Tips for Addressing Social Media Risks
By Lisa Young, CISA
Does your organization use social media? How do you know for sure? Social media usually require no special technology, little or no involvement from IT, and no official project plan or explicit permissions to get started. Social media involve the creation and dissemination of information through social networks using the Internet. Social media tools include blogs, product review sites, Twitter, Facebook, LinkedIn, YouTube, Wikipedia and many other outlets. Any Internet site that allows individual users to supply content can be considered a type of social media.
Managing the risks from social media requires that the organization have a social media strategy, sound policy and a plan to address the risks that accompany social media technology. Here are some considerations for using social media in your organization:
- Understand that blocking access to social media sites is not sufficient to prevent their use since many organizations use the tools to interact with customers or prospective employees. Blocking access also does not preclude the use of social media on employee-owned equipment.
- Conduct a risk assessment to map the risks to the organization from the use of social media. The top five risks from social media as identified by ISACA® include:¹
• Brand hijacking
• Lack of control over content
• Unrealistic customer expectations of “Internet-speed” service
• Noncompliance with record management regulations
- Develop policies to address the risks of social media. Existing policies on conflict of interest, professional conduct, acceptable use, privacy, client confidentiality, intellectual property and similar issues can and should be extended to apply in the context of social media. Things to cover in these policies include:
• Whether these sites are allowed for business use
• Personal use in the workplace and personal use outside the workplace
• The process to gain approval for use
• Standard disclaimers if the organization is identified
• Copyright or other content rights to information posted to these sites
• Scope of business-related content allowed
• What is inappropriate
• Escalation procedures for customer issues
• Disciplinary procedures for violation of policy
- Ensure that the business processes that utilize social media are aligned with the policies and standards of the organization.
- Social media are just other forms of electronic communication. Understand the retention regulations or e-discovery requirements. Poor policies governing the use of social media increase the costs of social media forensics coming from an external inquiry, litigation or audit request and may result in regulatory sanctions, fines or adverse legal actions.
- Include social media training in the organization’s regular awareness communications or information security training curriculum. Users need to understand what is (and is not) appropriate and how to protect themselves and the organization when using social media.
Click here for a complimentary download of ISACA’s white paper Social Media: Business Benefits and Security, Governance and Assurance Perspectives and to read more on this topic.
Lisa R. Young, CISA, is the past president of the ISACA West Florida Chapter in Tampa, Florida, USA, and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force for the Risk IT: Based on COBIT® publications.
¹ ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives, 2010
ISACA Knowledge Center Tips and Tricks: Setting Discussion Alerts
The new ISACA® web site was launched earlier this year with many new and exciting features. Many of the new features are located within the Knowledge Center, in which participants can consume information, exchange expertise and experience, and build new understanding through collaboration on many topics for IT professionals. By joining a topic, members can add documents and links and can participate in the topic’s discussions. One way to stay connected with the activity within a discussion is to establish an alert or an RSS feed.
The following are tips for joining a Knowledge Center discussion:
- Log in to the web site and join a topic.
- Navigate to the discussion overview page by clicking the “more” link.
- On the discussion overview page, click on the bell icon to subscribe to alerts for all discussions within this topic. Or, to set an alert for a specific discussion, click on the discussion title to navigate to the discussion’s homepage and then click on the bell.
- You will receive an e-mail at the address stored in your MyISACA profile every time activity occurs within the discussion. Click here to learn more about managing your online profile.
- If you have an RSS reader, set up a feed to the discussion page by clicking on the RSS icon.
- Click “My Alerts” in the utility navigation at the very top of the ISACA web site to manage your alerts.
- Click here for more information, including FAQs on how to use the ISACA web site.
IT GRC Conference Is a Resource for Driving Value, Managing Risk, Achieving Objectives
ISACA’s IT Governance, Risk and Compliance (IT GRC) Conference provides you with an opportunity to learn from the collected experiences of knowledgeable practitioners in the best traditions of ISACA® thought leadership, frameworks and professional guidance. By learning from others and sharing your experiences, you can avoid traps and pitfalls and deliver greater value to your organization. You will learn how to better enhance the value IT provides to your organization and ensure that IT-related risks are managed and outcomes, including performance and compliance, are assured.
The program includes select topics aligned with the six domains of the Certified in the Governance of Enterprise IT® (CGEIT®) designation. Sessions will address:
- IT governance frameworks
- Strategic alignment
- Value delivery
- Risk management
- Resource management
- Performance measurement
Each stream has a unique focus to help you learn more about these six areas and get the most personal value from the program. The first stream is designed for chief information officers (CIOs) and other senior IT leaders to engage more effectively with their business colleagues and lead their teams to deliver more business value. The other two streams are designed for senior practitioners and operational leaders. One focuses on implementing and building key capabilities; the other focuses on running, refining and continuously improving key capabilities. Running throughout the event is ISACA’s IT Governance Forum for professionals who implement, maintain and improve IT governance in the organization.
Each session within the forum or a stream builds upon the next, creating a learning arc that provides practical, actionable education to deliver measurable return on your learning investment. Each stream and the forum end with special sessions designed to send you on your way with solid insights to bring more benefit to your organization. These capstone sessions reinforce and enhance your choice to dedicate your time and effort to gain new knowledge, make new contacts and participate in this collaborative environment.
Click here for more information on IT GRC, including preconference workshops and sessions.
Shape the Profession—Volunteer With ISACA
The ISACA® Invitation to Participate for 2011-12 is now available. Through an extensive network of oversight boards, technical committees and subcommittees, volunteers help ensure successful certification programs, comprehensive professional conferences, timely education programs, insightful research, thorough and appropriate online resources, representative professional standards, and financially sound infrastructures. In short, ISACA volunteers ensure that members receive the high-quality resources they have come to expect from ISACA.
Members who would like to consider volunteering with ISACA at the international level should review the information contained in the brochure to identify which volunteer opportunities are of most interest. The brochure lists boards, committees and subcommittees—all of which require strong and talented participants. Volunteer applications are due 25 February 2011. Click here for additional information, including the new online application form.
Hard copies of the brochure will be mailed to all members with volume 6 of the ISACA Journal, which begins mailing in November.
IFAC SMP Committee Publishes Quality Control Implementation Guide
The Small and Medium Practices (SMP) Committee of the International Federation of Accountants (IFAC) has issued the second edition of its Guide to Quality Control for Small- and Medium-Sized Practices (QC Guide). The implementation guide is intended to help SMPs understand and efficiently apply the redrafted International Standard on Quality Control (ISQC) 1, Quality Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements.
The new edition conforms to IFAC’s revised and redrafted Code of Ethics for Professional Accountants and includes various improvements based on feedback from users of the first edition. It features an integrated case study, practical checklists and forms, and two sample quality control manuals.
Click here to download a complimentary PDF version of the guide.
Translation of COBIT 4.1 Makes IT Governance Good Practices More Accessible
With the newest translation of COBIT® 4.1 in Simplified Chinese, this authoritative, international set of generally accepted IT governance practices has become even more accessible worldwide.
COBIT 4.1 helps business and IT professionals increase the value of IT and reduce related risks. Used widely as a tool for compliance with Sarbanes-Oxley and many other global standards, COBIT predates the control legislation being enacted around the world. It is a product of more than 15 years of research and cooperation among global IT and business experts.
Click here to access a complimentary download of COBIT 4.1 in Simplified Chinese as well as many other languages.