Thursday, March 1, 2012

Social Media Risk Assessment Process - Part 5

Ahhhh. The fifth and final part of this series on the Social Media Risk Assessment Process ("SMRAP").  I hope you've enjoyed the series up to this point.  I know I've enjoyed bringing it to you.

This last segment is all about completing the SMRAP.  I've created a fairly basic yet effective social media risk assessment model.  As you will note from the graphic below, my model uses the concept of "Threat/Vulnerability" pairs to isolate weaknesses that can result in disaster.  In a nutshell, here's the deal:  there are threats and there are vulnerabilities.


Threats are actions or events that can cause harm to the organization.  For example, when it comes to social media risks, an example of a threat is the disclosure of confidential customer information over social media.

Vulnerabilities are simply weaknesses in the system.  They are the chinks in the armor.  Vulnerabilities are what enable the threats to take form.  For example, a vulnerability related to the threat above could be a lack of understanding of social media-related information security risks by employees.

Therefore, using the same threat example above, a way for the threat to manifest or occur can be due to a lack of adequate employee training.  In other words, an employee does not know that it is a bad idea to post confidential employee information on social media sites and as such, the employee post information or takes part in conversations that reveal confidential customer information.

This is what I refer to as the Threat/Vulnerability pair.  A threat creates havoc and a vulnerability permits the threat to wreak havoc.  It must be noted that threats in and of themselves are fairly harmless.  Without a vulnerability, threats have no life.


STEP 1:  Determine the threats that apply to the organization's social media environment.  I have created a social media risk assessment template that contains the majority of "high level" organizational threats.  You can download the social media risk assessment document here.

STEP 2: Determine the vulnerabilities (weaknesses) that can create an environment in which the threats can manifest.  In some cases a threat will have only one vulnerability associated with it.  However, in the majority of cases there will be multiple vulnerabilities associated with each threat.  If you inspect the template social media risk assessment you will see multiple vulnerabilities per threat (see graphic above).

STEP 3:  Once the threats and vulnerabilities have been identified it is time to determine the internal controls that are in place.  Internal controls are the practices and processes that will keep the vulnerability from turning the threat into a reality.  The template provided contains common controls.  It is not likely that every organization will have every control listed.  The greater the number and breadth of controls in place, the less likely the threat will take place.  Each control should be listed on the risk assessment as shown in the template document.

STEP 4:  Based upon the internal controls in place and the nature of the threat and vulnerability, the organization must determine the likelihood that the threat will take place.  A sample Likelihood Matrix, such as the one shown below, is contained in the template.


STEP 5:  Next, the organization must determine the severity of the effect of the threat if it were to manifest based upon the existing controls.  Similar to the Likelihood Matrix, the template contains a Severity Matrix such as the one below.


STEP 6: Finally, the organization uses both the Likelihood of Occurrence and the Impact of Severity to determine the Risk Level.  The template also contains a matrix to assist in the determination of risk.


STEP 7:  After completing the social media risk assessment it should be reviewed.  Considerations in the review include a risk level that is too high relative to the organization's risk appetite.  For example, it may be the policy that all "moderate" and "high" risk areas be reviewed with senior management to discuss further internal controls that can be implemented to reduce the risks. It is generally a good idea to summarize the risk assessment process and deliver a report to the organization's Audit Committee and possibly the Board of Directors.  Along with the report may be recommendations or action items that will be taken to increase the number of internal controls to reduce the overall risk.  Once such action items are completed the organization can again perform the risk assessment to determine if the internal controls have been effective in reducing the risk level.

It must be noted that there are many ways to conduct a risk assessment.  This method is just one.  There is no right or wrong methodology as long as the end result provides an assessment of the residual risk and considers all of the practical threats.

I encourage you to take this template and turn it into your own.  I also ask that you return to this post with your recommended revisions/enhancements to the template so that others may also benefit.

Enjoy.

17 comments:

  1. Hey, that is a really comprehensive process you have there - well done

  2. Your article rates a blue ribbon in my opinion. This is great quality content. Internal Auditor CV Templates

  3. Thanks for completing out the risks assessment of social media. It's a good guide for social media marketeers out there. social media services

  4. Very nice article. I learned a lot from this article.

  5. The earliest process to be performed should be a risk assessment of social media that will identify the risks showing the threats, possibilities of the threat. gain instagram followers free

  6. The first several months of my site there were no comments; just give it time; now they come in like crazy every day! Thanks. social media management michigan

  7. I wish more authors of this type of content would take the time you did to research and write so well.
  8. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
  9. I did a search on the subject and found nearly all persons will go along with your blog.
  10. This is very educational content and written well for a change.
  11. This is also a very good post which I really enjoyed reading. It is not every day that I have the possibility to see something like this
  12. I really enjoyed exploring your site. good resource...
  13. I love the blog content; it is very helpful for us. Plant Safety Assessment professional from Australian Risk Services can be of particular assistance at this stage. Being now familiar with your workplace, they can provide details on the best controls and practices for your situation.

  14. Jesse, thanks so much for the template. It saved me a ton of time when completing the social media risk assessment required by our state's InfoSec division. I added a table to define the four risk management strategies and the application, based on risk level. I then color-coded the risk level table to correspond to the management strategy to make it clear how the strategy applied to the framework. For the assessment, I added a final column "strategy" to complete the assessment.

  15. Hi, I have just gone through this blog; the information was really very valuable, and I would love to see more from you. I also have plenty of the same kind of content. You can explore my blog by clicking the link below
    Best digital marketing course in delhi
    Advance digital marketing course in delhi
    Advance digital marketing Institute in delhi
    High Class digital marketing Institute in delhi
    High Class digital marketing course in delhi

  16. Thanks for sharing the info, keep up the good work going.... I really enjoyed exploring your site. good resource... Buy Facebook Event Joins
