To Get a Grip on Social Media Security, Start by Creating a Policy


By the end of 2013, half of all companies will have been asked to produce material from social media websites for e-discovery, according to Gartner. This means that you'll need not only a legal strategy encompassing social media content, but a social media policy.

While you're at it, start pulling together a social media governance strategy. And if you might conduct financial transactions via social media, plan to bring your auditors into this effort too. As Gartner notes in a different report on social media policy development, social media disrupts the long-standing rules of business in many ways.

This shouldn't be a sudden revelation. Governance and policy form the foundation of all IT security and corporate security. wiredFINANCE addressed social media security in October.

Now let's look at how you actually develop a social media policy.

As noted here in October, social media is so new that people don't even know enough to be concerned. They reveal information they wouldn't ordinarily reveal and expose themselves and the business in ways they wouldn't usually, often without even realizing they're doing it. Part of the problem is that social media blurs the line between what's personal and what's business, between private behavior and professional conduct.

So, the first thing a social media policy needs to do is make clear that the organization considers social media an extension of the workplace. As such it expects everyone involved in social media to behave in an appropriate, business-like way, which includes following policies and procedures. As Gartner notes, those who participate in social media need guidance from their employer about the rules, responsibilities, norms, and behaviors expected of them. This should be explicitly spelled out in the social media policy.

To write a social media policy, start by forming a committee of key stakeholders. People from legal and IT definitely should be involved. Marketing, as probably the largest user, should be included too. Since the CFO gets deeply involved in GRC, he or she should be involved.

Then the policy committee needs to determine why the organization feels it needs to be involved in social media in the first place. Policies may differ if social media is primarily a way to interact with existing and prospective customers or is really a way to communicate with suppliers and partners. Or, social media may be intended as a technical support vehicle. One thing is certain: Whatever the committee decides initially, social media usage assuredly will expand.

From there you need to define the governance of the policy itself: who is in charge of the policy, who is authorized to make changes, and all the other procedural governance questions.

After that, the policy should lay out the do's and don'ts of behavior. Specify how the policy is to be communicated, how compliance with policy is to be monitored and enforced, and how, and how often, employees will be educated and trained in the policy. Once is not nearly enough. Make sure everyone understands that nothing stays a secret with social media. Additionally, managers will need to be trained not only in the policy but also in how to coach their employees in it.

Finally, to make it all stick, a policy committee member of some stature needs to lay out the case for the organization's use of social media and the importance of good social media behavior.

What's wiredFINANCE?

wiredFINANCE provides the Business Finance community with reporting and commentary on IT-finance related issues.
