terms of Service. If the Terms are changed from retention for 7 years to retention for 2 weeks, or to permanently, it presents a real problem for the records program. And depending on the site this is almost certainly non-negotiable with the exception of governmental entities with the force of the law behind them. ~It’s also the case that some regulatory regimes have geographical aspects that, for example, require particular content to be stored inside a country’s boundaries, or prohibit it from being stored in certain countries’ boundaries. This can present issues for services that store information in the cloud and that might have numerous data centers spread around the world. ~Once the organization has determined what to capture, the next step then is to save that information locally. This is almost always a copy – in other words, saving social content from Facebook does *not* delete it from there. There are a number of ways to accomplish this that we will review over the rest of this module.
  • Finally, there are enterprise versions of every Web 2.0 application. These enterprise versions are often available to be hosted inside the firewall, meaning that security is much more robust. Access can be secured to them much more effectively. They can be integrated into the organization’s identity infrastructure – whether Active Directory or something else – such that any change, post, comment, edit, update, etc. can all be tracked and, more importantly, tracked to a specific named user. No anonymous postings here. Of course, you have to pay for an enterprise version, but what you’re really paying for is a level of peace of mind. And you still get many of the same benefits – ease of use, familiarity with the type of tool, rapid and agile collaboration across geographical and time boundaries, etc. You’re just getting a more secure and robust version of it. [twitter]Consider implementing enterprise versions. FB is FB, but internal tools might be more appropriate.[/twitter]
  • At this point I’d be pleased to entertain your questions.
  • 20120112 AIIM Southwest Social Media Governance

    1. 1. Jesse Wilkins, CIP, CRMAIIM InternationalJanuary 12, 2012
    2. 2.  Director, Research and Development, AIIM Background in electronic records management, ECM, digital preservation, and social business ARMA Int’l Board of Directors, 2007-2010 AIIM Int’l Board of Directors, 2004-2005 Frequent industry speaker and author AIIM Social Business Expert Blogger Co-Author, AIIM Social Business Roadmap Author, AIIM Social Media Governance Certificate Program 2
    3. 3.  Social media governance challenges Social media policy statements Capturing and managing social content 3
    4. 4. 10. I am not a lawyer.9. I am not a lawyer.8. I am not a lawyer.7. I am not a lawyer.6. I am not a lawyer.5. I am not a lawyer.4. I am not a lawyer.3. I am not a lawyer.2. I am not a lawyer. 4
    5. 5. I am an IT geek, a records manager, a business guy, a trainer, a former Marine Corps Drill Instructor, and sometimes even a princess. 5
    6. 6. Does your organization keep its own history record or searchable archive ofwhat has been published or communicated on the following sites orcommunications channels? 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Generally less Emails than half Press articles keeping their Intranet Public presentations or videos own record of External website internal social Old SharePoint team sites media content Internal blogs and forums types... Other internal social sites or systems Instant messages Public blogs and forums …and even less Micro-blog/electronic notice board for external Company Facebook or Linked In pages networks. Twitter Yes No N=335, “N/A Don’t Know” make up to 7 100%
    7. 7. By the end of 2013, half of allcompanies will have been askedto produce material from socialmedia websites for e-discovery. Source: “Social Media Governance: An Ounce ofPrevention”, Gartner 8
    8. 8. When is “social” a Federal“record?” Is the information unique and not available anywhere else? Does it contain evidence of an agency’s policies, business, mission, e tc.? Is the tool being used in relation to an agency’s work? Is there a business need for the information? Does it document a transaction or decision? 9
    9. 9. If the answers toANY of theabove questionsare yes, then thecontent is likely tobe a Federalrecord. Source = http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html 10
    10. 10. Is a Facebook “like” a record? 11
    11. 11. 12
    12. 12. 13
    13. 13. 14
    14. 14.  Drug companies lose protections on Facebook, some decide to close pages -- Washington Post, August 13, 2011 New Facebook Policy Spurs Big Pharma to Rethink Social Media Strategy Major Marketers Fear that Enabling Comments Will Attract FDA Ire -- Adage.com, June 2, 2011 15
    15. 15. Systems of Engagement Era Mainframe Mini PC Internet ??? Systems of Record 1960- 1975- 1992- 2001- 2010- Years 1975 1992 2001 2009 2015 Typical A batch A dept A A web thing transactio ??? process document pagemanaged n Best Digital known IBM Equipmen Microsoft Google ???company tContent Image Doc Content mgmt Microfilm ??? Mgmt Mgmt Mgmt focus 16
    16. 16.  Stuff stored outside the control of the organization ◦ No ready way to get at most of it ◦ Co-creation, aggregation, fragmentation Stuff accessed by and published from personal/mobile devices (BYOD, security) The law always lags the technology 17
    17. 17.  Disparagement of the organization – or of competitors or others Slander or libel Sexual content Solicitations of commerce Threats Illegal activity Violation of copyright Etc. 19
    18. 18. Official vs. unofficialLink to social media policy 20
    19. 19. Creation of official accounts 21
    20. 20.  Account details ◦ User name ◦ Picture ◦ Corporate logo usage ◦ Bio ◦ Contact information Friends/buddies/contacts Groups/fans/likes 22
    21. 21.  Whether posts will require approval Pictures and video ◦ By the organization ◦ By third parties Links (i.e. “sharing”) Applications and widgets Likes, retweets, etc. 23
    22. 22.  Access to personal accounts using organizational resources (time, computers, network, etc.) Access to sites using personal devices (iPhone, tablet, etc.) 24
    23. 23.  Acceptable and unacceptable groups Perception of approval 25
    24. 24.  Personnel-related information Financial information Confidential information Health information If you wouldn’t post it to your website or send via email, don’t post to FB or send via Twitter. 26
    25. 25.  Whether comments are allowed ◦ And monitored 27
    26. 26. Monitoring and reviewing comments 28
    27. 27.  Whether the account is monitored for actionable content (screenshot) Public records Monitoring for public safety 29
    28. 28.  Is there a business need for the information? Does it document a transaction or decision? Is the information unique and not available anywhere else? 31
    29. 29. 32
    30. 30.  Blog post ◦ Comments? ◦ Updates? Individual Tweet ◦ Links and shortened URLS? Wiki article ◦ The article? ◦ Its changes over time? It depends…. Prepare for production 33
    31. 31. 34
    32. 32.  Commercial and hosted sites store information outside the firewall ◦ Little control over how it is stored ◦ Little control over how long it is stored ◦ Geographic and jurisdictional issues First step is to save content locally 35
    33. 33. Take a screenshot of content 36
    34. 34.  Archive selected items locally ◦ Use search queries and monitoring Store selected items locally using search queries or RSS 37
    35. 35. Store locally using built-in tools 38
    36. 36. Store locally using third-party service 39
    37. 37. Store locally using APIs 40
    38. 38.  Use Word or Notepad to draft content updates and save *that* 41
    39. 39. 42
    40. 40. • And many others 43
    41. 41. 44
    42. 42. Jesse Wilkins, CIP, CRM, CDIA+, ermmDirector, Research and DevelopmentAIIM International +1 (303) 574-0749 direct jwilkins@aiim.org http://www.twitter.com/jessewilkins http://www.linkedin.com/in/jessewilkins http://www.facebook.com/jessewilkins http://www.slideshare.net/jessewilkins http://www.govloop.com/profile/jessewilkins 45
    43. 43.  2-day instructor-led or online course Includes: ◦ Specific governance elements for Facebook, Twitter, other social business tools ◦ Commercial vs. enterprise social technologies ◦ Capturing and managing social content http://www.aiim.org/Training/Essential%20Trainin g/Social-Media/Course%20Descriptions 46
    44. 44. PROFESSIONAL CERTIFICATION covering the broad based body of knowledge that every information professional needs to understand. www.aiim.org/certification Enterprise search, Business intelligence, Master Access/ Use data management, Text analytics Information capture, BPM, KM, Email Capture/Manage management, Content management Collaboration, Social media, InfoCollaborate/Deliver workplace, IM, Telecommuting support, Web conferencing Security, RM, Data Secure/Preserve privacy, DRM, Archiving, eDiscovery Info architecture, Technical architecture, CloudArchitecture/Systems computing, Mobile apps, Websites and portals Strategic planning, Building business case, Impl Plan/Implement planning, Req def, Solution design, Change mgmt 47

    ×