Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications

WHITE PAPER

Important Issues for Federal Agencies
to Consider When Using Social Media
and Unified Communications
ON An Osterman Research White Paper
Published February 2012

SPONSORED BY

sponsored by
SPON

sponsored by
Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • info@ostermanresearch.com
www.ostermanresearch.com • twitter.com/mosterman

Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications

Why You Should Read This White Paper
FEDERAL AGENCIES ARE AT RISK
A July 2007 United States Government Accountability Office (GAO) reporti found that
almost all of the 24 major US federal agencies had significant information security
control vulnerabilities, most notably focused on access control, continuity of operations
and configuration management. The report found that these security holes could put at
risk, among other items, federal payments and collections, critical defense and
emergency services operations, sensitive taxpayer data and Social Security records, and
agency missions of various types.

The US Federal government is the United States’ largest single employer, employing
2.15 million people in 2010, or 1.6% of the US workforceii. Information security is of
vital importance to the Federal government, partly because of the very large amount of
sensitive data that the US government has under its control. For example, the US
government maintains tax records on most individuals living in the United States, it
maintains health records for tens of millions of Americans, and it maintains a variety of
other types of protected information.

DATA BREACHES ARE NOT UNCOMMON IN THE FEDERAL GOVERNMENT
Not surprisingly, there have been a sizable number of data breaches that have occurred
within the US government, some recent examples of which are shown below:

• In late October 2010, the General Services Administration (GSA) announced that six
weeks earlier an employee of the GSA emailed the names and Social Security
numbers of all 12,000+ staff members at the GSA to a personal email addressiii.

• A report in January 2011 showed that a client computer at the Veteran’s Affairs
Medical Center in White River Junction, VT, allowed individuals to anonymously log
onto a network, giving them access to sensitive patient informationiv.

• The Orthopedics department of a Veteran’s Affairs facility in Chicago, IL, used
Yahoo! to track patient scheduling, including the names, dates and types of surgery
performed on 878 patients. This began in July 2007 and was shut down only in late
November 2010v.

• A report in December 2010 showed that a subcontractor for the Social Security
Administration Office of Temporary Disability Assistance in New York, NY, accessed
and stored roughly 15,000 Social Security numbers, including (possibly) the
addresses, telephone numbers and birthdates of these individualsvi.

• In June 2010, a partial search of the National Highway Traffic Safety Administration’s
public complaint database revealed the names, addresses, birthdates, vehicle
identification numbers and driver’s license numbers in up to 792,000 complaint
cases.

As a result of the growing potential for data breaches, the increasing number of
information tools and assets maintained by the Federal government, as well as a general

©2012 Osterman Research, Inc. 1


recognition that information security is critically important from a national security
perspective, the US government has been ratcheting up its information security posture
over the past decade. For example, the US government spent roughly $68 billion on
information technology and $6.2 billion on information security in 2008 alonevii. These
figures are expected to increase significantly over the next several years.

ABOUT THIS WHITE PAPER
This white paper sets out to do the following:

• Discuss some of the technologies in use by the US Federal government

• Offer an overview of some of the variety of regulations imposed upon Federal
agencies

• Offer advice on what Federal agencies should do to mitigate the risks created by use
of established and new communications technologies

This white paper also discusses the sponsor of this white paper, Actiance, and its
offerings that specifically address the security and compliance issues addressed in this
document.

Communications Practices in the Federal Government
GROWING ADOPTION OF UNIFIED COMMUNICATIONS
Both voicemail integration and enterprise instant messaging hold the promise of
speeding up processes and streamlining communication between people in many
industries, particularly in the Federal government, given its size and the scope of the
services it offers. Voicemail integration with email inboxes means that end users can
get their voicemail from wherever they receive their email, thus eliminating voice
messages as a separate and siloed repository. Enterprise instant messaging, when
combined with presence, gives a clear indication of when people are available for
interaction, irrespective of their location or time zone. This is particularly important for
government agencies that are often distributed nationally or internationally with
sometimes hundreds of field offices that must share information and work jointly on
projects.

There are myriad problems associated with managing email systems; real-time
communications systems, such as instant messaging; as well as unified communications,
social networking, and the like. As shown in the following table from an Osterman
Research survey conducted in 2010, organizations face a variety of problems in this
regard.



Top Ten Security Concerns
% Responding a Serious or Very Serious Concerns

Problem %
Malware being introduced from employees’ Web surfing 56%
Phishing attacks 42%
Data loss from employees sending confidential info via email 41%
Malware being introduced from employees’ home computers 40%
Virus/worm/malware infections 38%
Users complaining about mailbox quotas 36%
Breaches of sensitive customer data 35%
Malware being introduced from employees’ personal Webmail 34%
Spam – the amount that your organization receives 34%
Breaches of sensitive internal data 34%

Skype is another important service that is finding more users, including those in
government. For example, as of mid-2010, there were 560 million total Skype
accountsviii.

SOCIAL NETWORKING TOOLS ARE BECOMING IMPORTANT
Social networking tools are exploding in popularity. Consider the following:

• Facebook had 153.9 million unique visitors in December 2010 in the United States
alone, an increase of 38% from December 2009ix. December 2010 also saw 26.6
million US visitors and 23.6 million visitors to Twitter, representing increases of 30%
and 18%, respectively, compared to a year earlier.

• Further, the penetration of social media sites continues to increase. For example,
while the number of unique visitors to Facebook increased by 38% during the year
ended December 2010, total minutes spent on the site increased by 79%x.

Many Federal agencies are significant users of social networking tools. A growing
number of Federal agencies have a social networking presence, including the Federal
Emergency Management Agency (FEMA), the Centers for Disease Control (CDC), the
Department of Homeland Security (DHS), the Environmental Protection Agency (EPA),
the National Aeronautics and Space Administration (NASA), the National Science
Foundation (NSF), and many others. For example, the Veteran’s Administration uses
social media to develop a consistent voice for its practice and policies and also to obtain
feedback on its performancexi; FEMA will be expanding its use of social media in order to
better respond to disastersxii.

Some Federal government social networking accounts are among the top sites followed:
the NASA Twitter account, for example, has more than 800,000 followers as of February
2010 and ranks 429th out of the millions of accounts on Twitter. The CDC uses social
media for distributing information on a variety of health issues and has more than
95,000 followers on Twitter and more than 78,000 “likes” on Facebook. FEMA uses
Twitter and Facebook to distribute information on emergency situations and
preparedness activities with more than 30,000 followers on Twitter.



The Growing Risk of Non-Compliance
REGULATIONS GOVERNING USE OF COMMUNICATIONS TOOLS
There are a variety of Federal government regulations and recommendations that focus
on the use of communications tools and the output generated by them. Among the
more important of these regulations are the following:

• Federal Information Security Management Act of 2002 (FISMA)
FISMA is a far-reaching law that requires every agency within the United States
Federal government to develop and manage an information security plan for every
information asset it owns, as well as those that support its operations. A key part of
FISMA is the requirement for an annual review by CIOs, inspectors general and
others, and a submission of this audit to the Office of Management and Budget
(OMB). OMB, in turn, prepares a report on information technology compliance for
submission to Congress.

Key components of FISMA include the ability for information systems used by the
Federal government to meet minimum security standards, a system security plan
that must be periodically reviewed and updated, and continuous monitoring of key
information system components. Important publications that are relevant to all
Federal agencies include Special Publication 800-53 (Recommended Security
Controls for Federal Information Systems) and Federal Information Processing
Standards Publication 200 (Minimum Security Requirements for Federal Information
and Information Systems).

• National Industrial Security Operating Manual (NISPOM)
NISPOM was issued as part of the National Industrial Security Program (NISP) to
codify the “requirements, restrictions, and other safeguards to prevent unauthorized
disclosure of classified information” by the Federal government. NISPOM is focused
on the Executive Branch of the US government and its agencies and focuses on how
information is disclosed to its contractors. Focus areas of NISPOM include Restricted
Data, Formerly Restricted Data, sources of intelligence and the methods used to
obtain this information, Special Access Program (SAP) information, and Sensitive
Compartmented (SC) Information. Management of NISP is the responsibility of the
National Security Council. A key part of NISPOM is Chapter 8, Information System
Security.

• Director of Central Intelligence Directive 6/3
This directive created the US government’s security policies and procedures for
managing classified intelligence information in government-operated information
systems, specifically those systems that manage SAP and SC information as noted
above. This directive encompasses any information system that involves the
management, transmission, storage, interchange or other processing of both voice
and data information. As such, it applies to virtually any type of information system
that might be operated by the Federal government that is focused on SAP or SC
information.



• National Archives and Records Administration (NARA)
NARA is the official archivist of the US Federal government. As such, it has been
given the responsibility to archive all official records of legislation, executive orders,
Federal regulations and other content. NARA has been among the more proactive of
the US Federal agencies in terms of how it uses social networking and social media
technologies. For example, in 2009, the US National Archives launched a channel on
YouTube to make archived content of public interest more accessible, and it
launched a Flickr account to share US government-archived photographs with the
public.

• National Institute of Standards and Technology (NIST)
This agency provides guidance to federal agencies for information systems and
security policies and procedures, offers technical assistance regarding compliance
with various standards, and it develops standards for information categorization.

• Other regulations, committees, etc.
Other regulations focused on Federal information security include:

o National Security Directive 42 – established what is now known as the
Committee on National Security Systems, an interagency organization focused on
providing guidance for system security to executive-branch agencies. The
committee is represented by several Cabinet-level departments.

o Public Law 107-347 – established the position of Federal Chief Information
Officer within the OMB to oversee the management of electronic systems in use
by the Federal government.

o Directive-Type Memorandum (DTM) 09-026– focuses on a range of social
media, including wikis, blogs, social networks, and other Internet-based
capabilities. The DTM imposes restrictions on the use of social media, including
requirements for disclaimers when personal opinions are expressed, imposition of
records management policies on posted content, and limitations on personal use
of these tools.

o Clinger-Cohen Act – enacted in 1996, this Act focuses on improving the
efficiency of the manner in which the Federal government procures and manages
its IT resources. While not focused on security issues per se, the Act does focus
on information architectures that could have an impact on Federal information
security.

o Information Security and Identity Management Committee – offers a
forum to support the Federal CIO Council on matters related to identity
management and information security issues.

PROPOSED REGULATIONS
• Secure Federal File Sharing Act (H.R. 4098)
This Act would require the Director of the OMB to work with the Federal Chief
Information Officers Council to issue guidelines on the use of peer-to-peer (P2P) file-



sharing programs. This Act contains several provisions, including a) an approval
process for P2P file-sharing programs that are necessary for use by Federal
agencies, b) prohibition on the use of unauthorized programs by government
employees or its contractors, and c) management of P2P file-sharing programs by
government employees and contractors on their home computers when used in
telecommuting situations.

• United States Information and Communications Enhancement Act of 2009
(S. 921)
This bill would amend Chapter 35 of Title 44 of the United States Code to improve
the US Federal government’s awareness of information security policies, practices
and procedures. Specifically, the bill would eliminate subchapters II and III from
Chapter 35 and replace it with text that focuses on the importance of information
security and a recognition that security focuses on any information system, including
telecommunications systems, among many other provisions. This bill would
establish the National Office for Cyberspace.

• Protection of privacy and security for commercial data brokers’
information (S. 1490)
This proposed bill would enhance the punishment for identity theft. Specifically, this
bill would impose a fine and/or prison sentence for up to five years on anyone who
has an obligation to report a security breach and fails to do so.

OTHER IMPORTANT CONSIDERATIONS
• GAO Report on Social Media
In June 2011, the General Accounting Office (GAO) published Social Media: Federal
Agencies Need Policies and Procedures for Managing and Protecting Information
They Access and Disseminatexiii. This report, in response to a request from members
of Congress, set out to accomplish two goals: a) study how federal agencies are
using commercial social media services, and b) determine the extent of these
agencies’ policies and procedures for managing social media use.

The performance audit that was conducted between July 2010 and June 2011,
results of which were published in this report, discussed the key challenges that
federal agencies face in managing social media use, including fulfilling their records
management obligations and the security threats they face when using social media.
Moreover, the report provides a set of high-level recommendations for specific
government agencies in the context of their social media use.

• Guidelines for Secure Use of Social Media by Federal Departments and
Agencies
This documentxiv, released in September 2009, discusses the risks that government
agencies face from the use of social media, Web tools, and other capabilities. It also
offers recommendations about how to mitigate these risks, including the creation
and enforcement of policies focused on appropriate use of communications tools,
acquisition controls that will help agencies to determine the specific types of tools
and capabilities that should be implemented, the training that employees should



undergo, and the network- and host-level controls that should be implemented to
protect against attacks.

• Intelligence Community Directive Number 503
This documentxv establishes “Intelligence Community policy for information
technology systems security risk management, certification and accreditation.” This
document focuses on a strategic and holistic process for managing risk among
interconnected systems used primarily in the defense and intelligence communities.

• Office of Management and Budget Circular A-123
This memorandumxvi, published in late 2004, focuses on internal management
controls in Federal agencies necessitated by the passing of the Sarbanes-Oxley
(SOX) Act of 2002. In essence, it defines the federal version of SOX.

What You Must Do to Mitigate the Risks
There are several issues that any government agency must address with respect to
managing their employees’ and others’ use of instant messaging, social networking and
other tools. We have developed six basic points that every decision maker should
seriously consider as they attempt to minimize the risks that their agency faces from
unfettered use of these tools, while at the same time maximizing the value they can
derive from them.

CONTROL USE OF UNAUTHORIZED TOOLS
An Osterman Research report published in August 2010 found that only 34% of IT
decision makers consider Twitter to be a legitimate tool for use in a business context,
but 50% allow it to be used in their organizations. We found a similar pattern for a
variety of other tools, as shown in the following figure.



IT Views on Legitimacy of Various Applications

As demonstrated in the figure above, IT departments allow far more use of
communications and information tools than they consider to be legitimate, resulting in
the potential for serious risk if the content from unauthorized use of these tools is not
logged or otherwise managed properly. It is imperative that financial services firms
implement capabilities that can control use of communications and information tools so
that only authorized users can use specific tools.

Underscoring the severity of the problem is a February 2011 Osterman Research
surveyxvii of mid-sized and large organizations in multiple industries that found that
relatively few organizations have implemented policies focused on social media and
other tools. For example, the survey found that only 18% of organizations have a
detailed and thorough policy focused on employees’ use of Twitter and Facebook, while
only 15% of organizations have such a policy focused on the use of LinkedIn.

LOG ALL CONTENT, INCLUDING POSTS TO SOCIAL NETWORKING
SITES
It is absolutely vital to log all content sent through instant messaging clients, unified
communications systems, social networking tools and websites, even if the use of these
tools is unofficial and not sanctioned formally by either the IT department or an
agency’s senior management. A failure to log traffic sent to or received from any
communications or information venue can result in serious consequences with auditors
and others.



For example, an employee of a Federal agency could offer his or her opinion on a
pending case via Twitter, perhaps inadvertently, and thereby reveal sensitive
information that had not yet been made public. To help manage the use of these tools,
the content posted or received from any social networking, instant messaging, or other
tool must be logged so that an agency can a) monitor these communications for policy
enforcement purposes, and b) correct errant employee behavior, if only after the fact.
However, some tools, such as Twitter, do not offer logging capabilities.

BLOCK THREATS
The threat landscape is becoming significantly more serious on several fronts:

• Social engineering techniques can fool even very experienced users. For example, a
Twitter account that becomes infected by a worm can result in tweets sent to
hundreds or thousands of individuals. If any of these recipients clicks on the link
that could be sent by the compromised account, tens of thousands of users could
end up being infected.

• Because the Web and Web 2.0 applications are generally less well-defended than
email systems and because many government users install consumer-oriented Web
2.0 applications on their work or home computers, the Web is a more fertile field for
hackers and other criminals.

• Spearfishing, whaling and phishing attacks are becoming more common and more
numerous. Some government agencies have been successfully breached via these
attacks.

There is a broad range of threats that can be distributed through social networking,
instant messaging, unified communications, and other tools. For example, an Osterman
Research survey published in August 2010 found that in 12% of organizations, malware
had successfully infiltrated the corporate network through Web 2.0 applications during
the one-year period ended Spring 2010. Sixty-two percent of organizations had
experienced malware infiltration through the Web – often through Web 2.0 applications
like Twitter – during the same period.

The key, then, is to monitor the use of all communications venues and block threats
from being propagated throughout the network while allowing legitimate traffic to be
passed through unencumbered.

PREVENT DATA LEAKAGE
One of the most important capabilities that any agency must enable is the monitoring
and prevention of the leakage of sensitive, confidential, or other information that could
be damaging to the owner of that information. This might include any information that
is overtly sensitive, such as taxpayer information or the healthcare records of Medicare
patients. However, it can also include seemingly innocuous posts to Twitter or other
social networking sites that recipients could piece together to gather intelligence about
an investigation or corporate audit. The bottom line here is that sensitive information of
any kind sent through any communications or information channel must be protected.



ARCHIVE CONTENT
Another critical component of any information management strategy is the ability to
archive all content sent or received regardless of the tools that are used to send it. This
obviously includes emails, instant messages and other electronic content. The need to
archive is driven in no small part by Federal Freedom of Information Act (FOIA)
requirements that demand the preservation of content.

INTEGRATE WITH EXISTING ARCHIVING SYSTEMS
Closely related to the point above is that it is imperative not only to archive content for
any communications or information system, but also to integrate this archived content
with existing archiving tools in the organization. Because Federal agencies must archive
content for FOIA compliance, among other reasons, it is clearly a best practice to
integrate other content archives into the primary archive already being used. This can
save significant amounts of time when searching for content and can ensure a common
interface is used to search for and access content, regardless of its source.

Summary
Federal agencies must manage content in a manner that is consistent with the growing
number of Federal regulations focused on information security and content retention.
This includes the traditional content medium of paper, of course, but more recently,
content sent electronically through email and instant messages. However, as modes of
communications evolve and new technologies are introduced, users in Federal agencies
have been presented with a growing array of new communications alternatives,
including unified communications systems that can store voice content as easily as they
can retain emails or instant messaging conversations; social networking tools like
Twitter, Facebook or LinkedIn; or telephony alternatives like Skype that combine voice
and instant messaging capabilities.

While the regulation of these new forms of communication has not always kept pace
with their use, there are a variety of reasons for agencies to embrace use of these new
technologies in order to reduce costs and provide better customer service. At the same
time, however, there are a number of best practices that any Federal agency should
follow to ensure that it will be compliant with current and anticipated regulations and
that it will minimize the risks associated with use of these tools.

Vantage
Vantage is the de facto platform for granular security and policy controls for real-time
communications – providing management for the broadest set of applications and
modalities, including Microsoft Lync, public instant messaging platforms such as
Windows Live Messenger and Skype, Web conferencing, and industry-focused networks
like Thomson Reuters Messenger, Bloomberg, and YellowJacket.



Unified Security Gateway
Actiance Unified Security Gateway (USG) complements Vantage by blocking the use of
other applications that bypass corporate security policies and introduce additional risk to
the organization. USG provides granular control of Web 2.0 applications, monitoring,
securing, and recording content to reduce outbound data leaks and to enable
compliance with industry regulations, legal discovery requirements, and corporate policy
standards. USG also logs social media conversations in compliance with the strictest
requirements for record-keeping and tamper-proof data auditing for customers in highly
regulated industries such as financial services, insurance, energy, education, and
healthcare.

Insight
Actiance Insight interfaces with USG and Vantage to provide enterprise data
visualization of user behavior, browsing patterns, and Web application usage trends.
Ideal for managing enterprise networks which encompass multiple locations, the
dynamic, multi-dimensional graphical interface provided by Actiance Insight provides
complete visibility into Internet and real-time application usage that has not previously
been possible with legacy reporting applications for Web security and data compliance.

Socialite
Socialite is Actiance’s security, management, and compliance solution for Social
Networks, providing granular control of Facebook, LinkedIn, and Twitter. It not only
controls access to 180 different features across social networks, but Socialite can also
moderate, manage, and archive any social media traffic routed through the solution,
which can either be on-premise or hosted.



About Actiance, Inc.
Actiance enables the safe and productive use of unified communications, collaboration,
and Web 2.0, including blogs and social networking sites. Formerly FaceTime
Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US
banks and more than 1,600 organizations globally for the security, management, and
compliance of unified communications, Web 2.0, and social media channels. Actiance
supports all leading social networks, unified communications providers, and IM
platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft,
IBM, and Cisco.

Actiance, Inc.
1301 Shoreway
Suite 275
Belmont, CA 94002
USA

Toll-free: +1 888 349 3223
Phone: +1 650 631 6300
Fax: +1 650 598 2820
info@actiance.com
www.actiance.com

For Web and Unified Communications security news, follow Actiance on Twitter,
http://www.twitter.com/actiance



© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission
of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without
prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this
document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance
with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive
order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty
regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED
REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE
DETERMINED TO BE ILLEGAL.

i
http://www.gao.gov/new.items/d07837.pdf
ii
http://www.bls.gov/news.release/empsit.nr0.htm
iii
http://www.nytimes.com/2010/11/07/us/07breach.html
iv
Source: PHIPrivacy.net
v
Source: PHIPrivacy.net
vi
Source: DataBreaches.net
vii
Source: FY 2008 Report to Congress on Implementation of The Federal Information Security Management
Act of 2002
viii
http://online.wsj.com/article/SB10001424052748703293204576106132286203062.html
ix
U.S. Digital Year in Review 2010, comScore
x
U.S. Digital Year in Review 2010, comScore
xi
http://fcw.com/articles/2011/02/14/feat-citizen-outreach-social-media.aspx
xii
http://www.dailyfinance.com/story/taxes/can-twitter-help-fema-respond-to-disasters/19807666/
xiii
http://www.gao.gov/new.items/d11605.pdf
xiv
http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf
xv
http://www.dni.gov/electronic_reading_room/ICD_503.pdf
xvi
http://www.whitehouse.gov/omb/circulars_a123_rev/
xvii
Messaging Policy Market Trends 2010-2013, Osterman Research, Inc.


Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications

More Related Content

What's hot

Viewers also liked

Similar to Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications

More from Osterman Research, Inc.

Recently uploaded

Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications