Bridging the Social Media Implementation/Audit Gap
Jerod Brennen, CISSP
CTO and Principal Security Consultant, Jacadis
Agenda
• Perspective
• Preparation
• Implementation
• Monitoring
• Resources
The Five W’s
• Who?
• What?
• When?
• Where?
• Why?
• How?

[Image courtesy of Master Isolated Images / FreeDigitalPhotos.net]
Strategy (Who + Why + When)
• Risk vs. Reward
▫ Customer interaction
▫ Revenue streams
▫ Malware attack vectors
▫ Legal and HR concerns

• While revenue may be on the rise…
▫ … so are social engineering attacks

Image from http://www.isaca.org/About-ISACA/Pressroom/News-Releases/2010/PublishingImages/SocialMedia-Business-Risks.JPG
Risk vs. Reward
Risks
• Disclosure of corporate assets and sensitive (privileged) information accessible to unauthorized parties
• Violations of legal and regulatory requirements
• Loss of competitive advantage
• Loss of customer confidence
• Loss of reputation
• Dissemination of false or fraudulent information
• Inappropriate or unapproved use of company intellectual property such as logos or trademarked material

Rewards
• Increasing brand recognition
• Increasing sales
• Immediately connecting with prospective customers
• Exploring new advertising channels
• Monitoring competition
• Researching prospective employees

From WAPSM-Social-Media-Research-1Feb2011.doc, pages 11-12
Regulatory Concerns
• FINRA (Financial Industry Regulatory Authority)
▫ Regulatory Notice 10-06
▫ Regulatory Notice 11-39

• Advertisements
▫ Public websites & banner ads

• Sales Literature
▫ Email or IM to 25+ prospective retail customers
▫ Password-protected websites

• Correspondence
▫ Email or IM to 1 customer
▫ Email or IM to 1+ existing customers and/or <25 prospective retail customers

• Public Appearances
▫ “Content posted in a real-time interactive electronic forum”

From http://www.finra.org/industry/issues/advertising/p006118
Scope (What + Where)
Scope, per ISACA
• Current social media tools include:
▫ Blogs (e.g., WordPress, Drupal™, TypePad®)
▫ Microblogs (e.g., Twitter, Tumblr)
▫ Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)
▫ Online communication systems (e.g., Skype™)
▫ Image and video sharing sites (e.g., Flickr®, YouTube)
▫ Social networking sites (e.g., Facebook, MySpace)
▫ Professional networking sites (e.g., LinkedIn, Plaxo)
▫ Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)
▫ Online collaboration sites (e.g., Huddle)

From WAPSM-Social-Media-Research-1Feb2011.doc, page 11
Implementation (How)
• Begin at the beginning
▫ Meet with Marketing, HR, Legal, and IT to discuss risks and benefits

• Define policy
▫ More on this later…

• Document training requirements
▫ Employees
▫ Consultants & Contractors
▫ Vendors & Partners

• Document procedures and controls
▫ Access Requests
▫ Monitoring
▫ Assessing
Audit/Assurance Program (1 of 3)
• Available at http://www.isaca.org/Knowledge-Center/ITAF-ITAssurance-Audit-/Audit-Programs/Documents/WAPSM-SocialMedia-Research-1Feb2011.doc
• Aligned with COBIT (cross-references)
• Planning and Scoping the Audit
▫ Define the audit/assurance objectives
▫ Define the boundaries of the review
▫ Identify and document risk
▫ Define the change process
▫ Define assignment success
▫ Define the audit/assurance resources required
▫ Define deliverables
▫ Communicate
Audit/Assurance Program (2 of 3)
• Strategy and Governance
▫ Risk Management
▫ Policies

• People
▫ HR Function
▫ Training/Awareness
▫ Staffing
Audit/Assurance Program (3 of 3)
• Processes
▫ Social Media Alignment With Business Processes
▫ Social Media Brand Protection
▫ Access Management of Social Media Data

• Technology
▫ Social Media Technology Infrastructure
▫ Monitoring Social Media and Effect on Technology
Policy and Training
• Personal use in the workplace:
▫ Whether it is allowed
▫ The nondisclosure/posting of business-related content
▫ The discussion of workplace-related topics
▫ Inappropriate sites, content or conversations

• Personal use outside the workplace:
▫ The nondisclosure/posting of business-related content
▫ Standard disclaimers if identifying the employer
▫ The dangers of posting too much personal information

• Business use:
▫ Whether it is allowed
▫ The process to gain approval for use
▫ The scope of topics or information permitted to flow through this channel
▫ Disallowed activities (installation of applications, playing games, etc.)
▫ The escalation process for customer issues

From http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper26-May10-Research.pdf?id=c1f7b9d8-516d-40c1-8087-e3b0e6cd138c
Recurring Assessments
• Risk Assessment
▫ SOX, PCI, HIPAA, etc.
▫ Did your previous assessment(s) include social media?

• Penetration Test
▫ Is social engineering in-scope?
Preventative Controls
• Antivirus > Endpoint Security
▫ Prevent devices from being infected with malware
▫ Also, host-based firewall and URL filtering

• URL Filtering
▫ Prohibit access to certain websites from corporate devices

• Training
▫ How to use social media responsibly
▫ How to identify and respond to social engineering attacks

• Data Loss/Leakage Prevention
▫ Prevent sensitive corporate information from being transmitted via email, instant messaging, file uploads, etc.
Detective Controls
• Content Filtering
▫ Configure email and web security solution to monitor for patterns in outbound messages

• Google Hacking
▫ Using powerful customized Google search queries to gather information

• Monitoring Tools (e.g., Maltego)
▫ Open source intelligence and forensics tool

• Monitoring Services (e.g., RiskIQ)
▫ Monitor web-based content for threats and fraud
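As an added illustration of the Data Loss/Leakage Prevention and Content Filtering bullets (this is not code from the original slides), the rule set below scans a few constructed outbound email, IM and upload messages for a policy classification marker and for card-like numbers, using a Luhn check to drop digit runs that only look like card numbers. The marker words, sample addresses and rule names are assumptions for the example.

```python
import re

# Constructed sample outbound messages (not from the original slide deck).
SAMPLE_MESSAGES = [
    {"channel": "email", "sender": "alice@example.com",
     "body": "Lunch at noon?"},
    {"channel": "im", "sender": "bob@example.com",
     "body": "CONFIDENTIAL - INTERNAL USE ONLY: Q3 forecast attached"},
    {"channel": "upload", "sender": "carol@example.com",
     "body": "card 4111 1111 1111 1111 exp 12/29"},
    {"channel": "email", "sender": "dave@example.com",
     "body": "order ref 1234 5678 9012 3456"},   # 16 digits, but fails Luhn
]

# Hypothetical rule set: markers the written policy defines, plus card-like numbers.
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL USE ONLY|PRIVILEGED)\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects digit runs that merely resemble card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(msg: dict) -> list:
    """Return the names of the rules a single outbound message violates."""
    hits = []
    if MARKER_RE.search(msg["body"]):
        hits.append("classification_marker")
    if any(luhn_ok(m) for m in CARD_RE.findall(msg["body"])):
        hits.append("card_number")
    return hits


def scan_outbound(messages: list) -> list:
    """Run the rule set over every channel; one finding per flagged message."""
    findings = []
    for msg in messages:
        hits = scan_message(msg)
        if hits:
            findings.append({"channel": msg["channel"], "sender": msg["sender"], "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_outbound(SAMPLE_MESSAGES):
        print(f"{f['channel']:7} {f['sender']:20} {', '.join(f['rules'])}")
```

The fourth message shows why the checksum matters: without it, an order reference would be flagged as a card number, and a noisy rule is one that gets switched off.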
Resources
• ISACA documents
▫ Social Media Audit/Assurance Program
  http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/AuditPrograms/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
▫ Social Media: Business Benefits and Security, Governance, and Assurance Perspectives
  http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-WhPaper-26-May10-Research.pdf

• Related Documents
▫ CDC – Social Media Security Mitigations
  http://www.cdc.gov/socialmedia/tools/guidelines/pdf/securitymitigations.pdf
▫ Ponemon – Global Survey on Social Media Risks
  http://www.websense.com/content/ponemon-institute-research-report-2011.aspx
▫ Social Media Standard, State of California
  http://www.cio.ca.gov/Government/IT_Policy/pdf/SIMM_66B.pdf
▫ Wikipedia – List of Active Social Networking Sites
  http://en.wikipedia.org/wiki/List_of_social_networking_websites
Resources
• FINRA
▫ Regulatory Notice 10-06
  http://www.finra.org/Industry/Regulation/Notices/2010/P120760
▫ Regulatory Notice 11-39
  http://www.finra.org/Industry/Regulation/Notices/2011/P124187
▫ Advertising Information
  http://www.finra.org/Industry/Issues/Advertising/index.htm

• Securing Social Media Profiles
▫ Facebook
  http://slandail.posterous.com/four-steps-to-secure-your-facebook-profile
▫ Twitter
  http://www.mediabistro.com/alltwitter/twitter-security-101_b11985
▫ LinkedIn
  http://www.cio.com/article/485489/LinkedIn_Privacy_Settings_What_You_Need_to_Know
Resources
• Securing Corporate Blogs
▫ Hardening WordPress
  http://codex.wordpress.org/Hardening_WordPress
▫ 11 Best Ways to Improve WordPress Security
  http://www.problogdesign.com/wordpress/11-best-ways-to-improvewordpress-security/

• Tools and Services
▫ Google Hacking Database (GHDB)
  http://www.hackersforcharity.org/ghdb/
▫ Maltego
  http://www.paterva.com/web5/
▫ Risk IQ
  http://www.riskiq.com/
▫ Jacadis
  http://www.jacadis.com/
Questions?
Jerod Brennen, CISSP
contact@jacadis.com
614.819.0151
http://www.linkedin.com/in/slandail
http://twitter.com/#!/slandail
