Wednesday, February 22, 2012

Social Media Risk Assessment Process - Part 4

The Social Media Risk Assessment Process ("SMRAP") should be incorporated as a component of the organization’s overall risk management strategy.  

Generally, a revised social media risk assessment should be conducted on an annual basis.  The fundamental basis of the SMRAP is to balance the Bank’s desire and need to utilize social media with the other factors associated with doing business.  The organization must recognize that some risk must be accepted to make use of social media for business.  The organization must also recognize that some social media risks exist regardless of the organization's social media strategy.  As such, the risk assessment program provides a practical approach to efficiently and cost-effectively identifying risks associated with social media use - regardless of the look and feel of the organization's social media strategy.

Risk assessments help ensure that employees comply with the organization's requirements as outlined in its social media policy, code of conduct and other related policies.  The SMRAP also raises employee awareness regarding social media risks associated with their business unit’s use of social media.  Additionally, the SMRAP assists the organization in making informed decisions about the need for additional risk mitigation controls.

The SMRAP can be conducted by a centralized department or rolled out to departments and sites on a decentralized basis.  Each organization must determine how to best disseminate the SMRAP.  The goal of the SMRAP is to identify threats and vulnerabilities posed by social media.  This may be difficult to do through a centralized approach if the organization is large and/or spread out geographically.

Those responsible for performing the SMRAP must determine each threat and its associated vulnerabilities.  For each vulnerability, the manager must determine the controls in place to prevent it from being exploited, the severity of the impact upon the organization if it were exploited, and the likelihood of the exploit occurring given existing internal controls.  It is important to note that this process requires a certain level of subjectivity.  As such, the success or failure of the SMRAP hinges upon the knowledge and understanding of the individual(s) performing the SMRAP, and the organization should select individuals with experience in assessing risks and business impact.  The use of junior staff to conduct the SMRAP may lead to under- or overestimated conclusions - unless the staff are well supervised.  Part 5 of this series will describe an easy manner to document the SMRAP.

Once the risk level is determined for each threat/vulnerability pair, organizations may consider additional controls for moderate- and high-risk levels.  After the control enhancements have been incorporated, the threat/vulnerability pair is re-evaluated to determine the residual risk that remains once the control is implemented.

The outcome of the SMRAP process is the mitigation of risk to acceptable levels, thereby providing adequate protection to the organization.  As such, to the extent that moderate- and high-risk levels exist after the implementation of mitigating controls, the threat should be elevated to senior management for further discussion.  It is important to note that operating under moderate- or high-risk levels is not uncommon.  However, under such circumstances it is important to ensure that the appropriate parties are aware of the risks and that all options have been considered.  This awareness is crucial for line units - particularly during periods of duress.  Consider it a form of CYA!

In cases in which additional controls must be implemented to mitigate moderate and high risks, the organization should consider the development of a formal written action plan that documents the controls.  The action plan should include the steps to be taken, the time frame for completion and the individuals responsible for implementation of the controls.
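As an added illustration (not part of the original posts), the following Python models the Part 4 evaluation of threat/vulnerability pairs: an inherent rating from likelihood and severity, a residual rating once the Part 3 control types are applied, and the list of pairs that stay moderate or high and therefore go to senior management with an action plan.  The 1-3 scales, the cut-offs, the control effect model and the sample pairs are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

CONTROL_TYPES = ("preventative", "detective", "corrective", "deterrent")  # Part 3

def rate(likelihood: int, severity: int) -> str:
    """Combine a 1-3 likelihood and 1-3 severity into low/moderate/high.
    The 3x3 scale and cut-offs are assumptions; the posts only say risk
    combines severity and likelihood and is rated low, moderate or high."""
    score = likelihood * severity  # 1..9
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"

@dataclass
class Control:
    name: str
    kind: str                      # one of CONTROL_TYPES
    likelihood_reduction: int = 0  # assumed effect model: steps removed from likelihood
    severity_reduction: int = 0    # steps removed from severity (impact)

@dataclass
class Pair:
    threat: str
    vulnerability: str
    likelihood: int                # inherent rating, before controls
    severity: int
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        return rate(self.likelihood, self.severity)

    def residual(self) -> str:
        """Re-rate the pair with the controls in place; a rating never drops below 1."""
        like = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        sev = max(1, self.severity - sum(c.severity_reduction for c in self.controls))
        return rate(like, sev)

    def missing_control_types(self) -> list:  # control types not yet documented for this pair
        return [k for k in CONTROL_TYPES if k not in {c.kind for c in self.controls}]

def needs_escalation(pairs) -> list:
    """Pairs still moderate or high after controls go to senior management with an action plan."""
    return [p.threat for p in pairs if p.residual() in ("moderate", "high")]

# Constructed sample register using threats named in Part 2 of the series.
SAMPLE_PAIRS = [
    Pair("Spam/Malware/Virus Attacks Against Friends/Followers", "weak account password", 3, 3, [
        Control("password standard", "preventative", likelihood_reduction=1),
        Control("social media monitoring", "detective", severity_reduction=1),
        Control("account lock-out reset procedure", "corrective", severity_reduction=1)]),
    Pair("Disclosure of Confidential Customer Information by Employees", "no policy training", 2, 3, [
        Control("termination clause in social media policy", "deterrent", likelihood_reduction=1)]),
]
```

With these assumed ratings the first pair drops from high to low and needs no escalation, while the second stays moderate and would go to senior management with a written action plan.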

It is highly recommended that the SMRAP be evaluated by the appropriate parties within the organization.  This may include the CEO, CIO, IT Steering Committee, Compliance Committee, Audit Committee and the Board of Directors.  The purpose of the review should be to share the strengths and weaknesses of the organization’s social media strategy from a risk perspective.  Identified organizational vulnerabilities should be addressed with the appropriate personnel for the purpose of implementing corrective actions.

The SMRAP focuses on strategic and operational issues.  Organizational vulnerabilities are weaknesses related to the organization’s policies or practices that can result in the manifestation of a threat.  Part 5 of this series will drill down into specific threats and vulnerabilities and will provide the most common ones as a template.  However, the framework that will be introduced in Part 5 provides sufficient flexibility to allow the user of the SMRAP to customize the process with organization-specific threats and vulnerabilities.

Tuesday, February 21, 2012

Social Media Risk Assessment Process - Part 3

Risk is the possibility of an act or event occurring that would have an adverse effect on the organization.  Risk can also be the potential that a given threat will exploit vulnerabilities to cause loss of, or damage to, the organization.  Risk is generally measured by a combination of severity and likelihood of occurrence.

A threat is an action or event that might jeopardize the organization.  It is a sequence of circumstances and events that allow a human (disgruntled employee, etc.) or other agent (virus, Trojan horse, etc.) to cause a misfortune by exploiting vulnerabilities.  A vulnerability is a weakness that allows a threat to manifest itself. 

Considerations to keep in mind when determining threats:

  • Determining the legal implications and contingent liability associated with any identified risks.  For example, if hackers successfully access the organization’s Facebook account and use it to subsequently attack followers/friends, the organization may be liable for damages incurred by the party that is attacked.
  • Capability and motivation are important attributes of threats.  Threats need both attributes (capability and motivation) to be credible.  For example, a skilled hacker seeking access to a Facebook account is considered a credible threat because the hacker has the capability (skills) and motivation (financial/ideological gain from the use of the organization's Facebook account).
  • Interested parties.  Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime rings or even agents of espionage pose a potential threat.
  • Poor security program/poor employee security awareness.  Hackers often exploit well-known weaknesses in how users create passwords.

Internal controls are mechanisms that enable the organization to achieve its business objectives.  With appropriate controls in place the organization is able to effectively mitigate the risk posed by a threat.  With respect to social media, internal controls are designed to meet three main objectives:

  • Confidentiality:  Preventing the disclosure of sensitive information;
  • Integrity:  Preventing unauthorized modifications to information and maintaining internal and external consistency; and,
  • Availability:  Ensuring that the systems are working and that the data is accessible to users as required.

In addition to requiring the documentation of threats and vulnerabilities, the SMRAP also requires the documentation of associated controls.  To maintain an effective social media risk assessment process the organization must ensure that it has adequately considered the implementation of the following types of controls:

  • Preventative Controls:  These controls are established to avoid occurrences of unwanted events.  This type of control may include passwords, policies, procedures, security awareness programs, etc.  These controls are considered “proactive.”
  • Detective Controls:  These controls alert and identify violations after the fact.  These controls can include social media monitoring and other information that provides notification after the event has occurred.  These controls are considered “reactive.”
  • Corrective Controls:  These controls are intended to remedy unauthorized events and to restore the original controls.  For example, the ability to reset the custodian of a social media account that has been locked out due to some adverse event is considered a corrective control.
  • Deterrent Controls:  These controls discourage violations. For example, a policy statement that states that violators may be terminated for non-compliance with the social media policy is considered a deterrent control.

Part 4 of this series will begin discussion on the risk assessment process.

Monday, February 20, 2012

Social Media Risk Assessment Process - Part 2

The first step in the Social Media Risk Assessment Process ("SMRAP") is to identify the social media-related threats that can adversely affect the organization.  While these threats can be technology-based, they are most dangerous when they originate from human acts.

The ubiquitous use of social media has brought social media-related threats to the forefront.  Among the threats associated with social media are:

  • Disclosure of Confidential Customer Information by Employees;
  • Disclosure of Confidential Company Information by Employees;
  • Systems Outages Due to Social Media-Based Virus/Malware Infections;
  • Remediation Expenses Related to Social Media-Based Virus/Malware Infections;
  • Loss of Branding Content Contained on Social Media Platforms;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Hiring Process;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Termination Process;
  • Loss of Opportunity to Hire Star Employees Due to Information Contained on Social Media Platforms;
  • Spam/Malware/Virus Attacks Against Social Media Platform Friends/Followers; and, 
  • Excessive/Inappropriate Use of Social Media by Employees.

The SMRAP in and of itself does not assure adequate protection against social media-related risks.  Rather, the SMRAP is part of the organization’s overall Risk Management Program that includes the written policies, guidelines, employee awareness/training and an independent review of the organization’s social media practices.

The SMRAP concludes with a determination of the adequacy of existing controls relative to the identified threats and vulnerabilities.  The SMRAP allows management to determine the need for additional controls to reduce the Bank’s risk exposure. 

Since threats and vulnerabilities change over time, the SMRAP must be updated and reviewed on a regular basis to ensure the appropriateness and effectiveness of the controls in place.  Updates are minor changes to the existing risk profile.  These include changes resulting from the implementation and/or removal of a control, or when the effectiveness of a control changes.  Updates occur when the following events take place:

  • New control is implemented;
  • An incident highlights a minor discrepancy in the current risk profile (i.e., the likelihood or severity of a threat requires minor adjusting or the effectiveness of a control requires adjustment);
  • A risk is no longer applicable; and,
  • A new risk emerges.

The SMRAP should generally occur on an annual basis.  The SMRAP should also take place when the following occurs:

  • Increase in security risks/exposures due to an event or series of events (i.e., significant change in organization's social media strategy, development/implementation of in-house social network, etc.);
  • Cumulative updates indicate the need for a review;
  • Changes in regulatory requirements; and,
  • Serious social media-related incident.

The results of the initial SMRAP and periodic SMRAP updates should be provided to the appropriate party within the organization such as the organization's Audit Committee and Board of Directors. 

Part 3 of this series will discuss risks, threats and vulnerabilities.

Sunday, February 19, 2012

Social Media Risk Assessment Process - Part 1

Do you hear that?  There it is again.  Did you hear it that time?!  Oh man, it's worse than I thought.  The bank examiners are updating their examination procedures to include "social media" and the industry is not ready for it.  What does that mean?  Low Hanging Fruit Time.  Noooooooooo....   

This post is about the development of a Social Media Risk Assessment Process (“SMRAP”).  The SMRAP provides organizations with a systematic approach to evaluating exposure to social media-related risks.  The SMRAP focuses on five components: Threats, Vulnerabilities, Controls, Likelihood of Occurrence and Impact.

Social Media Risk Assessment Matrix

The SMRAP is intended to achieve one basic goal: the protection of the organization's reputation.

Management is responsible for ensuring that systems and data are adequately protected.  Historically this has related to the systems and data maintained within the organization's walls.  Unfortunately, as organizations increasingly move to third-party social media platforms such as Facebook, Twitter and LinkedIn (and for good reasons), management must now take measures to adequately control risks related to external systems.

Management is also responsible for protecting the organization's reputation from intentional and unintentional acts that may cause harm to the organization.  Unfortunately, reputational harm can come from many directions, including public outcry (think Bank of America's debit card debacle or Occupy Wall Street).

A key organizational business objective is to maintain a set of policies and procedures that protect against and mitigate risks related to day-to-day operations.  Social media risks have become part of the day-to-day risks of any organization.  As has been previously stated, organizations cannot determine whether or not to participate in social media.  Social media happens.  And it has been happening for some time.  The question is whether or not management has realized this fact and has moved to mitigate the risks before the risks mitigate the organization.

The SMRAP is used to identify, evaluate, document, monitor and manage social media risks.  Through the SMRAP the organization is able to identify and prioritize social media-related risks and develop appropriate risk management strategies.  Such strategies include the establishment of appropriate policies and the selection of cost-effective controls that implement the policies.

Part 2 of this series will begin the process of identifying the social media threats that must be evaluated as part of a risk assessment process.