The Federal CIO Council's Information Security and Identity Management Committee (ISIMC), Web 2.0 Security Working Group just released a document that will come as a boon to government security folks struggling to develop social media policy. The "Guidelines for Secure Use of Social Media by Federal Departments and Agencies" (the "Guidelines") were released on September 17, 2009 and state that "The goal of the IT organization should not be to say 'No' to social media Web sites and block them completely, but to say 'Yes, following security guidance,' with effective and appropriate information assurance security and privacy controls." Isn't that beautiful? More fundamentally, isn't that what information security has always been about?
The document validates what many of us have been saying for some time now: the decision to use social media technologies should be a risk-based business decision, not an IT security decision. Further, it states that "The safe use of social media is fundamentally a behavioral issue, not a technology issue." Everybody say 'Amen!' Not only do the "Guidelines" recommend developing organizational policy for the use of social media, but also that the policy should focus on personal and professional user behavior when handling government information. The "Guidelines" call for, among other things, augmented training requirements for employees and additional security monitoring and configuration controls. I can already see CISOs across the nation smiling.
The "Guidelines" are important not so much for their content (although it is!) as for the standard and stimulus they establish for government organizations. With "Transparency and Open Government" the name of the game and at the top of every CIO's agenda, the "Guidelines" acknowledge that social media is not without risk and that, unless actively managed, it can introduce self-inflicted organizational wounds. Read that again: social media is not without risk and, unless actively managed, it can introduce self-inflicted organizational wounds. Specifically, the "Guidelines" provide risk mitigation strategies and recommendations that include Policy Controls, Acquisition Controls, Training Controls, Network Controls, and Host Controls which, in concert, help to minimize social media cyber-threats.
The "Guidelines" are a good document that will give CISOs and security professionals at all levels of government the support necessary to justify a firm social media policy that focuses on security risk and user responsibility. Read it and tell me what you think.