
Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to deal with the social networks (Facebook, Twitter, Myspace, etc.) and what the “best practices” are, I came out of my shell to reply.

(We’ll skip over the oxymoron “best practices” since “Context is Everything“.)

The phrase

“Use of corporate resources …”

is a wonderful one to use to prefix just about any policy statement or justification. In one workshop on policy development that I ran, someone pointed out that it applied to access to the company parking lot!

The issue here isn’t “social networking”, no matter how much the media and ZDNet would have you believe otherwise. It boils down to a few very clear and easy-to-enumerate issues:

  1. These are corporate resources being used.
    Even if it is the individual’s “smart phone” being used to twitter, it’s still being done on company time.
  2. Either the individual is talking about the company or not.
    If they are, then they are acting as a spokesperson for the company. Is that allowed? If not, see #1.
  3. What is your policy for individuals doing things like setting up doctor/dentist/psychiatrist/podiatrist/liposuction appointments using “corporate resources” such as the telephone?
    How about with web-based interfaces? How about planning/booking vacations?
    Buying and selling stocks, never mind goods on eBay.

    If it comes to that, do you simply grant unfettered Internet access?
    Do you log access? Do you restrict access to certain sites?

    Do you have policy that clearly says you are doing this?

No, it’s not as simple as “social networking”. It is easy to ask those questions, but they drag in a whole gunnysack of other policy, business and liability matters that have to be resolved first. Many of them are not ones we in InfoSec, or even the IT people, are able to address.
