Monday, February 20, 2012

Social Media Risk Assessment Process - Part 2

The first step in the Social Media Risk Assessment Process ("SMRAP") is to identify the social media-related threats that can adversely affect the organization.  While these threats can be technology-based, they are most dangerous when they originate from human acts.


The ubiquitous use of social media has brought social media-related threats to the forefront.  Among the threats associated with social media are:

  • Disclosure of Confidential Customer Information by Employees;
  • Disclosure of Confidential Company Information by Employees;
  • Systems Outages Due to Social Media-Based Virus/Malware Infections;
  • Remediation Expenses Related to Social Media-Based Virus/Malware Infections;
  • Loss of Branding Content Contained on Social Media Platforms;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Hiring Process;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Termination Process;
  • Loss of Opportunity to Hire Star Employees Due to Information Contained on Social Media Platforms;
  • Spam/Malware/Virus Attacks Against Social Media Platform Friends/Followers; and, 
  • Excessive/Inappropriate Use of Social Media by Employees.

The SMRAP in and of itself does not assure adequate protection against social media-related risks.  Rather, the SMRAP is part of the organization’s overall Risk Management Program that includes the written policies, guidelines, employee awareness/training and an independent review of the organization’s social media practices.


The SMRAP concludes with a determination of the adequacy of existing controls relative to the identified threats and vulnerabilities.  The SMRAP allows management to determine the need for additional controls to reduce the organization's risk exposure. 



Since threats and vulnerabilities change over time, the SMRAP must be updated and reviewed on a regular basis to ensure the appropriateness and effectiveness of the controls in place.  Updates are minor changes to the existing risk profile.  These include changes resulting from the implementation and/or removal of a control, or when the effectiveness of a control changes.  Updates occur when the following events take place:

  • New control is implemented;
  • An incident highlights a minor discrepancy in the current risk profile (e.g., the likelihood or severity of a threat requires minor adjusting, or the assessed effectiveness of a control requires adjustment);
  • A risk is no longer applicable; and,
  • A new risk emerges.

A full SMRAP should generally be performed on an annual basis.  A full SMRAP should also be performed when any of the following occurs:

  • Increase in security risks/exposures due to an event or series of events (e.g., a significant change in the organization's social media strategy, or the development/implementation of an in-house social network);
  • Cumulative updates indicate the need for a review;
  • Changes in regulatory requirements; and,
  • Serious social media-related incident.

The results of the initial SMRAP and periodic SMRAP updates should be provided to the appropriate party within the organization such as the organization's Audit Committee and Board of Directors. 


Part 3 of this series will discuss risks, threats and vulnerabilities.


Series:
Social Media Risk Assessment Process - Part 1

1 comment:

  1. the SMRAP is part of the organization’s overall Risk Management Program that includes the written policies, guidelines, employee awareness/training and an independent review of the organization’s social media practices.

    Media Monitoring
