
Asaf Ahmad Fire and Rescue NSW

Disclaimer: The views expressed are my own and not of FRNSW.

• BBS (Bulletin Board System)
• Internet Forums
• Web 2

Social media technology and network creation of content, and dissemination of content using the Internet.
Allowing consumers to share the content, comment, discuss and even distribute the news.

Sources of Data
• Blogs - WordPress and TypePad
• Microblogs - Twitter and Tumblr
• Instant messaging - AOL AIM, MS Live Messenger
• Online communication systems (e.g., Skype)
• Image and video sharing sites - Flickr and YouTube
• Social networking sites - Facebook and MySpace
• Professional networking sites - LinkedIn

Social media use is no longer an exception, but rather a rule!
• As a tool to stimulate innovation
• Create brand recognition
• Provide information
• Feedback, views and trends
• Hire and retain employees
• Generate revenue
• Improve customer satisfaction

2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives
ENGAGEMENTdb, The World's Most Valuable Brands. Who's Most Engaged? Ranking the Top 100 Global Brands, www.engagementdb.com/downloads/ENGAGEMENTdb_Report_2009.pdf

A 2010 Burson-Marsteller study of Fortune 500 companies:
• 65% have active Twitter accounts
• 54% have Facebook fan pages
• 50% have YouTube video channels
• 33% have corporate blogs

According to the 2010 Social Media Marketing Report, 67% of marketers plan to increase their use of social media channels including blogs, Twitter, and Facebook.

2 Burson-Marsteller, The Global Social Media Check-up Insights: From the Burson-Marsteller Evidence-based Communications Group, www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

[Figure: distribution and breakdown by information category of tweets by/to @QPSMedia and in #qldfloods for the week of 10 Jan. 2011]

Crowd-sourcing crisis-relevant information and trends can be achieved from Twitter Data

Source: #qldfloods and @QPSMedia: Crisis Communication on Twitter in the 2011 South East Queensland Floods. Media Ecologies Project, ARC Centre of Excellence for Creative Industries & Innovation (CCI), http://cci.edu.au/. Axel Bruns and Jean Burgess, Creative Industries Faculty, Queensland University of Technology; Kate Crawford and Frances Shaw, Journalism and Media Research Centre, University of New South Wales.

• A police officer happily tweets about the recovery of a missing teenager. Only he forgets to tell her mom first (1)
• Drug Companies Wait for FDA Guidelines on Social Media Marketing - drug makers faced potential legal issues with the reporting of adverse events, negative information and libelous information
• Liability for libel, privacy violations and damage to brand recognition
• Information security risks

1 - http://www.techrepublic.com/blog/career/another-case-of-social-media-eating-the-brain-of-a-user/4136?tag=nl.e101

Structured Data: Format, Context
Un-Structured Data: No Format, Open context
Semi-Structured Data: Meta data
Business Intelligence: Define, Access, Aggregate, Analyse, Report
Social Media Data sources: Event based, Conversation, Constituents, Noise


Presumed lack of credibility or reliability, or an underestimation of its value
• Informal
• Data quality
• Limited on membership
• Constraint due to technology
• Language and constituents dependency


[Diagram labels]
Social Media; Social Media Policy; Discovery (Target audience, Objectives, Social capability, Governance)
Social Media Risk Management; Strategy (Listening, Social tools, Content strategy, Blog strategy); Data Repository & Storage; Information Management (Data Analytics, Goals & Benefits, Review)

Business Intelligence Access and Analytics Information Techniques & Consumers Subject Area Action Knowledge

Data Integration Context

Data Sources Data

Metadata; Security, Privacy, and Regulatory Compliance; Project Management, Change Control, Information Management; IT Infrastructure and Networks


Social media does have inherent risks that could negatively impact enterprise security
• Can be started without proper governance
• Without IT involvement
• Without awareness and training
• Without proper project management
• Without roles and responsibilities

• Opportunity cost
• Risk of communicating with customers or constituents
• Risk to corporate network
• Risks from mobile devices
• Risks of social engineering
• Risks of violation of privacy and corporate policies
• Risk of employee personal use of social media from home and personal computing devices

2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives


• Require good governance and management of information and technology (IT) assets
• Create a social media strategy
• Have a plan to address the risks that accompany the technology

1 - ISACA = Information System Audit and Control Association; ITGI = IT Governance Institute


COBIT1 - A Business Framework for the Governance and Management of Enterprise IT

Information is a key resource for all enterprises. Information is created, used, retained, disclosed and destroyed. Technology plays a key role in these actions. Technology is becoming pervasive in all aspects of business and personal life. What benefits does information and technology bring to enterprises?
1 - ISACA = Information System Audit and Control Association (www.isaca.org); ITGI = IT Governance Institute


When creating a social media strategy, some questions to consider are:
• Strategic benefit?
• Involvement of stakeholders?
• Risks, benefits vs costs?
• Legal, privacy and regulatory issues and requirements?
• Ensure positive brand recognition?
• Awareness training?
• Handling of customers?
• Resources to support such an initiative?

ISACA develops and maintains the CobiT and Risk IT frameworks.

1. Strategy and Governance
  - Establish a policy that addresses social media use
  - Policies to address all aspects of social media use in the workplace?
  - Risk assessment
2. People
  - Effective training for all users
3. Processes
  - Review business process using social media
  - Aligned with policies and standards of the enterprise?
4. Technology
  - IT strategy and supporting capabilities to manage technical risks
  - Technical controls and processes support social media policies and standards
  - Established process to address the risk introduced by social media that could negatively impact the enterprise?

Source: ISACA's Business Model for Information Security (BMIS). The Business Model for Information Security provides an in-depth explanation of a holistic business model which examines security issues from a systems perspective.

• Personal use
  - Whether it is allowed
  - The nondisclosure/posting of business-related content
  - The discussion of workplace-related topics
  - Inappropriate sites, content or conversations
  - Standard disclaimers if identifying the employer
  - The dangers of posting too much personal information

• Business use
  - Whether it is allowed
  - The process to gain approval for use
  - The scope of topics or information permitted to flow through this channel
  - Disallowed installation of applications, playing games
  - The escalation process for customer issues


RISK: Use of personal account to communicate work-related information
IMPACT: Privacy violation; Corporate reputation damage; Loss of competitive advantage

RISK: Posting of photographs of information that links users to their employees
IMPACT: Brand damage; Corporate reputation damage

RISK: Excessive use of social media in the workplace
IMPACT: Network utilisation issue; Loss of productivity; Increased risk of exposure to virus and malware

RISK: Use of company-supplied mobile devices to access social networking sites
IMPACT: Infection of mobile devices; Data theft from mobile devices; Data leakage; Bypassed enterprise controls

2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives


Threats & Vulnerability: Virus
Risks: Data leakage; Zombies; Downtime; Cost
Risk Mitigation Technique: Antivirus; Content filtering; Policies and Standards; Awareness training

Threats & Vulnerability: Hijacked corporate presence
Risks: Customer backlash; Exposure of customer information; Reputational damage; Targeted phishing attacks
Risk Mitigation Technique: Brand protection firms; Periodic updates to customers

Threats & Vulnerability: Unclear and undefined contents rights
Risks: Enterprise loss of control/legal rights
Risk Mitigation Technique: Legal to review contract; Establish clear policies on posting; Establish log capturing

Threats & Vulnerability: Increase in customer service expectation
Risks: Customer dissatisfaction; Reputational damage; Customer retention issue
Risk Mitigation Technique: Ensure adequate staffing for handling social media traffic. Create notices that provide clear windows for customer response.

Threats & Vulnerability: Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
Risks: Regulatory sanctions and fines; Adverse legal actions
Risk Mitigation Technique: Establish appropriate policies, processes and technologies to ensure that communications via social media that may be impacted by litigation or regulations are tracked and archived appropriately. Note that, depending on the social media site, maintaining an archive may not be a recommended approach.


Threats & Vulnerability: Use of personal account for work-related information
Risks: Privacy violation; Reputational damage; Loss of competitive advantage
Risk Mitigation Technique: HR to establish policies that ensure; HR to develop awareness training

Threats & Vulnerability: Posting of enterprise linked picture
Risks: Brand damage; Reputational damage
Risk Mitigation Technique: HR to develop a policy on appropriate use of enterprise images, assets, and intellectual property in their online presence.

Threats & Vulnerability: Excessive employee use of social media in the workplace
Risks: Network utilization issues; Productivity loss; Increased risk of exposure to viruses and malware
Risk Mitigation Technique: Manage accessibility to social media sites

Threats & Vulnerability: Employee access to social media via enterprise supplied mobile devices
Risks: Infection of mobile devices; Data theft from mobile devices; Circumvention of enterprise controls; Data leakage
Risk Mitigation Technique: Route enterprise mobile devices through corporate network filtering technology. Ensure that appropriate updated controls are installed on mobile devices. Establish or update policies and standards regarding the use of mobile devices to access social media. Develop and conduct awareness training for risks involved with using social media sites.

2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives


• Consumer-oriented technology
• An enterprise's tool to drive business objectives
• Affords enterprises many potential benefits
• Inherent risks such as data leakage, malware propagation and privacy infringement
• Adopt a cross-functional, strategic approach that addresses risks, along with appropriate governance and assurance measures

2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives
