FaceBook at work?
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a client:
How should we address web 2.0 and social media in our Computer Terms of Use policy?
 
 
There is no doubt about it: social media has its good points and its bad points. Businesses can use it to reach their customers better. Local government can use it to better reach its citizens. Social media can be used to promote your organization and deliver the information you want to interested parties. Social media is especially good for local governments that want to promote transparency in government.
 
Social media sites can also help with productivity. I often use FaceBook and other sites for collaborative research on various topics. Most recently I used FaceBook and associated friends to do some research on privacy issues of social media sites.
 
The downside is that employees may spend all day on social media sites to the neglect of their work. Social media sites are addictive; that is why they are a great medium for getting information out fast. In fact, this blog is listed on various social media sites such as blogs, FaceBook, YouTube, Twitter and LinkedIn. Because of that addictive nature, people have found themselves spending hours on social media sites without realizing how long they have been there. At work this could mean the loss of countless hours of productivity.
 
What should organizations do with this dilemma? Do they restrict all access, do they allow unlimited access and hope employees do the right thing? Maybe there is a way to strike a balance between the two extremes.
 
There are two issues to address: first, whether or not the organization will use social media as a way to communicate with interested parties, and second, whether employees will have access to such sites during work hours and on work computers.
 
Here are three ways to handle the use of social media sites for employees.
 
Option 1
The best case scenario is to have the most liberal approach possible. By that I mean a policy like the following:
 
"Employees are considered professionals and are expected to act professionally, ethically and legally. Employees will be treated as professionals. Failure to act professionally, ethically and legally will result in disciplinary action. Employees' use of such services should be incidental and not interfere with their normal job duties or deadlines."
 
This policy obviously has a lot of gray area, but it provides enough room for reasonable use and reasonable restrictions. Because it leaves so much room for interpretation, it should have a training component included with it, for example security awareness training that covers the security and privacy issues of such sites and services. You may even consider ethics training similar to that required for CPAs and other professionals.
 
Note: We use this type of management philosophy at Maze & Associates, and attorneys often advise a less flexible approach.
 
Option 2
Not all organizations can have a policy with that much latitude. A middle ground is allowing limited access to social media sites in conjunction with a more defined policy. In those cases there are a number of considerations to include in a use policy. If you already have use policies, they should be reviewed, and you should add stipulations on the use of social media sites and services and to what extent they can be used and accessed.
 
Things to consider:
 
  1. Restrictions on posting internal organizational information or confidential information.
  2. Restrictions on cyber stalking and harassment.
  3. Employees should be required to attend training on security and privacy issues related to such sites.
  4. Definition of what is considered reasonable use and reasonable times.
  5. You may be able to track or restrict the amount of time employees use such sites with firewalls and web filtering devices. (If you track internet activity of employees remember that you need to warn them that there is no expectation of privacy for what they do on your systems.)
 
Option 3
Blocking all social media sites is another option, but not a very good one. Remember that there are legitimate uses of social media sites. Blogs such as this one provide information that staff can use in conjunction with their normal duties. In addition, many sites use YouTube to deliver technical training. If you block all such sites you will limit access to information staff may need to complete their tasks efficiently.
 
In addition, restricting access to such sites creates a perceived attitude that management does not trust employees to do the right thing. Remember that happy employees are more productive than unhappy ones, not to mention the stress employees feel from police-state types of controls. If you can avoid restricting all access, your organization will be better off.
 
Conclusion
Whatever path you choose to go down, don't ignore the issue. Bring it up, make a decision and implement your approach. If you ignore it, it will become a problem.
 
Remember, if you are reading this blog, you are using social media.

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.