Social Media Security Auditing
Defining the content of a policy is the first great challenge. Currently, there are no international standards bodies (such as Institute of Electrical and Electronics Engineers or IEEE) to help with this problem. The government is trying to adapt NIST SP 800-53 Rev 3, which is a government standard on information security procedures, to take into account some form of accreditation for services such as Twitter or YouTube as a network system. As these are hosted services, however, you have no control over them; you have to rely on the administrator of Twitter and YouTube to maintain security protocols.
Any regulatory requirements and legal requirements that social media use could impact
Managing internal and external hosted applications, including monitoring and reporting tools and techniques and testing and auditing
Codes of conduct and acceptable use
Roles and responsibilities for the Community Manager
Education and training
Policy management, reporting, and monitoring
The policy framework has to take into account the following major security concepts when dealing with a third-party application:
Social media is generally based on third-party “cloud” applications and, therefore, your company can’t control their security.
Social media web applications and downloadable applications have the same security challenges as all other web-based applications and other installed software applications.
The general public is as involved with your company’s use of social media as you are, and your policy has to give guidance to your employees on how to handle public interactions.
Your company should have a public version of your social media policy that explains your positions on social media.
Sharing of data is a must in social media, but data sharing is also a key aspect of attacks from both a technological hacking perspective as well as a content perspective.
Malicious code is easier to share via social media portals and downloadable applications that can then connect back to the corporate environment to introduce viruses, Trojans, and other malware.
Reputation management is often more important than secure technology-based controls when addressing the risks due to social media.
Enable encrypted communications to the social media site when possible. This is not easy with most sites, but applications are available that can help with this task. One example is HTTPS Everywhere from the Electronic Frontier Foundation (https://www.filanza.org/https-everywhere).