Your SlideShare is downloading. ×
Building A  Modern  Security  Policy For  Social  Media and Government
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Building A Modern Security Policy For Social Media and Government


Published on

In this presentation, we discuss the considerations for an effective social media policy in Government.

In this presentation, we discuss the considerations for an effective social media policy in Government.

Published in: Technology

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Mike’s blog is at teaches for Potomac Forum information for Mike is at the end of this presentation.
  • Dan is the founder of blogs at and http://ArielSilverstone.comDan teaches for Potomac Forum
  • Transcript

    • 1. Building a Modern Security Policy for Social Media
      Page 1
    • 2. Who is Michael Smith?
      • 8 years active duty army
      • 3. Graduate of Russian basic course, Defense Language Institute, Monterey, CA
      • 4. DotCom survivor
      • 5. Infantryman, deployed to Afghanistan (2004)
      • 6. CISSP #50247 (2003), ISSEP (2005)
      • 7. Former CISO, Unisys Federal Service Delivery Center
      • 8. Currently a Manager in a Big Four Firm
    • Who is Dan Philpott?
      • Lifelong technologist ocused on FISMA, cybersecurity, risk management, cloud computing, and social Media
      • 9. CISSP (2007), CAP (2007)
      • 10. Federal Information Security Architect for Tantus Technology
      • 11. Founder of and FISMA arts
    • Goals
      Understand the tradeoff between Security, Transparency, and Engagement
      Provide an understanding of the frameworks social media policy must inhabit
      Describe models of social media policy
      Detail security goals and controls social media policy should address or include
      Page 4
    • 12. A Quick Poll
      Page 5
      • Are you using service provider hosting?
      • 13. Are you using Government-owned hosting?
      • 14. Do you don’t know how/where you’re being hosted?
      • 15. Have you ever ignored the IT Security Staff because they just “get in the way”?
    • Not a Real CISO But It Could Be
      Page 6
      “I’ve spent my entire 30-year career keeping information from getting into the public domain and keeping your desktop safe from all the malware on social media sites. Now you want to take everything and put it there intentionally?”
      The problem for social media practitioners is based on the nature of our security culture.
    • 16. NIST Risk Management Framework
      Page 7
    • 17. Defining the Problem Space: SDLC
      Initiation to O&M is a minimum of 120 days with 6 months being typical. How does this fit into your plans for social media?
      Page 8
    • 18. Understanding Your Objectives
      Page 9
      • Tone: Official v/s comfortable
      • 19. Hosting: CO-CO v/s GO-GO
      • 20. Security: Enabler v/s Roadblock
      • 21. Simplicity: Engagement v/s “Shiny Objects”
      • 22. Be willing to negotiate with the security staff
    • Four-Quadrant Government Social Software Framework1
      Page 10
      More Guidance Exists
      Less Guidance Exists
      1 Social Software and National Security: An Initial Net Assessment, M. Drapeauand L. Wells via Federal CIO Council Guidelines for the Use of Social Media
    • 23. Threat Landscape
      Government to Government:
      Internal social media services within or between agencies
      Government (internally hosted) to Public:
      Social media services on government sites
      Government (externally hosted) to Public:
      External social media services used by the government
      Government users in public:
      Social media services used by government users
      Page 11
    • 24. Getting to a Good SocMed Policy
      Engage early, engage often
      Policy should focus on risk, not technology
      Social media technology changes constantly
      Data protection requirement is constant
      Consider the business case
      Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
      Make risk-based decisions goals
      Page 12
    • 25. Primary Resources
      CIO Council
      Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
      Terms of Service Agreements with New Media Providers
      Records Management Policy and Guidance
      Page 13
    • 26. Primary Resources - FISMA
      NIST SP 800-37 Rev. 1
      DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
      NIST SP 800-39
      DRAFT Managing Risk from Information Systems: An Organizational Perspective
      SP 800-53 Rev. 3
      Recommended Security Controls for Federal Information Systems and Organizations
      Page 14
    • 27. Related Requirements
      Communications Policy
      508 Compliance Policy
      Federal Records Management Policy
      Page 15
    • 28. Risk Management Hierarchy
      Page 16
      • Risk Executive Function
      (Oversight and Governance)
      • Risk Assessment Methodologies
      • 29. Risk Mitigation Approaches
      • 30. Risk Tolerance
      • 31. Risk Monitoring Approaches
      • 32. Linkage to ISO/IEC 27001
      Risk Management Strategy
      TIER 1
      SP 800-39
      TIER 2
      Mission / Business Process
      TIER 3
      Information System
    • 33. Risk Management Hierarchy
      Page 17
      Risk Management Strategy
      TIER 1
      SP 800-39
      TIER 2
      Mission / Business Process
      TIER 3
      Information System
      • Mission / Business Processes
      • 34. Information Flows
      • 35. Information Categorization
      • 36. Information Protection Strategy
      • 37. Information Security Requirements
      • 38. Linkage to Enterprise Architecture
    • Risk Management Hierarchy
      Page 18
      • Linkage to SDLC
      • 39. Information System Categorization
      • 40. Selection of Security Controls
      • 41. Security Control Allocation
      and Implementation
      • Security Control Assessment
      • 42. Risk Acceptance
      • 43. Continuous Monitoring
      TIER 1
      SP 800-37
      TIER 2
      Mission / Business Process
      Risk Management Framework
      TIER 3
      Information System
    • 44. Policy Controls
      Social Media Communications Strategy
      Acceptable Use Policies (AUP)
      Content Filtering and Monitoring
      Privacy and Security Support
      Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management
      Page 19
    • 45. Policy Controls – NIST Guidance
      AC-20 Use of External Information Systems
      AC-22 Publicly Accessible Content
      IA-2 Identification and Authentication (Organizational Users)
      IA-5 Authenticator Management
      IA-7 Cryptographic Module Authentication
      IA-8 Identification and Authentication (Non-Organizational Users)
      Page 20
    • 46. Policy Controls – NIST Guidance
      IR-5 Incident Monitoring
      IR-6 Incident Reporting
      IR-7 Incident Response Assistance
      IR-8 Incident Response Plan
      PL-4 Rules of Behavior
      PL-5 Privacy Impact Assessment
      RA-1 Risk Assessment Policy and Procedures
      SI-12 Information Output Handling and Retention
      Page 21
    • 47. Acquisition Controls
      Strong Authentication
      Social Media services security practice
      Comment moderation and monitoring social media
      Ensure federal security requirements are met by using dedicated resources from vendors
      Modify user’s public profiles from .gov or .mil email addresses to provide stronger security
      Page 22
    • 48. Acquisition Controls
      Partner with social media services to:
      Provide traceability to federal employee accounts
      Improve communications between providers and Security Operations Centers (SOC)
      Allow independent monitoring of social media service providers
      Encourage use of validated and signed code
      Ensure social media provider maintains appropriate configuration, patch and technology refresh levels
      Page 23
    • 49. Acquisition Controls
      Ensure an independent risk assessment
      Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
      Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats
      Page 24
    • 50. Acquisition Controls – NIST Guidance
      SA-1 System and Services Acquisition Policy and Procedures
      SA-2 Allocation of Resources
      SA-3 Life Cycle Support
      SA-4 Acquisitions
      SA-5 Information System Documentation
      SA-9 External Information System Services
      Page 25
    • 51. Acquisition Controls – GSA Guidance
      Terms of Service Agreements
      Social media services standard Terms of Service (TOS) Agreements present legal problems
      Many services are free, making it hard to encourage services to negotiate new TOS
      On behalf of the government, GSA has negotiated new TOS for many social media services
      Page 26
    • 52. Training Controls
      Provide awareness, guidance and training on:
      Information to that can be shared, can not be shared and with whom it can be shared
      Social media policies and guidelines including AUP
      Blurring of personal and professional life as appropriate
      For Operations Security (OPSEC) on risks of social media
      Federal employees self-identification on social media sites, depending on roles
      Page 27
    • 53. Training Controls
      Provide awareness, guidance and training on:
      Privacy Act requirements and restrictions
      Specific social media threats before granting access to social media sites
      Possible negative outcomes of information leakage, social media misuse and password reuse
      Possible impact on security clearance
      Page 28
    • 54. Training Controls – NIST Guidance
      AT-2 Security Awareness:
      Add social media usage related awareness training
      AT-3 Security Training:
      Create specific role-based training for those with social media responsibility
      AT-5 Contacts with Security Groups and Associations:
      Establish contacts with security groups addressing web application and social media security
      Page 29
    • 55. Host Controls
      Require use of a hardened Common Operating Environment (COE):
      Federal Desktop Core Configuration (FDCC)
      Security Content Automation Protocol (SCAP)
      Encourage use of strong authentication for greater assurance of a user’s identity:
      Two-factor authentication (e.g., HSPD-12 & PIN)
      Page 30
    • 56. Host Controls
      Ensure strong change management, patch management, configuration management:
      Includes applications and Operating Systems
      Enforces strong logging
      Reports to SOC
      Desktop virtualization technologies:
      Allows safer viewing of potentially malicious websites
      Virtual sandbox protects base operating system
      Page 31
    • 57. Host Controls
      Browser versioning:
      Ensure use latest browsers which include additional security measures
      Encourage use of signed code or white listing:
      Provides higher level of assurance software comes from approved vendor or is approved software
      Page 32
    • 58. Host Controls – NIST Guidance
      Audit and Accountability (AU) Family of controls, as applicable
      AC-1 Access Control Policy and Procedures
      AC-7 System Use Notification
      CM-1 Configuration Management Policy and Procedures
      CM-2 Baseline Configuration
      CM-6 Configuration Settings
      CM-7 Least Functionality
      Page 33
    • 59. Host Controls – NIST Guidance
      • SA-7 User-Installed Software
      SI-1 System and Information Integrity Policy and Procedures
      SI-2 Flaw Remediation
      SI-3 Malicious Code Protection
      SI-5 Security Alerts, Advisories, and Directives
      Page 34
    • 60. Network Controls
      Federal Trusted Internet Connection (TIC) program protections:
      Reduced number of internet connections
      Einstein traffic inspection
      Security Operations Center (SOC) and Network Operations Center (NOC):
      Visibility and centralized control for incident response and risk reduction
      These should all be provided to you as “infrastructure”
      Page 35
    • 61. Network Controls
      Web content filtering:
      Beyond Einstein protections
      Granular control of web applications, data and protocols
      Trust Zones dependent on security assurance requirements
      DNSSEC to better ensure website name resolution integrity
      Page 36
    • 62. Network Controls
      Focus on data-centric protection
      URL Shortening:
      Page 37
    • 63. Network Controls – NIST Guidance
      SC-1 System and Communications Protection Policy and Procedures
      SC-7 Boundary Protection
      SC-13 Use of Cryptography
      SC-14 Public Access Protections
      SC-15 Collaborative Computing Devices
      SC-20 Secure Name /Address Resolution Service (Authoritative Source)
      Page 38
    • 64. Questions, Comments, or War Stories?
      Michael Smith: rybolov(a)
      Dan Philpott: danphilpott(a)