Building A Modern Security Policy For Social Media and Government



In this presentation, we discuss the considerations for an effective social media policy in Government.

Published in: Technology
  • Mike’s blog is at [link not captured]; Mike teaches for Potomac Forum. Contact information for Mike is at the end of this presentation.
  • Dan is the founder of [not captured] and blogs at [not captured] and http://ArielSilverstone.com. Dan teaches for Potomac Forum.

Transcript: Building A Modern Security Policy For Social Media and Government

    1. Building a Modern Security Policy for Social Media

    2. Who is Michael Smith?
       • 8 years active duty army
       • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
       • DotCom survivor
       • Infantryman, deployed to Afghanistan (2004)
       • CISSP #50247 (2003), ISSEP (2005)
       • Former CISO, Unisys Federal Service Delivery Center
       • Currently a Manager in a Big Four Firm

    3. Who is Dan Philpott?
       • Lifelong technologist focused on FISMA, cybersecurity, risk management, cloud computing, and social media
       • CISSP (2007), CAP (2007)
       • Federal Information Security Architect for Tantus Technology
       • Founder of and FISMA arts

    4. Goals
       • Understand the tradeoff between Security, Transparency, and Engagement
       • Provide an understanding of the frameworks social media policy must inhabit
       • Describe models of social media policy
       • Detail security goals and controls social media policy should address or include

    5. A Quick Poll
       • Are you using service provider hosting?
       • Are you using Government-owned hosting?
       • Do you not know how or where you’re being hosted?
       • Have you ever ignored the IT Security Staff because they just “get in the way”?

    6. Not a Real CISO But It Could Be
       “I’ve spent my entire 30-year career keeping information from getting into the public domain and keeping your desktop safe from all the malware on social media sites. Now you want to take everything and put it there intentionally?”
       The problem for social media practitioners is based on the nature of our security culture.

    7. NIST Risk Management Framework
       [Figure: NIST Risk Management Framework diagram]

    8. Defining the Problem Space: SDLC
       Initiation to O&M is a minimum of 120 days, with 6 months being typical. How does this fit into your plans for social media?

    9. Understanding Your Objectives
       • Tone: Official vs. comfortable
       • Hosting: CO-CO vs. GO-GO (contractor-owned, contractor-operated vs. government-owned, government-operated)
       • Security: Enabler vs. Roadblock
       • Simplicity: Engagement vs. “Shiny Objects”
       • Be willing to negotiate with the security staff

    10. Four-Quadrant Government Social Software Framework¹
       [Figure: four-quadrant diagram. Axes: Sharing Direction (Internal / External) and Interaction Level (Group / Individual). Annotations: “More Guidance Exists”, “Less Guidance Exists”.]
       ¹ Social Software and National Security: An Initial Net Assessment, M. Drapeau and L. Wells, via Federal CIO Council Guidelines for the Use of Social Media

    11. Threat Landscape
       • Government to Government: internal social media services within or between agencies
       • Government (internally hosted) to Public: social media services on government sites
       • Government (externally hosted) to Public: external social media services used by the government
       • Government users in public: social media services used by government users

    12. Getting to a Good SocMed Policy
       • Engage early, engage often
       • Policy should focus on risk, not technology: social media technology changes constantly; the data protection requirement is constant
       • Consider the business case
       • Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation
       • Make risk-based decisions on goals

    13. Primary Resources
       • CIO Council: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0
       • GSA: Terms of Service Agreements with New Media Providers
       • NARA: Records Management Policy and Guidance

    14. Primary Resources - FISMA
       • NIST SP 800-37 Rev. 1: DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
       • NIST SP 800-39: DRAFT Managing Risk from Information Systems: An Organizational Perspective
       • NIST SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organizations

    15. Related Requirements
       • Communications Policy
       • 508 Compliance Policy
       • Federal Records Management Policy

    16. Risk Management Hierarchy (NIST SP 800-39, Tier 1: Organization)
       [Figure: three-tier hierarchy; Tier 1 Organization, Tier 2 Mission / Business Process, Tier 3 Information System; Risk Management Strategy]
       • Risk Executive Function (Oversight and Governance)
       • Risk Assessment Methodologies
       • Risk Mitigation Approaches
       • Risk Tolerance
       • Risk Monitoring Approaches
       • Linkage to ISO/IEC 27001

    17. Risk Management Hierarchy (NIST SP 800-39, Tier 2: Mission / Business Process)
       [Figure: same three-tier hierarchy diagram as slide 16]
       • Mission / Business Processes
       • Information Flows
       • Information Categorization
       • Information Protection Strategy
       • Information Security Requirements
       • Linkage to Enterprise Architecture

    18. Risk Management Hierarchy (NIST SP 800-37, Tier 3: Information System)
       [Figure: three-tier hierarchy; Tier 1 Organization, Tier 2 Mission / Business Process, Tier 3 Information System; Risk Management Framework]
       • Linkage to SDLC
       • Information System Categorization
       • Selection of Security Controls
       • Security Control Allocation and Implementation
       • Security Control Assessment
       • Risk Acceptance
       • Continuous Monitoring

    19. Policy Controls
       • Social Media Communications Strategy
       • Acceptable Use Policies (AUP)
       • Content Filtering and Monitoring
       • Privacy and Security Support
       • Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management

    20. Policy Controls – NIST Guidance
       • AC-20 Use of External Information Systems
       • AC-22 Publicly Accessible Content
       • IA-2 Identification and Authentication (Organizational Users)
       • IA-5 Authenticator Management
       • IA-7 Cryptographic Module Authentication
       • IA-8 Identification and Authentication (Non-Organizational Users)

    21. Policy Controls – NIST Guidance
       • IR-5 Incident Monitoring
       • IR-6 Incident Reporting
       • IR-7 Incident Response Assistance
       • IR-8 Incident Response Plan
       • PL-4 Rules of Behavior
       • PL-5 Privacy Impact Assessment
       • RA-1 Risk Assessment Policy and Procedures
       • SI-12 Information Output Handling and Retention

    22. Acquisition Controls
       • Strong authentication
       • Social media service security practices
       • Comment moderation and monitoring of social media
       • Ensure federal security requirements are met by using dedicated resources from vendors
       • Modify users’ public profiles from .gov or .mil email addresses to provide stronger security

    23. Acquisition Controls
       Partner with social media services to:
       • Provide traceability to federal employee accounts
       • Improve communications between providers and Security Operations Centers (SOC)
       • Allow independent monitoring of social media service providers
       • Encourage use of validated and signed code
       • Ensure the social media provider maintains appropriate configuration, patch and technology refresh levels

    24. Acquisition Controls
       • Ensure an independent risk assessment
       • Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds
       • Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats

    25. Acquisition Controls – NIST Guidance
       • SA-1 System and Services Acquisition Policy and Procedures
       • SA-2 Allocation of Resources
       • SA-3 Life Cycle Support
       • SA-4 Acquisitions
       • SA-5 Information System Documentation
       • SA-9 External Information System Services

    26. Acquisition Controls – GSA Guidance
       Terms of Service Agreements
       • Social media services’ standard Terms of Service (TOS) agreements present legal problems
       • Many services are free, making it hard to persuade services to negotiate new TOS
       • On behalf of the government, GSA has negotiated new TOS for many social media services

    27. Training Controls
       Provide awareness, guidance and training on:
       • Information that can be shared, cannot be shared, and with whom it can be shared
       • Social media policies and guidelines, including AUP
       • Blurring of personal and professional life, as appropriate
       • Operations Security (OPSEC) risks of social media
       • Federal employees’ self-identification on social media sites, depending on roles

    28. Training Controls
       Provide awareness, guidance and training on:
       • Privacy Act requirements and restrictions
       • Specific social media threats, before granting access to social media sites
       • Possible negative outcomes of information leakage, social media misuse and password reuse
       • Possible impact on security clearance

    29. Training Controls – NIST Guidance
       • AT-2 Security Awareness: add social media usage related awareness training
       • AT-3 Security Training: create specific role-based training for those with social media responsibility
       • AT-5 Contacts with Security Groups and Associations: establish contacts with security groups addressing web application and social media security

    30. Host Controls
       • Require use of a hardened Common Operating Environment (COE): Federal Desktop Core Configuration (FDCC); Security Content Automation Protocol (SCAP)
       • Encourage use of strong authentication for greater assurance of a user’s identity: two-factor authentication (e.g., HSPD-12 & PIN)

    31. Host Controls
       • Ensure strong change management, patch management and configuration management: includes applications and operating systems; enforces strong logging; reports to SOC
       • Desktop virtualization technologies: allow safer viewing of potentially malicious websites; a virtual sandbox protects the base operating system

    32. Host Controls
       • Browser versioning: ensure use of the latest browsers, which include additional security measures
       • Encourage use of signed code or whitelisting: provides a higher level of assurance that software comes from an approved vendor or is approved software

    33. Host Controls – NIST Guidance
       • Audit and Accountability (AU) family of controls, as applicable
       • AC-1 Access Control Policy and Procedures
       • AC-7 System Use Notification
       • CM-1 Configuration Management Policy and Procedures
       • CM-2 Baseline Configuration
       • CM-6 Configuration Settings
       • CM-7 Least Functionality

    34. Host Controls – NIST Guidance
       • SA-7 User-Installed Software
       • SI-1 System and Information Integrity Policy and Procedures
       • SI-2 Flaw Remediation
       • SI-3 Malicious Code Protection
       • SI-5 Security Alerts, Advisories, and Directives

    35. Network Controls
       • Federal Trusted Internet Connection (TIC) program protections: reduced number of internet connections; Einstein traffic inspection
       • Security Operations Center (SOC) and Network Operations Center (NOC): visibility and centralized control for incident response and risk reduction
       • These should all be provided to you as “infrastructure”

    36. Network Controls
       • Web content filtering: beyond Einstein protections; granular control of web applications, data and protocols
       • Trust zones dependent on security assurance requirements
       • DNSSEC to better ensure website name resolution integrity

    37. Network Controls
       • Focus on data-centric protection
       • URL Shortening:

    38. Network Controls – NIST Guidance
       • SC-1 System and Communications Protection Policy and Procedures
       • SC-7 Boundary Protection
       • SC-13 Use of Cryptography
       • SC-14 Public Access Protections
       • SC-15 Collaborative Computing Devices
       • SC-20 Secure Name/Address Resolution Service (Authoritative Source)

    39. Questions, Comments, or War Stories?
       Michael Smith: rybolov(a)
       Dan Philpott: danphilpott(a)