Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to deal with the social networks (Facebook, Twitter, Myspace, etc.) and what the “best practices” are, I came out of my shell to reply.
(We’ll skip over the oxymoron “best practices” since “Context is Everything“.)
“Use of corporate resources …”
is a wonderful one to use to prefix just about any policy statement or justification. In one workshop on policy development that I ran someone pointed out that it applied to access to the company parking lot!
The issue here isn’t “social networking”, no matter how much the media and ZDNet would have you believe. It boils down to a few very clear and easy to enumerate issues:
- These are corporate resources being used.
Even if it is the individual’s “smart phone” being used to twitter, its still being done on company time.
- Either the individual is talking about the company or not.
If they are, then they are acting as a spokesperson for the company. Is that allowed? If not, see #1.
- What is your policy for individuals doing things like setting up doctor/dentist/psychiatrist/podiatrist/liposuction appointments using “corporate resources” such as the telephone?
How about with web-based interfaces? How about planning/booking vacations?
Buying and selling stocks, never mid goods on eBay.
If it comes to that, do you simply grant unfettered Internet access?
Do you log access? Do you restrict access to certain sites?
Do you have policy that clearly says you are doing this?
No, its not as simple as “social networking”. It is easy to ask those questions but they drag in a whole gunnysack of other policy and business and liability matters that have to be resolved first. Many of them are not ones we in InfoSec, or even the IT people, are able to address.