
2.3 Standards and guidelines

2.3.6 Federal CIO Council (US)

The Web 2.0 Security Working Group, under the authority of the Information Security and Identity Management Committee (ISIMC) as chartered by the Federal CIO Council (FCIOC) of the US, has published “Guidelines for Secure Use of Social Media by Federal Departments and Agencies” [25]. These guidelines are created with the intent to minimize the risk coupled with initiatives under President Obama to communicate with and include the general population using e.g. social media.

Figure 2.9: The four use cases of social media use of [25] and the amount of associated guidance for them. From [25].

The guidance gives “recommendations for the creation of a government-wide policy for social media, addressing policy controls, acquisition controls, training controls, and host and network controls” and does so with a general approach that is not specific to any vendor or technology.

The guidance identifies four use cases for social media within the guide’s context of federal bodies.

They are depicted in Figure 2.9 and described as (from [25]):

Inward sharing is “[. . . ] sharing of internal organizational documents [data] through internal collaboration sites [. . . ]”.

Examples: Internally hosted SharePoint or wikis.

Inbound sharing is exemplified with crowdsourcing.

Example: Change.gov (used for directing questions and proposals directly to the administration of the US).

Outward sharing is federal information to be shared with e.g. “state and local governments, law enforcement, large corporations, and individuals.” It is also called “inter-institutional sharing”.

Examples: Agency communication to the public using social media during emergencies or STAR-TIDES, a knowledge sharing research project.

Outbound sharing “is federal engagement on public commercial social media websites.”

Example: Interaction by a Secretary of State with foreign media through Twitter.

The use cases are referenced from Gartner Research, but this source cannot be identified currently.

The use cases generalize what types of social media interaction exist. They can be useful for distinguishing between advice for different scenarios, such that guidance subsequently can be presented in the right scenarios and to the right persons.

The guidance notes how inward sharing has a lot of guidance already, including standards with associated controls, whereas “[l]ess federal guidance exists for inbound, outward, and outbound sharing use cases, and the guidance that does exist is relatively recent.” [25].

The recommendations of the guidance are split into controls for policies, acquisition, training, network and hosts; relevant parts are included in the following subsections. The interested reader should review them in full in the original guide.

2.3.6.1 Policy controls

This Section notes that the safe use and navigation of social media is a behavioral issue, not a technology issue. This is because users will find a wide variety of platforms, and these are subject to constant changes. Thus policies should be in place regulating access to and distribution of data in both personal and private settings.

Federal agencies following this guidance are to develop guidelines for social media; one such example from the US Air Force is found in [12]. Directions to specific NIST publications concerning risk assessment and other parts also seen in the ISMS of DS/ISO 27001 are given; these are included in Sec. 2.3.3.

2.3.6.2 Acquisition controls

Apart from technical controls and controls directed at specific services, this Section suggests a special rule-set for using e.g. .mil or .gov addresses. They primarily aim to have the social media hosting provider implement this, but evidently a policy on using such highly specific addresses would also be valuable to adopt. Such an address is supposedly the employee’s organizational email address and thus necessary to use in most cases, but there is no need to use it for the contact sheet of the local brass band. If it has to be used on social media, the control says that details of employment/work, location, resume, skills and similar should not be included (I believe this should be extended to most info really, because private information can also quickly become a valuable stepping stone for a social engineer to gain confidence through e.g. “shared interests”).
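As an added illustration (not code from [25] or from this thesis), the following script checks a constructed list of account registrations on non-work sites against the acquisition control above: it flags registrations made with an official .gov/.mil address and profile fields that disclose employment details. The record layout, field names and sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed constants (not taken from [25]): official address suffixes and the
# profile fields the acquisition control says should be left empty.
OFFICIAL_SUFFIXES = (".gov", ".mil")
WORK_DETAIL_FIELDS = ("employer", "job_title", "work_location", "resume", "skills")


@dataclass
class Registration:
    """One account registration on a non-work site (constructed record layout)."""
    platform: str
    email: str
    profile: Dict[str, str] = field(default_factory=dict)


def is_official_address(email: str) -> bool:
    """True if the address domain ends in an official .gov/.mil suffix."""
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain.endswith(OFFICIAL_SUFFIXES)


def audit_registration(reg: Registration) -> List[str]:
    """Return the control deviations found for one registration."""
    findings = []
    if is_official_address(reg.email):
        findings.append("official address used for registration")
    for name in WORK_DETAIL_FIELDS:
        if reg.profile.get(name, "").strip():  # blank values are not disclosures
            findings.append(f"work detail disclosed: {name}")
    return findings


def audit_all(regs: List[Registration]) -> Dict[str, List[str]]:
    """Map 'platform:email' to its findings for a whole export."""
    return {f"{r.platform}:{r.email}": audit_registration(r) for r in regs}


# Constructed sample data; all addresses are illustrative only.
SAMPLE = [
    Registration("public-social-site", "Alice@Agency.example.GOV",
                 {"employer": "Agency X", "job_title": "Analyst"}),
    Registration("brass-band-contact-sheet", "alice@agency.example.gov"),
    Registration("public-social-site", "bob@example.net", {"skills": "  "}),
    Registration("public-social-site", "carol@unit.example.mil"),
]

if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE).items():
        print(key, findings or "ok")
```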

2.3.6.3 Training controls

This guidance is very critical of users’ ability to protect sensitive information; it reads:

“Users are almost always the weakest link in an information system, and may inadvertently divulge sensitive information through a social network. Few effective technical security controls exist that can defend against clever social engineering attacks. Often the best solution is to provide periodic awareness and training of policy, guidance, and best practices. The proper use of social media [. . . ] should be part of annual security awareness training.” [25].

Specifically, the training controls should include:

• An official policy/guidance on use of social media. The US Air Force’s “New media guide” [12] is given as an example; to the reader, it can be used as inspiration, but no specific advice usable to this project is found in it.

• Training employees “[. . . ] to be mindful of blurring their personal and professional life” and to not engage with external professionals that might do the same.

• Guidance on how to present themselves online; similar to the previous Section on acquisition controls, some roles may require disclosing some details, while others are not in a position to do so.

In addition, this Section suggests working with the organizational culture and general awareness training of cyber attack scenarios, as e.g. CPNI also advocates (see Sec. 2.3.4).

2.3.6.4 Network and host controls

This Section only contains technical controls. It suggests use of both US-specific federal solutions and more regularly available technologies like establishing a Security/Network Operation Center (SOC/NOC), web filtering, network segregation, use of strong authentication, sandboxing (executing files on a virtual machine to avoid infections) etc. It is not relevant here.