Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications


This white paper discusses some of the technologies in use by the US Federal government, it provides an overview of some of the variety of regulations imposed upon Federal agencies, and it offers advice on what Federal agencies should do to mitigate the risks created by use of established and new communications technologies.

WHITE PAPER

An Osterman Research White Paper
Published February 2012

Sponsored by Actiance

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
Why You Should Read This White Paper

FEDERAL AGENCIES ARE AT RISK

A July 2007 United States Government Accountability Office (GAO) report[i] found that almost all of the 24 major US federal agencies had significant information security control vulnerabilities, most notably in access control, continuity of operations and configuration management. The report found that these security holes could put at risk, among other items, federal payments and collections, critical defense and emergency services operations, sensitive taxpayer data and Social Security records, and agency missions of various types.

The US Federal government is the United States' largest single employer, employing 2.15 million people in 2010, or 1.6% of the US workforce[ii]. Information security is of vital importance to the Federal government, partly because of the very large amount of sensitive data that the US government has under its control. For example, the US government maintains tax records on most individuals living in the United States, it maintains health records for tens of millions of Americans, and it maintains a variety of other types of protected information.

DATA BREACHES ARE NOT UNCOMMON IN THE FEDERAL GOVERNMENT

Not surprisingly, there have been a sizable number of data breaches within the US government, some recent examples of which are shown below:

• In late October 2010, the General Services Administration (GSA) announced that six weeks earlier an employee of the GSA had emailed the names and Social Security numbers of all 12,000+ staff members at the GSA to a personal email address[iii].
• A report in January 2011 showed that a client computer at the Veterans Affairs Medical Center in White River Junction, VT, allowed individuals to anonymously log onto a network, giving them access to sensitive patient information[iv].
• The Orthopedics department of a Veterans Affairs facility in Chicago, IL, used Yahoo! to track patient scheduling, including the names, dates and types of surgery performed on 878 patients. This began in July 2007 and was shut down only in late November 2010[v].
• A report in December 2010 showed that a subcontractor for the Social Security Administration Office of Temporary Disability Assistance in New York, NY, accessed and stored roughly 15,000 Social Security numbers, including (possibly) the addresses, telephone numbers and birthdates of these individuals[vi].
• In June 2010, a partial search of the National Highway Traffic Safety Administration's public complaint database revealed the names, addresses, birthdates, vehicle identification numbers and driver's license numbers in up to 792,000 complaint cases.

As a result of the growing potential for data breaches, the increasing number of information tools and assets maintained by the Federal government, as well as a general recognition that information security is critically important from a national security perspective, the US government has been ratcheting up its information security posture over the past decade. For example, the US government spent roughly $68 billion on information technology and $6.2 billion on information security in 2008 alone[vii]. These figures are expected to increase significantly over the next several years.

ABOUT THIS WHITE PAPER

This white paper sets out to do the following:

• Discuss some of the technologies in use by the US Federal government
• Offer an overview of some of the variety of regulations imposed upon Federal agencies
• Offer advice on what Federal agencies should do to mitigate the risks created by use of established and new communications technologies

This white paper also discusses the sponsor of this white paper, Actiance, and its offerings that specifically address the security and compliance issues addressed in this document.

Communications Practices in the Federal Government

GROWING ADOPTION OF UNIFIED COMMUNICATIONS

Both voicemail integration and enterprise instant messaging hold the promise of speeding up processes and streamlining communication between people in many industries, particularly in the Federal government, given its size and the scope of the services it offers. Voicemail integration with email inboxes means that end users can get their voicemail from wherever they receive their email, thus eliminating voice messages as a separate and siloed repository. Enterprise instant messaging, when combined with presence, gives a clear indication of when people are available for interaction, irrespective of their location or time zone. This is particularly important for government agencies that are often distributed nationally or internationally, with sometimes hundreds of field offices that must share information and work jointly on projects.

There are myriad problems associated with managing email systems; real-time communications systems, such as instant messaging; as well as unified communications, social networking, and the like. As shown in the following table from an Osterman Research survey conducted in 2010, organizations face a variety of problems in this regard.

©2012 Osterman Research, Inc.
Top Ten Security Concerns
(% of respondents rating the concern a serious or very serious problem)

Concern                                                           %
Malware being introduced from employees' Web surfing              56%
Phishing attacks                                                  42%
Data loss from employees sending confidential info via email      41%
Malware being introduced from employees' home computers           40%
Virus/worm/malware infections                                     38%
Users complaining about mailbox quotas                            36%
Breaches of sensitive customer data                               35%
Malware being introduced from employees' personal Webmail         34%
Spam – the amount that your organization receives                 34%
Breaches of sensitive internal data                               34%

Skype is another important service that is finding more users, including those in government. For example, as of mid-2010, there were 560 million total Skype accounts[viii].

SOCIAL NETWORKING TOOLS ARE BECOMING IMPORTANT

Social networking tools are exploding in popularity. Consider the following:

• Facebook had 153.9 million unique visitors in December 2010 in the United States alone, an increase of 38% from December 2009[ix]. December 2010 also saw 26.6 million US visitors and 23.6 million visitors to Twitter, representing increases of 30% and 18%, respectively, compared to a year earlier.
• Further, the penetration of social media sites continues to increase. For example, while the number of unique visitors to Facebook increased by 38% during the year ended December 2010, total minutes spent on the site increased by 79%[x].

Many Federal agencies are significant users of social networking tools. A growing number of Federal agencies have a social networking presence, including the Federal Emergency Management Agency (FEMA), the Centers for Disease Control (CDC), the Department of Homeland Security (DHS), the Environmental Protection Agency (EPA), the National Aeronautics and Space Administration (NASA), the National Science Foundation (NSF), and many others. For example, the Veterans Administration uses social media to develop a consistent voice for its practice and policies and also to obtain feedback on its performance[xi]; FEMA will be expanding its use of social media in order to better respond to disasters[xii].

Some Federal government social networking accounts are among the top sites followed: the NASA Twitter account, for example, has more than 800,000 followers as of February 2010 and ranks 429th out of the millions of accounts on Twitter. The CDC uses social media for distributing information on a variety of health issues and has more than 95,000 followers on Twitter and more than 78,000 "likes" on Facebook. FEMA uses Twitter and Facebook to distribute information on emergency situations and preparedness activities, with more than 30,000 followers on Twitter.
The Growing Risk of Non-Compliance

REGULATIONS GOVERNING USE OF COMMUNICATIONS TOOLS

There are a variety of Federal government regulations and recommendations that focus on the use of communications tools and the output generated by them. Among the more important of these regulations are the following:

• Federal Information Security Management Act of 2002 (FISMA)
  FISMA is a far-reaching law that requires every agency within the United States Federal government to develop and manage an information security plan for every information asset it owns, as well as those that support its operations. A key part of FISMA is the requirement for an annual review by CIOs, inspectors general and others, and submission of this audit to the Office of Management and Budget (OMB). OMB, in turn, prepares a report on information technology compliance for submission to Congress. Key components of FISMA include the requirement that information systems used by the Federal government meet minimum security standards, a system security plan that must be periodically reviewed and updated, and continuous monitoring of key information system components. Important publications that are relevant to all Federal agencies include Special Publication 800-53 (Recommended Security Controls for Federal Information Systems) and Federal Information Processing Standards Publication 200 (Minimum Security Requirements for Federal Information and Information Systems).

• National Industrial Security Program Operating Manual (NISPOM)
  NISPOM was issued as part of the National Industrial Security Program (NISP) to codify the "requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information" by the Federal government. NISPOM is focused on the Executive Branch of the US government and its agencies, and on how information is disclosed to its contractors. Focus areas of NISPOM include Restricted Data, Formerly Restricted Data, sources of intelligence and the methods used to obtain this information, Special Access Program (SAP) information, and Sensitive Compartmented (SC) Information. Management of NISP is the responsibility of the National Security Council. A key part of NISPOM is Chapter 8, Information System Security.

• Director of Central Intelligence Directive 6/3
  This directive created the US government's security policies and procedures for managing classified intelligence information in government-operated information systems, specifically those systems that manage SAP and SC information as noted above. This directive encompasses any information system that involves the management, transmission, storage, interchange or other processing of both voice and data information. As such, it applies to virtually any type of information system that might be operated by the Federal government and that is focused on SAP or SC information.
• National Archives and Records Administration (NARA)
  NARA is the official archivist of the US Federal government. As such, it has been given the responsibility to archive all official records of legislation, executive orders, Federal regulations and other content. NARA has been among the more proactive of the US Federal agencies in terms of how it uses social networking and social media technologies. For example, in 2009, the US National Archives launched a channel on YouTube to make archived content of public interest more accessible, and it launched a Flickr account to share US government-archived photographs with the public.

• National Institute of Standards and Technology (NIST)
  This agency provides guidance to federal agencies for information systems and security policies and procedures, offers technical assistance regarding compliance with various standards, and develops standards for information categorization.

• Other regulations, committees, etc.
  Other regulations focused on Federal information security include:
  o National Security Directive 42 – established what is now known as the Committee on National Security Systems, an interagency organization focused on providing guidance for system security to executive-branch agencies. The committee is represented by several Cabinet-level departments.
  o Public Law 107-347 – established the position of Federal Chief Information Officer within the OMB to oversee the management of electronic systems in use by the Federal government.
  o Directive-Type Memorandum (DTM) 09-026 – focuses on a range of social media, including wikis, blogs, social networks, and other Internet-based capabilities. The DTM imposes restrictions on the use of social media, including requirements for disclaimers when personal opinions are expressed, imposition of records management policies on posted content, and limitations on personal use of these tools.
  o Clinger-Cohen Act – enacted in 1996, this Act focuses on improving the efficiency of the manner in which the Federal government procures and manages its IT resources. While not focused on security issues per se, the Act does focus on information architectures that could have an impact on Federal information security.
  o Information Security and Identity Management Committee – offers a forum to support the Federal CIO Council on matters related to identity management and information security issues.

PROPOSED REGULATIONS

• Secure Federal File Sharing Act (H.R. 4098)
  This Act would require the Director of the OMB to work with the Federal Chief Information Officers Council to issue guidelines on the use of peer-to-peer (P2P) file-sharing programs. This Act contains several provisions, including a) an approval process for P2P file-sharing programs that are necessary for use by Federal agencies, b) prohibition on the use of unauthorized programs by government employees or its contractors, and c) management of P2P file-sharing programs by government employees and contractors on their home computers when used in telecommuting situations.

• United States Information and Communications Enhancement Act of 2009 (S. 921)
  This bill would amend Chapter 35 of Title 44 of the United States Code to improve the US Federal government's awareness of information security policies, practices and procedures. Specifically, the bill would eliminate subchapters II and III from Chapter 35 and replace them with text that focuses on the importance of information security and a recognition that security applies to any information system, including telecommunications systems, among many other provisions. This bill would establish the National Office for Cyberspace.

• Protection of privacy and security for commercial data brokers' information (S. 1490)
  This proposed bill would enhance the punishment for identity theft. Specifically, this bill would impose a fine and/or a prison sentence of up to five years on anyone who has an obligation to report a security breach and fails to do so.

OTHER IMPORTANT CONSIDERATIONS

• GAO Report on Social Media
  In June 2011, the General Accounting Office (GAO) published Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate[xiii]. This report, in response to a request from members of Congress, set out to accomplish two goals: a) study how federal agencies are using commercial social media services, and b) determine the extent of these agencies' policies and procedures for managing social media use. The performance audit, conducted between July 2010 and June 2011 and published in this report, discussed the key challenges that federal agencies face in managing social media use, including fulfilling their records management obligations and the security threats they face when using social media. Moreover, the report provides a set of high-level recommendations for specific government agencies in the context of their social media use.

• Guidelines for Secure Use of Social Media by Federal Departments and Agencies
  This document[xiv], released in September 2009, discusses the risks that government agencies face from the use of social media, Web tools, and other capabilities. It also offers recommendations about how to mitigate these risks, including the creation and enforcement of policies focused on appropriate use of communications tools, acquisition controls that will help agencies to determine the specific types of tools and capabilities that should be implemented, the training that employees should undergo, and the network- and host-level controls that should be implemented to protect against attacks.

• Intelligence Community Directive Number 503
  This document[xv] establishes "Intelligence Community policy for information technology systems security risk management, certification and accreditation." This document focuses on a strategic and holistic process for managing risk among interconnected systems used primarily in the defense and intelligence communities.

• Office of Management and Budget Circular A-123
  This memorandum[xvi], published in late 2004, focuses on internal management controls in Federal agencies necessitated by the passing of the Sarbanes-Oxley (SOX) Act of 2002. In essence, it defines the federal version of SOX.

What You Must Do to Mitigate the Risks

There are several issues that any government agency must address with respect to managing their employees' and others' use of instant messaging, social networking and other tools. We have developed six basic points that every decision maker should seriously consider as they attempt to minimize the risks that their agency faces from unfettered use of these tools, while at the same time maximizing the value they can derive from them.

CONTROL USE OF UNAUTHORIZED TOOLS

An Osterman Research report published in August 2010 found that only 34% of IT decision makers consider Twitter to be a legitimate tool for use in a business context, but 50% allow it to be used in their organizations. We found a similar pattern for a variety of other tools, as shown in the following figure.
[Figure: IT Views on Legitimacy of Various Applications]

As demonstrated in the figure above, IT departments allow far more use of communications and information tools than they consider to be legitimate, resulting in the potential for serious risk if the content from unauthorized use of these tools is not logged or otherwise managed properly. It is imperative that financial services firms implement capabilities that can control use of communications and information tools so that only authorized users can use specific tools.

Underscoring the severity of the problem is a February 2011 Osterman Research survey[xvii] of mid-sized and large organizations in multiple industries that found that relatively few organizations have implemented policies focused on social media and other tools. For example, the survey found that only 18% of organizations have a detailed and thorough policy focused on employees' use of Twitter and Facebook, while only 15% of organizations have such a policy focused on the use of LinkedIn.

LOG ALL CONTENT, INCLUDING POSTS TO SOCIAL NETWORKING SITES

It is absolutely vital to log all content sent through instant messaging clients, unified communications systems, social networking tools and websites, even if the use of these tools is unofficial and not sanctioned formally by either the IT department or an agency's senior management. A failure to log traffic sent to or received from any communications or information venue can result in serious consequences with auditors and others.
For example, an employee of a Federal agency could offer his or her opinion on a pending case via Twitter, perhaps inadvertently, and thereby reveal sensitive information that had not yet been made public. To help manage the use of these tools, the content posted to or received from any social networking, instant messaging, or other tool must be logged so that an agency can a) monitor these communications for policy enforcement purposes, and b) correct errant employee behavior, if only after the fact. However, some tools, such as Twitter, do not offer logging capabilities.

BLOCK THREATS

The threat landscape is becoming significantly more serious on several fronts:

• Social engineering techniques can fool even very experienced users. For example, a Twitter account that becomes infected by a worm can result in tweets sent to hundreds or thousands of individuals. If any of these recipients clicks on a link sent by the compromised account, tens of thousands of users could end up being infected.
• Because the Web and Web 2.0 applications are generally less well-defended than email systems, and because many government users install consumer-oriented Web 2.0 applications on their work or home computers, the Web is a more fertile field for hackers and other criminals.
• Spear phishing, whaling and phishing attacks are becoming more common and more numerous. Some government agencies have been successfully breached via these attacks.

There is a broad range of threats that can be distributed through social networking, instant messaging, unified communications, and other tools. For example, an Osterman Research survey published in August 2010 found that in 12% of organizations, malware had successfully infiltrated the corporate network through Web 2.0 applications during the one-year period ended Spring 2010. Sixty-two percent of organizations had experienced malware infiltration through the Web – often through Web 2.0 applications like Twitter – during the same period.

The key, then, is to monitor the use of all communications venues and block threats from being propagated throughout the network while allowing legitimate traffic to be passed through unencumbered.

PREVENT DATA LEAKAGE

One of the most important capabilities that any agency must enable is the monitoring and prevention of the leakage of sensitive, confidential, or other information that could be damaging to the owner of that information. This might include any information that is overtly sensitive, such as taxpayer information or the healthcare records of Medicare patients. However, it can also include seemingly innocuous posts to Twitter or other social networking sites that recipients could piece together to gather intelligence about an investigation or corporate audit. The bottom line here is that sensitive information of any kind sent through any communications or information channel must be protected.
ARCHIVE CONTENT

Another critical component of any information management strategy is the ability to archive all content sent or received, regardless of the tools that are used to send it. This obviously includes emails, instant messages and other electronic content. The need to archive is driven in no small part by Federal Freedom of Information Act (FOIA) requirements that demand the preservation of content.

INTEGRATE WITH EXISTING ARCHIVING SYSTEMS

Closely related to the point above is that it is imperative not only to archive content for any communications or information system, but also to integrate this archived content with existing archiving tools in the organization. Because Federal agencies must archive content for FOIA compliance, among other reasons, it is clearly a best practice to integrate other content archives into the primary archive already being used. This can save significant amounts of time when searching for content and can ensure a common interface is used to search for and access content, regardless of its source.

Summary

Federal agencies must manage content in a manner that is consistent with the growing number of Federal regulations focused on information security and content retention. This includes the traditional content medium of paper, of course, but more recently, content sent electronically through email and instant messages. However, as modes of communication evolve and new technologies are introduced, users in Federal agencies have been presented with a growing array of new communications alternatives, including unified communications systems that can store voice content as easily as they can retain emails or instant messaging conversations; social networking tools like Twitter, Facebook or LinkedIn; or telephony alternatives like Skype that combine voice and instant messaging capabilities.

While the regulation of these new forms of communication has not always kept pace with their use, there are a variety of reasons for agencies to embrace use of these new technologies in order to reduce costs and provide better customer service. At the same time, however, there are a number of best practices that any Federal agency should follow to ensure that it will be compliant with current and anticipated regulations and that it will minimize the risks associated with use of these tools.

Vantage

Vantage is the de facto platform for granular security and policy controls for real-time communications, providing management for the broadest set of applications and modalities, including Microsoft Lync, public instant messaging platforms such as Windows Live Messenger and Skype, Web conferencing, and industry-focused networks like Thomson Reuters Messenger, Bloomberg, and YellowJacket.
Unified Security Gateway

Actiance Unified Security Gateway (USG) complements Vantage by blocking the use of other applications that bypass corporate security policies and introduce additional risk to the organization. USG provides granular control of Web 2.0 applications, monitoring, securing, and recording content to reduce outbound data leaks and to enable compliance with industry regulations, legal discovery requirements, and corporate policy standards. USG also logs social media conversations in compliance with the strictest requirements for record-keeping and tamper-proof data auditing for customers in highly regulated industries such as financial services, insurance, energy, education, and healthcare.

Insight

Actiance Insight interfaces with USG and Vantage to provide enterprise data visualization of user behavior, browsing patterns, and Web application usage trends. Ideal for managing enterprise networks which encompass multiple locations, the dynamic, multi-dimensional graphical interface provided by Actiance Insight provides complete visibility into Internet and real-time application usage that has not previously been possible with legacy reporting applications for Web security and data compliance.

Socialite

Socialite is Actiance's security, management, and compliance solution for Social Networks, providing granular control of Facebook, LinkedIn, and Twitter. It not only controls access to 180 different features across social networks, but Socialite can also moderate, manage, and archive any social media traffic routed through the solution, which can be either on-premise or hosted.
About Actiance, Inc.

Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance's award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM, and Cisco.

Actiance, Inc.
1301 Shoreway
Suite 275
Belmont, CA 94002
USA
Toll-free: +1 888 349 3223
Phone: +1 650 631 6300
Fax: +1 650 598 2820
info@actiance.com
www.actiance.com

For Web and Unified Communications security news, follow Actiance on Twitter,
© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] Source: PHIPrivacy.net
[v] Source: PHIPrivacy.net
[vi] Source: DataBreaches.net
[vii] Source: FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
[viii] U.S. Digital Year in Review 2010, comScore
[x] U.S. Digital Year in Review 2010, comScore
[xi] Messaging Policy Market Trends 2010-2013, Osterman Research, Inc.