CIO Council Issues Social Media GuidanceAgencies' Use of Social Media is Not an IT Decision Alone
The decision to engage or not to engage in social media use should not be made by the IT department alone; rather, it must be developed by a risk-management process by the management team with recommendations by a wide-range of players, including the mission's owner as well as departmental or agency CIO, chief information security officers, legal counsel and privacy and public affairs officers, the CIO Council document says.
"This decision can only be made with a full understanding of the threats, risks, and mission needs," the CIO Council guidance say. "The goal of an agency's information security organization should be to securely enable the resources necessary to achieve mission objectives. This document recommends the creation of a government-wide policy based on the risks and mitigating controls presented, to provide appropriate guidance for the secure use of social media by federal departments and agencies."
The document will be useful for non-federal governmental organizations as well, says California CISO Mark Weatherford. In Weatherford's blog, he writes:
"The document validates what many of us have been saying for some time now that the decision to use social media technologies should be a risk-based business decision and not an IT security decision. Further, it states that 'The safe use of social media is fundamentally a behavioral issue, not a technology issue.' Everybody say 'Amen!' Not only do the guidelines recommend developing organizational policy for the use of social media, but that the policy should focus on personal and professional user behavior when using government information. The guidelines call for, among other things, augmented training requirements for employees and additional security monitoring and configuration controls. I can already see CISO's across the nation smiling."
Weatherford says the CIO Council report isn't important so much for its content, though it is, but for the standard and stimulus it establishes for governmental organizations. The CIO Council recommendations provide risk mitigation strategies by offering policy, acquisition, training, network and host controls.
"With transparency and open government the name of the game and on the top of every CIO's agenda, the guidelines acknowledge that social media is not without risk and that, unless actively managed, can introduce self-inflicted organizational wounds."
The CIO Council counsels diligence in safeguarding government IT assets. "As security tools become more sophisticated, so do attackers," the guidance says. "As departments improve their security capabilities ... attackers may shift to more advanced mechanisms to target specific users."