By Tommie Singleton, Ph.D., CISA, CGEIT
The first key element of understanding social media is to understand the platform, its purpose and its audience. For example, professionals usually choose LinkedIn or a similar platform, rather than Facebook, for career purposes. One reason is that, as an individual on Facebook, so many classmates and friends will ask to connect that there is a risk one’s professional image will become muddled, confused or downright damaged by what others are posting. Entities do, however, make effective use of Facebook (e.g., the “like” feature to build a community). But care should be taken to choose the social platform that is the best fit for the objective being sought.
Perhaps the second key element is really the first: the IT auditor needs to understand the risk associated with social media. Risk exists even if your entity chooses not to be actively involved with any social media. That is, disgruntled or malicious people can post negative and damaging comments on Facebook and other social media whether or not the entity has a presence there. Therefore, management of any entity needs to establish some kind of proactive approach to browsing for negative comments, and to have a plan in place for mitigating the negative impact such postings can produce. IT auditors may be key in assisting management in coming up with the former, and are certainly supportive in the latter. A fairly extensive list of threats was included in my recent ISACA® Journal article, “IT Audit Basics: What Every IT Auditor Should Know About Auditing Social Media.”
Another aspect is the use of social media by employees during business hours. It would not be surprising to learn that a significant portion of employees spend more work time engaged in social media activities than management would like. That is, there is a very high probability that some employees are abusing their use of social media at work. One must then consider what they do while engaged with social media. Employees could mistakenly click on a link to malicious content. They could also post negative things about their own employer.
The above two illustrations are true whether the entity engages in social media or not. But there is additional risk if the entity is engaged. The most straightforward need is for the IT auditor to measure the effective use of social media, in some respects much like IT auditors do for any new technology. Management may also wish to consult with the IT auditors in choosing the specific platform. IT auditors may be asked to do a risk assessment of social media platforms.