4 Tips for Writing a Great Social Media Security Policy

Facebook now claims 300 million active users. Naturally, social media growth has also been seen in the workplace, both with regard to employee use as well as functioning as a communication and/or marketing tool for some companies. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, the number of enterprises with a social media policy in place has jumped dramatically, too, in just twelve months. The takeaway, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives. Jack Phillips, IANS co-founder and CEO, said when IANS conducted the same survey in 2008, the majority of respondents did not have a social media policy. "They really hadn't done the hard thinking," said Phillips. "But then jumping forward to 2009 we saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies." Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. Instead, said Phillips, use this as an opportunity to draw attention to existing policies. "Most purists will say: This stuff isn't really new.

He shared with CSO four things he thinks organizations should consider when putting together policies and practices for use of Facebook, Twitter, LinkedIn and other social media within an organization.

1. Don't start from scratch

The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. It should be part of our HR and acceptable use policies," said Phillips. "The same sort of norms apply to this new world that has applied to the world before today." (See How to Write an Information Security Policy for more on the basics of effective policy.) Phillips noted most of the organizations IANS polled with a social media policy already in place said they had not named specific media because of the changing pace of new media. "It's Twitter today, but it may be something else tomorrow," he said.

2. Use social media policies to raise security awareness

"This issue is an opportunity for info sec leaders to refocus attention on information security and risk management," said Phillips. For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important. IANS is dispelling what Phillips says is age-old advice for enterprises when it comes to adapting to change. Same holds true this time around, said Phillips. "We are finding some innovative awareness tactics that focus on these technologies because they are front and center.

The percentages are so low in terms of success of awareness campaigns, this is an opportunity to jump in."

3. Use social media access to raise security's positive profile within the organization

While the initial security reaction to new media is often to block, Phillips said most organizations now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective. A Twitter campaign, or a Facebook campaign, a LinkedIn campaign, can all have real impact in terms of receptivity. "The advice we have given is, instead of just knee-jerk blocking everything, we find that this is an opportunity to record usage and activity among the employee base," said Phillips. "When the original data-loss-protection technologies were introduced, they were not in blocking mode, but in monitoring mode." Phillips believes the new technology of social media gives information security what he calls "an interesting opportunity" to see how critical these technologies are to the enterprise. "That kind of information is quite useful to other functions of the enterprise," he said. "Sales, marketing, HR are all going to be interested and that raises information security's profile among management."

4. Be prepared for the next phase

As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. As it stands now, he said, he finds his clients are more comfortable with some mediums, and with others, not so much. While creating entire new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

Most organizations find LinkedIn to be the most controllable and with the least potential for damage. Particularly, said Phillips, because many employees are not respecting that line between personal and enterprise. "Because these technologies are so different, it is at some point we expect policies are going to have to get granular," he said. "Our sense is high-performing teams will have to create unique Facebook, Twitter, LinkedIn and Google Docs policies. But Facebook, with its security vulnerabilities, and the nature of its content, still makes many uncomfortable. And they are going to have to get that granular about what is appropriate and inappropriate with each tool. "We will end up with an open environment, but we will end up with some asterisks that say, it's open, but not 100 percent open. For example, some might say: 'It is not appropriate to use the company's name on your Facebook profile.'"

Acadia, Cisco, EMC, VMware data center cloud unveiled

Cisco, EMC and VMware last week unveiled the much-rumored joint venture to sell their products to companies wanting to build internal clouds. Vblocks will be sold by Cisco, EMC and VMware to their largest enterprise customers and through the channel by systems integrators, service providers and solution providers. Called Acadia (for who knows what reason), the joint venture is a collaboration between the three companies that will launch in 2010 and sell what they call Vblocks, preconfigured packages of Cisco UCS blade servers, EMC storage gear, VMware virtualization software and EMC Ionix management software.

Already the coalition of Cisco, EMC and VMware has inked deals with six integrators, six service providers and nine solution providers. The company Acadia, which is being formed as we speak, will hire its own CEO and is hiring sales representatives. At the moment, Vblocks are prebuilt, pretested and preconfigured packages that include Cisco's recently announced UCS blade servers, the company's networking switches, EMC Symmetrix V-Max or CLARiiON arrays and VMware's vSphere virtualization software. No one yet knows (or they aren't talking about it) where the company will be based. Acadia has investments from Cisco, VMware and EMC and minority investments from Intel.

Vblocks consist of three configurations:

* Vblock 2 is a high-end configuration supporting up to 3,000-6,000 virtual machines that is targeted at large enterprises and service providers. It uses Cisco's Unified Computing System (UCS), Nexus 1000v and Multilayer Directional Switches (MDS), EMC's Symmetrix V-Max storage and the VMware vSphere platform.
* Vblock 1 is a midsized configuration supporting 800 up to 3,000 virtual machines that uses Cisco's UCS, Nexus 1000v and MDS, EMC's CLARiiON storage and the VMware vSphere platform.
* Vblock 0 will be an entry-level configuration available in 2010, supporting 300 up to 800 virtual machines that uses Cisco's UCS and Nexus 1000v, EMC's Unified Storage and the VMware vSphere platform.

Facebook groups disrupted but not hijacked, Facebook says

A group calling itself "Control Your Info" appears to have taken control of several dozen Facebook groups, inserting its own logo and stating "Hello, we hereby announce that we have officially hijacked your Facebook group." With a link back to a site, the apparent members - using the names "Bella Roregit," "Burstin Woltan" and "Janis Roukkos" - began leaving their mark on various Facebook groups intended for topics that include entertainment, business and sports. The Control Your Info statements declared: "This means we control a certain part of the information about you in Facebook. If we wanted, we could make you appear in a bad way which could damage you severely." According to the Control Your Info Web site, the group's mission is to bring attention to security weaknesses in social media. "Social media has become a natural part of most people's daily lives.

Unfortunately, the security aspects of social media have been more or less neglected." Control Your Info did not immediately respond to a request for comment about its activities. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Facebook, however, has issued a statement about the incident that says, "There has been no hijacking and there is no confidential information at risk. Group administrators have no access to private user information and group members can leave a group at any time. The names of large groups cannot be changed nor can anyone message all members.

For small groups, administrators can simply edit a group name or info, moderate discussion and message group members. In the rare instances when we find a group has been changed inappropriately, we will disable the group, which is the action we plan for these groups." Some users in the groups affected by the Control Your Info takeover were obviously displeased about the turn of events and scornful of Control Your Info's explanation about how it's making a point about security by taking control. "I have an idea, why don't I teach you about traffic safety by running you over with my car?" wrote one irate Facebook user in a group that had been commandeered by Control Your Info. "Is that how it works?" That's because the person who creates a group of this sort on Facebook is by default the administrator, and when this individual decides to abandon that by de-listing as the admin, anyone else in the group can step in to promote themselves to be the administrator. Michael Sutton, vice president of security research at zScaler, said he doesn't think the Control Your Info takeovers constitute a major security concern. That's the way Facebook designed this type of group and is clear about it, though other types of Facebook groups, such as closed ones, have different security procedures.

In that case, the Control Your Info people simply did a search to discover the type of Facebook groups that had the administrator position abandoned, and stepped in with their dramatic hijacking routine. "This is really making a mountain out of a molehill," he said.

As driving summit opens, AT&T launches anti-texting campaign

AT&T Inc. announced a campaign today to warn cell-phone users, especially teens, about the dangers of texting while driving in advance of a federal Distracted Driving Summit that kicks off in Washington on Wednesday. AT&T will also revise its policies to expressly prohibit texting while driving for its employees who drive as part of their job. The carrier said it will put warnings about texting on phones it sells before the holiday season and on signs in its stores.

AT&T is one of the country's largest employers, with 290,000 workers. Information about the dangers of texting while driving is being included in defensive driving classes. U.S. Transportation Secretary Ray LaHood is expected to attend the two-day meeting as well as federal highway safety officials and researchers on cell phone use while driving. Public service announcements are also planned to bring home the message to the public. All the major wireless carriers have campaigns opposing texting while driving, although the companies vary on their views about laws banning the practice.

The campaign will be announced today by AT&T CEO Randall Stephenson at the Detroit Economic Club, AT&T said. "Our goal is to send a simple, yet vital, message to all wireless users: Don't text and drive," Stephenson said in a statement. AT&T and other carriers want to take advantage of the timing before the summit, which AT&T will attend and support. Pending in the U.S. Senate is a bill to require states to ban texting while driving or face the partial loss of federal highway funds. "We think the decision as to whether there is specific legislation required is up to the public and to their legislators," the spokesman said in an e-mail today. But an AT&T spokesman said the carrier has decided to let the public decide its position on proposed legislation. The bill, called the ALERT Driving Act, was introduced in July and would require states to ban drivers from sending text or e-mail messages or risk losing 25% of their federal highway funds each year they fail to comply. Verizon Wireless supports the legislation, while Sprint Nextel said it hadn't taken a position, but has long argued for better driver education to urge drivers not to text and drive.

AT&T said in July, before it had reviewed the ALERT legislation, that it was generally supportive of legislation prohibiting texting while driving, but did not explain its apparent shift today. The financial sanctions in the bill caused the Governors Highway Safety Association to oppose the measure. One recent study found that the risk of getting into an accident is 23 times higher when texting while driving. Currently, 14 states have various laws that ban texting while driving, which some research studies have found greatly impairs a driver's ability to drive safely. Some groups argue that more laws won't help.

Vlingo's view is that laws are hard to enforce, making hands-free technology all the more important. Vlingo Corp., which makes a mobile voice application, today released data from a survey of 4,800 people that showed little or no impact from state bans on driver behavior.