4 Tips for Writing a Great Social Media Security Policy

Facebook now claims 300 million active users. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics. Naturally, social media growth has also been seen in the workplace, both with regard to employee use as well as functioning as a communication and/or marketing tool for some companies.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, the number of enterprises with a social media policy in place has jumped dramatically, too, in just twelve months. Jack Phillips, IANS co-founder and CEO, said when IANS conducted the same survey in 2008, the majority of respondents did not have a social media policy. "They really hadn't done the hard thinking," said Phillips. "But then jumping forward to 2009 we saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies." Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. The takeaway, according to Phillips, is that social media is front and center now in organizations, and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives. Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception.

He shared with CSO four things he thinks organizations should consider when putting together policies and practices for use of Facebook, Twitter, Linked In and other social media within an organization.

1. Don't start from scratch

The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies. "Most purists will say: This stuff isn't really new. It should be part of our HR and acceptable use policies," said Phillips. "The same sort of norms apply to this new world that has applied to the world before today." (See How to Write an Information Security Policy for more on the basics of effective policy.) Phillips noted most of the organizations IANS polled with a social media policy already in place said they had not named specific media because of the changing pace of new media. "It's Twitter today, but it may be something else tomorrow," he said.

2. Use social media policies to raise security awareness

IANS is dispelling what Phillips says is age-old advice for enterprises when it comes to adapting to change. "This issue is an opportunity for info sec leaders to refocus attention on information security and risk management," said Phillips. For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important. The same holds true this time around, said Phillips. "We are finding some innovative awareness tactics that focus on these technologies because they are front and center. A Twitter campaign, or a Facebook campaign, a Linked In campaign, can all have real impact in terms of receptivity. The percentages are so low in terms of success of awareness campaigns, this is an opportunity to jump in."

3. Use social media access to raise security's positive profile within the organization

While the initial security reaction to new media is often to block, Phillips said most organizations now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective. "The advice we have given is, instead of just knee-jerk blocking everything, we find that this is an opportunity to record usage and activity among the employee base," said Phillips. "When the original data-loss-protection technologies were introduced, they were not in blocking mode, but in monitoring mode." Phillips believes the new technology of social media gives information security what he calls "an interesting opportunity" to see how critical these technologies are to the enterprise. "That kind of information is quite useful to other functions of the enterprise," he said. "Sales, marketing, HR are all going to be interested and that raises information security's profile among management."

4. Be prepared for the next phase

As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entire new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

"Because these technologies are so different, it is at some point we expect policies are going to have to get granular," he said. "Our sense is high-performing teams will have to create unique Facebook, Twitter, Linked In and Google Docs policies. And they are going to have to get that granular about what is appropriate and inappropriate with each tool." As it stands now, he said, he finds his clients are more comfortable with some mediums and with others; not so much. Most organizations find Linked In to be the most controllable and with the least potential for damage. But Facebook, with its security vulnerabilities, and the nature of its content, still makes many uncomfortable. Particularly, said Phillips, because many employees are not respecting that line between personal and enterprise. "We will end up with an open environment, but we will end up with some asterisks that say, it's open, but not 100 percent open. For example, some might say: 'It is not appropriate to use the company's name on your Facebook profile.'"

Acadia, Cisco, EMC, VMware data center cloud unveiled

Cisco, EMC and VMware last week unveiled the much rumored joint venture to sell their products to companies wanting to build internal clouds. Called Acadia (for who knows what reason), the joint venture is a collaboration between the three companies that will launch in 2010 and sell what they call Vblocks, preconfigured packages of Cisco UCS blade servers, EMC storage gear, VMware virtualization software and EMC Ionix management software. Vblocks will be sold by Cisco, EMC and VMware to their largest enterprise customers and through the channel by systems integrators, service providers and solution providers.

Already the coalition of Cisco, EMC and VMware has inked deals with six integrators, six service providers and nine solution providers. Acadia has investments from Cisco, VMware and EMC and minority investments from Intel. The company Acadia, which is being formed as we speak, will hire its own CEO and is hiring sales representatives. No one yet knows (or they aren't talking about it) where the company will be based. At the moment, Vblocks are pre-built, pretested and preconfigured packages that include Cisco's recently announced UCS blade servers, the company's networking switches, EMC Symmetrix V-Max or Clariion arrays and VMware's vSphere virtualization software. Vblock consists of three configurations:

* Vblock 2 is a high-end configuration supporting up to 3,000-6,000 virtual machines that is targeted at large enterprises and service providers. It uses Cisco's Unified Computing System (UCS), Nexus 1000v and Multilayer Directional Switches (MDS), EMC's Symmetrix V-Max storage and the VMware vSphere platform.
* Vblock 1 is a midsized configuration supporting 800 up to 3,000 virtual machines that uses Cisco's UCS, Nexus 1000v and MDS, EMC's CLARiiON storage and the VMware vSphere platform.
* Vblock 0 will be an entry-level configuration available in 2010, supporting 300 up to 800 virtual machines that uses Cisco's UCS and Nexus 1000v, EMC's Unified Storage and the VMware vSphere platform.

Facebook groups disrupted but not hijacked, Facebook says

A group calling itself "Control Your Info" appears to have taken control of several dozen Facebook groups, inserting its own logo and stating "Hello, we hereby announce that we have officially hijacked your Facebook group." With a link back to a site, the apparent members - using the names "Bella Roregit," "Burstin Woltan" and "Janis Roukkos" - began leaving their mark on various Facebook groups intended for topics that include entertainment, business and sports. The Control Your Info statements declared: "This means we control a certain part of the information about you in Facebook. If we wanted, we could make you appear in a bad way which could damage you severely." According to the Control Your Info Web site, the group's mission is to bring attention to security weaknesses in social media. "Social media has become a natural part of most people's daily lives. Unfortunately, the security aspects of social media have been more or less neglected." Control Your Info did not immediately respond to a request for comment about its activities.

Facebook, however, has issued a statement about the incident that says, "There has been no hijacking and there is no confidential information at risk. Group administrators have no access to private user information and group members can leave a group at any time. The names of large groups cannot be changed nor can anyone message all members. For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups." The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. That's because the person who creates a group of this sort on Facebook is by default the administrator, and when this individual decides to abandon that by de-listing as the admin, anyone else in the group can step in to promote themselves to be the administrator.

Some users in the groups affected by the Control Your Info takeover were obviously displeased about the turn of events and scornful of Control Your Info's explanation about how it's making a point about security by taking control. "I have an idea, why don't I teach you about traffic safety by running you over with my car?" wrote one irate Facebook user in a group that had been commandeered by Control Your Info. "Is that how it works?" Michael Sutton, vice president of security research at zScaler, said he doesn't think the Control Your Info takeovers constitute a major security concern. That's the way Facebook designed this type of group and is clear about it, though other types of Facebook groups, such as closed ones, have different security procedures. In that case, the Control Your Info people simply did a search to discover the type of Facebook groups that had the administrator position abandoned, and stepped in with their dramatic hijacking routine. "This is really making a mountain out of a molehill," he said.

As driving summit opens, AT&T launches anti-texting campaign

AT&T Inc. announced a campaign today to warn cell-phone users, especially teens, about the dangers of texting while driving in advance of a federal Distracted Driving Summit that kicks off in Washington on Wednesday. The carrier said it will put warnings about texting on phones it sells before the holiday season and on signs in its stores. AT&T will also revise its policies to expressly prohibit texting while driving for its employees who drive as part of their job.

AT&T is one of the country's largest employers, with 290,000 workers. Information about the dangers of texting while driving is being included in defensive driving classes. Public service announcements are also planned to bring home the message to the public. U.S. Transportation Secretary Ray LaHood is expected to attend the two-day meeting as well as federal highway safety officials and researchers on cell phone use while driving. All the major wireless carriers have campaigns opposing texting while driving, although the companies vary on their views about laws banning the practice.

The campaign will be announced today by AT&T CEO Randall Stephenson at the Detroit Economic Club, AT&T said. "Our goal is to send a simple, yet vital, message to all wireless users: Don't text and drive," Stephenson said in a statement. AT&T and other carriers want to take advantage of the timing before the summit, which AT&T will attend and support. Pending in the U.S. Senate is a bill to require states to ban texting while driving or face the partial loss of federal highway funds. But an AT&T spokesman said the carrier has decided to let the public decide its position on proposed legislation. "We think the decision as to whether there is specific legislation required is up to the public and to their legislators," the spokesman said in an e-mail today. The bill, called the ALERT Driving Act, was introduced in July and would require states to ban drivers from sending text or e-mail messages or risk losing 25% of their federal highway funds each year they fail to comply. Verizon Wireless supports the legislation, while Sprint Nextel said it hadn't taken a position, but has long argued for better driver education to urge drivers not to text and drive.

AT&T said in July, before it had reviewed the ALERT legislation, that it was generally supportive of legislation prohibiting texting while driving, but did not explain its apparent shift today. The financial sanctions in the bill caused the Governors Highway Safety Association to oppose the measure. Currently, 14 states have various laws that ban texting while driving, which some research studies have found greatly impairs a driver's ability to drive safely. One recent study found that the risk of getting into an accident is 23 times higher when texting while driving. Some groups argue that more laws won't help.

Vlingo Corp., which makes a mobile voice application, today released data from a survey of 4,800 people that showed little or no impact from state bans on driver behavior. Vlingo's view is that laws are hard to enforce, making hands-free technology all the more important.

Google Street View Battle Highlights Privacy Challenge

Google is being sued by a Swiss watchdog agency for allegedly failing to take adequate measures to protect privacy. The debate in Switzerland is over Google's Street View image indexing. The legal battle in Switzerland is just the latest in a long line of privacy issues with Google and illustrates the challenge of providing as much information as possible without violating privacy concerns.

Hanspeter Thuer, the Swiss Federal Data Protection and Information Commissioner (FDPIC), made recommendations to Google to address concerns with Street View images displaying car license plates and people's faces. Google claims it has taken strides to comply with those recommendations, but the FDPIC doesn't feel Google has done enough. This isn't the first time Street View has gotten into trouble over privacy. Google has also faced backlash over Street View in the United Kingdom, Canada, Greece, and Japan. Greece is distressed by how long Google plans to maintain the Street View images in its database.

One concern in Japan, which has been echoed in Switzerland, is that the height of the car-mounted Street View cameras is capable of seeing over fences and into homes. Google's privacy issues are not restricted to the Street View images, though. Google Latitude, a GPS mapping and tracking service, keeps track of your location in real-time and maintains a mapped database of previous locations. Google recently launched a new feature allowing you to set up alerts that can notify you when a friend is nearby. The cool factor is tempered with a creepy Big Brother vibe. There are privacy issues related to Google Social Search, Google recently modified indexing of Gmail messages to address concerns over transcribed Google Voice emails showing up in the search engine, and even the embryonic Chrome OS has raised privacy concerns.

The list goes on and on. Google recently unveiled the Google Dashboard to address privacy concerns. The Google Dashboard displays all of the information associated with your Google profile, providing you with an at-a-glance resource to see just how much Google knows about you. But the Google Dashboard itself has privacy and security implications as well. It is a difficult balance for Google to manage.

Technology has brought us to the point where, unless you live in an unmarked cabin in the Rockies and live off the land, data about you is being indexed virtually everywhere. If you read books like Database Nation by Simson Garfinkel, or The Soft Cage by Christian Parenti, you come to the realization that privacy is largely an illusion at this point. Privacy is a myth. That doesn't mean we should all just give up and accept that we have no privacy. On the contrary, perhaps it suggests we need to be more vigilant about protecting what little privacy we might have left. Google has to struggle with the conflict of interest between indexing all of the data in the world, and protecting privacy.

Not only that, but Google must also tailor its indexing and business practices on a country by country basis to comply with local data protection and privacy regulations. My fellow PC World writer David Coursey has pointed out that Google has not yet done anything to lead us to believe it has evil intentions for our data, but the data is still there on the Google servers. Coursey ponders what might happen following another 9/11-caliber terrorist attack: "Would Google provide information it has about suspects? Use its data and profiling capability to find more suspects? If it did, how long would it be before we knew? And where, exactly, is the line between patriotism and invasion of privacy?" That is a valid question. Google has to continue to strike a balance between information and privacy, and users need to grasp that the convenience provided by Google's products and services comes at a cost.

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.

Do collaboration tools enable collaboration?

At the recent IT Roadmap conference in Washington D.C. there was a panel discussion about how the younger generation uses tools such as texting to stay in touch with friends. One of the implications of the discussion was that the younger generation is more facile with collaboration than is the current workforce. Another implication was that as the younger generation enters the workforce, they will bring their collaborative approach with them, and this will drive the existing workforce to be more collaborative. We want to use this newsletter to express an alternative opinion.

There is no doubt that the younger generation, the kids that are currently in grammar school and high school, are very facile with collaboration tools such as texting. However, most people that we know that are currently in the workforce also text – perhaps not as much as the younger generation, but they do. Hence, we do not see that age is a barrier that keeps the current generation of workers from texting. One concern that we have is that young people often use texting as an alternative to face-to-face communications. In fact, in some cases, they seem to prefer to send texts back and forth vs. having a conversation.

Is this really collaboration or is it running away from collaboration? Collaboration tools such as texting, instant messaging, and twitter are well suited to support a simplex or at best half duplex conversation, such as sending a text to inform someone that you will be late for a meeting. That is a form of collaboration – but a very low level form. Let's set up a hypothetical situation. A company is considering using a software-as-a-service provider for some new application. The company pulls together a project team comprised of people in different organizations, including someone from the WAN organization, from the software development group, security and compliance, and one or more business units.

The various members of the team have different, and in some cases, conflicting goals. For example, the people who represent the business units want to get the solution running as soon as possible; the security and compliance people are worried that they will not be able to pass an audit if the solution is deployed; the person from the software organization feels their organization is being bypassed, and the person from the WAN organization is concerned about how much extra traffic will now transit the WAN. The disparate goals of the project team members will not be resolved by sending text messages, IMs, or tweets. That is not to say that there are not collaboration tools that can help. One IT professional we talked with told us that his organization had used traditional videoconferencing for years. He added that he believes that telepresence is more powerful than traditional videoconferencing in part because the picture quality allows you to see body language and facial expressions as well as you could in person.

Of course, telepresence does place a tremendous burden on the WAN. Just seeing body language and facial expression may not resolve the fact that the project team members have disparate goals. It does, however, have a better chance of succeeding than a text that reads: OMG, c u @ 10:15.

Vendor group forms cloud storage initiative

The Storage Networking Industry Association (SNIA) announced today the formation of the Cloud Storage Initiative (CSI) in order to establish a lexicon of cloud-computing terminology, publish use cases, white papers and technical specifications, and to create reference implementation models for grid-storage architectures. The CSI will coordinate and deliver educational materials for cloud storage vendors and user communities. The organization also plans to perform market outreach highlighting the virtues of cloud storage. The group is developing a single specification as part of its efforts.

The SNIA made the announcement at the Storage Networking World conference, which is co-sponsored by Computerworld. The Cloud Data Management Interface (CDMI) will be an application programming interface to which vendors can write management software that will allow interoperability between heterogeneous cloud storage offerings, according to Wayne Adams, SNIA's chairman emeritus. "Part of the challenge with cloud is where does the data live? And how are you able to manage it once it's in the cloud, and can you get it back in the same format that you now have," said Mark Carlson, a SNIA Technical Council member. "There's this idea of how portable is my data that once I get it out there can I get it back in a format that can be ingested by another vendor?" Carlson said the CSI will focus on disseminating information about technology to build both public cloud services, such as Amazon's S3 service, and private cloud architectures in data centers. The CSI will complement the technical innovation and development from the SNIA Cloud Storage Technical Working Group, which has more than 140 members representing over 50 commercial vendors, service providers and educational institutions. The CSI published cloud storage use cases and requirements for cloud storage in June.

The CSI will aid the Technical Working Group in bringing specifications and technical developments to international standards development organizations. It is also releasing a joint white paper with the Open Grid Forum (OGF) focused on cloud storage for cloud computing, all developed by the working group. For example, the CSI will promote and deliver a new cloud storage tutorial to be unveiled at Storage Networking World this week. "It's both encouraging and timely to see this new initiative from SNIA," said Simon Robinson, research director of storage for research firm The 451 Group. "It's gratifying to see this co-operative effort around standards and education, since those are two of the current impediments to fast adoption as technologies mature and become integrated into more vendor offerings."