Federal CIO Council Seeks to Advance Trustworthy Social Media

Reprinted by the author from Forum One's Influence Blog.

In the absence of social media compliance and regulatory standards, social networking technologies face increased scrutiny in both the government and commercial sectors. While many government leaders and corporate executives recognize the ability of social media to help organizations “tap into the vast amounts of knowledge … in communities across the country” and around the world, many organizations (especially ones with enterprise IT departments) harbor serious reservations about workplace use of external social networking sites by employees:

      Deloitte: 6th Annual Global Security Survey found that 53% of its respondent businesses (i.e. global banks, insurance companies, and financial institutions) prohibit the use of social networking technologies due in large part to data protection concerns.

      U.S. Strategic Command: Stark announcement warned the rest of the military it was considering a Defense Department-wide ban on the Web 2.0 sites, due to network security concerns.

      Websense Security Labs: Survey of over 130,000 IT Professionals from around the world revealed that the majority of IT managers are still unsure what constitutes Web 2.0, and are ill-equipped to combat security concerns associated with social media.

      Sophos: Two-thirds of systems administrators worried that employees are sharing too much information on social networking sites and threatening the security of corporate systems.

Confronted with a Memorandum for Transparency and Open Government on one hand and over 200,000 websites designed to spoof social networks like Facebook, MySpace, and Twitter already on the Web on the other, the US Federal Government faces a unique challenge. It must quickly resolve the social media question in order to: 1) Support the President’s OpenGov objectives; 2) Ensure the security and privacy of US Federal Government IT.

Fortunately, the CIO Council is rising to the occasion. Just last week, the council released “Guidelines for Secure Use of Social Media by Federal Departments and Agencies,” intended to provide “guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.”

In drafting the document, the CIO Council chose neither to fully endorse nor to censure social media and related social networking technologies; instead it took the wiser approach of acknowledging:


      The decision to embrace social media technology is a risk-based decision, not a technology-based decision. It must be made based on a strong business case, supported at the appropriate level for each department or agency, considering its mission space, threats, technical capabilities, and potential benefits. The goal of the IT organization should not be to say ‘No’ to social media websites and block them completely, but to say ‘Yes, following security guidance,’ with effective and appropriate information assurance security and privacy controls.


Rather than take a position on one side of this potentially divisive topic, the report strives to provide a high-level overview of the risks associated with social media technologies (e.g. spear phishing, social engineering, and web application security) and a series of recommended controls (e.g. policy; acquisition; training; host; network) to mitigate those vulnerabilities. It also recommends that the senior technology official at each federal agency “develop a social media communications strategy, with the support of their communication office that accurately addresses the guidelines in this document in conjunction with (existing) government-wide policy” and proposes the creation of an overarching government-wide policy on social media.


A section of the report that is getting a lot of attention is the series of recommendations made under “Acquisition Controls.” These include:

1) Use of two-factor authentication, including the secure identity card, under Homeland Security Presidential Directive-12; 2) Designation of a dedicated government server or instance within the vendor’s social media network; 3) Code validation and signing to improve the security of third-party vendors’ websites; 4) Risk assessment of the vendor’s systems or services.

Since these recommendations could place considerable cost directly upon service providers, they raise the question: how can the government ensure social networking sites meet demanding security and privacy requirements, without commercial mandates, when so many vendor platforms operate free of cost to users (including the US Federal Government)?

While challenging, it certainly is not impossible for the US Federal Government to work around the revenue model of many social media vendors, which is not based on user fees. For example, the US Federal Government could support the creation of a national certification process for social media vendors. This would require: 1) Creating a rigorous set of public guidelines; 2) Fostering the development of third-party certification agent(s) for these standards; 3) Rewarding social networking vendors who elect to undergo (and pass) testing with a branded certification that they can then use in consumer and B2B marketing; 4) Fast-tracking certified cloud-based services to be listed under social media applications on Apps.gov; 5) Promoting global acceptance of the new certification in concert with private enterprises.


      The downside: A new certification process requires an up-front investment on the part of the Federal Government.
      The upside: A respected certification would encourage the wider adoption of social networking technologies by government entities and private businesses without undermining future innovation.

In seeking to advance secure social media in the US Federal Government, the CIO Council’s Web 2.0 Security Working Group (W20SWG) should weigh the relative costs and benefits of a number of options, including a new certification process, as part of future policies on social media and related social networking technologies. The US Federal Government also should work closely with established (e.g. Facebook; Twitter; YouTube) and emerging (e.g. act.ly; Hi5; Bebo) social networking sites and technologies to elicit their feedback on how best to advance trustworthy social media, sustain private sector innovation, and encourage social media adoption by government (and commercial companies).