New Social Media "Guidelines"


The Federal CIO Council's Information Security and Identity Management Committee (ISIMC), Web 2.0 Security Working Group just released a document that will come as a boon to government security folks struggling to develop social media policy.  The "Guidelines for Secure Use of Social Media by Federal Departments and Agencies" (the "Guidelines") were released on September 17, 2009 and state that "The goal of the IT organization should not be to say 'No' to social media Web sites and block them completely, but to say 'Yes, following security guidance,' with effective and appropriate information assurance security and privacy controls."  Isn't that beautiful?  More fundamentally, isn't that what information security has always been about?

The document validates what many of us have been saying for some time now: that the decision to use social media technologies should be a risk-based business decision and not an IT security decision.  Further, it states that "The safe use of social media is fundamentally a behavioral issue, not a technology issue."  Everybody say 'Amen!'  Not only do the "Guidelines" recommend developing organizational policy for the use of social media, but they also recommend that the policy focus on personal and professional user behavior when using government information.  The "Guidelines" call for, among other things, augmented training requirements for employees and additional security monitoring and configuration controls.  I can already see CISOs across the nation smiling.

The "Guidelines" aren't important so much for their content (although that matters too!) as for the standard and stimulus they establish for government organizations.  With "Transparency and Open Government" the name of the game and on the top of every CIO's agenda, the "Guidelines" acknowledge that social media is not without risk and that, unless actively managed, it can introduce self-inflicted organizational wounds.  Read that again: social media is not without risk and, unless actively managed, it can introduce self-inflicted organizational wounds.  Specifically, the "Guidelines" provide risk mitigation strategies and recommendations that include Policy Controls, Acquisition Controls, Training Controls, Network Controls, and Host Controls that, in concert, help to minimize social media cyber-threats.

These "Guidelines" are a good document that will give CISOs and security professionals at all levels of government the support necessary to justify a firm social media policy that focuses on security risk and user responsibility.  Read it and tell me what you think.

5 Comments

It's boring when people agree, but ... I agree. The phrasing used in the guidelines has been a long time coming. Historically (and unfortunately), attempts to govern individual action, such as by implementing "appropriate use" policies, have been mislabeled as an IT concern when it's really an HR problem. It's not IT that can dictate what you can and can't "say" - classified environments have always recognized (and honored) this distinction. Protection against that kind of breach is addressed through OPSEC. Social networking is just an electronic transposition of speech, and I'm glad to see that these Guidelines primarily promote this non-technical type of approach.

Mark,

Thanks for bringing this topic to our attention. But after reading the actual "Guidelines for Secure Social Media Use by Federal Departments and Agencies" that you referenced, I was pretty disappointed. I think they did a nice job on the "secure" part of this topic but not much on the basic "use" part.

In other words, they identified all kinds of cyber threats associated with social media sites, but they included almost nothing on personal/professional balance guidelines or recommendations when it comes to using sites like Facebook at work. They basically told federal agencies (and others) that policies are needed on these matters.

Here's an example: "The risk of using social media tools should be addressed by policies and procedures focusing on information confidentiality, integrity and availability, and user behavior, both personal and professional, when accessing data or distributing information." (Most of us already knew that.)

No doubt, this is an "OK" start on a difficult new topic and a decent 1.0 document. However, I suspect that federal agencies still have many questions. I certainly do.

Nice blogging,
Dan

Social media is not without risk and, unless actively managed, can introduce self-inflicted organizational wounds -

Concur. Once upon a time, counterintelligence and police built Association Matrixes on suspects; today it's called facebook.

In a perfect world, setting policies is sufficient. Of course, in a perfect world, there is no need for police or judges.

Somehow the lyrics from King Crimson seem appropriate here... ;)

Hi Dan,

While I agree with your general comment, I guess my response is that...I don't think that was the intent of the paper. It is the "Guidelines for Secure Use..."

On the other hand, the personal-professional balance issue you raise is one that I haven't seen anyone address to my satisfaction. In fact, I'm not convinced it's even solvable and, like the elephant in the room, most people will just choose to ignore it until it becomes a problem. Like in the early days when we gave everyone a computer with Internet access and then told them that they couldn't surf the web...how naive was that? Now we are telling people that it's OK to use social media at work. It will take an army of hall monitors to make sure each of our hundreds of users don't spend more than xx % of their total allotted social media time (part of the policy, right?) doing personal stuff. It's a difficult problem and, like you, I have dozens of stories of users abusing Internet 'privileges.' Thanks for the thought-provoking comments.

Thanks Keith and I love your King Crimson reference. Maybe an entry on a government tech blog will generate an entirely new class of KC groupies! Still dig these guys!
