The FASTForward Blog » US government tackles social media security head-on: Enterprise 2.0 Blog: News, Coverage, and Commentary

US government tackles social media security head-on

by Joe McKendrick

October 23, 2009 at 8:02 pm · Filed under Social Media

The US government knows social networking is the key to better collaboration between agencies and employees, but has held back because of security concerns. Recently, the government developed security guidelines to make social media more secure.

In a new post, ReadWriteWeb’s Jolie O’Dell describes how US Navy CIO Rob Carey wants to use social media is a resource for the US military to build trust and collaboration across all four branches.

However, the mainly unregulated, Wild West aspect to social media has put off a super security-conscious and disciplined operation such as the military. That’s doesn’t mean social media — with its powerful collaboration capabilities — doesn’t have a place in the military, Carey says. O’Dell cites a recent podcast in which Carey observed that “most social networking tools come with no rules of the road. As the Internet moves towards user-generated content, we thought there was a void we could fill… to mitigate some of the security risks associated with social media.”

Carey urges the military to engage social media full force:

“Social media is an inherent part of the toolbox for members of the millennial workforce, while baby boomers are just adopting it. Social media tools should become the standard by which we can share and collaborate on information inside and outside the network boundaries.”

Carey’s comments com eon the heels of last month’s release, by the federal CIO Council, of the Guidelines for Secure Use of Social Media by Federal Departments and Agencies. (PDF download)

The Guidelines address the information security risk head on:

“The decision to embrace social media technology is a risk-based decision, not a technology-based decision. It must be made based on a strong business case, supported at the appropriate level for each department or agency, considering its mission space, threats, technical capabilities, and potential benefits. The goal of the IT organization should not be to say “No” to social media websites and block them completely, but to say “Yes, following security guidance,” with effective and appropriate information assurance security and privacy controls. The decision to authorize access to social media websites is a business decision, and comes from a risk management process made by the management team with inputs from all players, including the CIO, CISO, Office of General Counsel(OGC), privacy official and the mission owner.”

The government breaks social media usage into four categories: Inward Sharing, Outward Sharing, Inbound Sharing, and Outbound Sharing:

Inward Sharing: “The sharing of internal organizational documents through internal collaboration sites such as SharePoint portals and internal wikis.”

Outward Sharing: “Also known as inter-institutional sharing, enables Federal Government information to be shared with external groups, such as state and local governments, law enforcement, large corporations, and individuals.”

Inbound Sharing: “Also known as “crowdsourcing,” is similar to conducting a large online collaborative poll.”

Outbound Sharing: “Federal engagement on public commercial social media Websites.”

The report makes the following recommendations for secure social media adoption by federal agencies:

Policy control: “The senior technology official at each federal agency should develop a social media communications strategy, with the support of their communication office, that accurately addresses the guidelines in this document in conjunction with government-wide policy.”

Acquisition controls: “Federal agencies should require enhanced security and privacy controls through contracted social media services, such as… supporting support stronger authentication mechanisms for federal employee and agency user profiles, including multi-factor authentication…. Ensuring social media websites consider basic security best practices, such as input validation, code security reviews, and strong cookie management.”

Training controls: “Often the best solution is to provide periodic awareness and training of policy, guidance, and best practices. The proper use of social media in the Federal Government should be part of annual security awareness training… [such as providing] “specialized training to educate users about what information to share, with whom they can share it, and what not to share…. Providing guidance and training based on updated agency social media policies and guidelines, including an updated Acceptable Use Policy (AUP) specific to social media websites…. Providing guidance to employees to be mindful of blurring their personal and professional life. Don’t establish relationships with working groups or affiliations that may reveal sensitive information about their job responsibilities.”

Network controls: “The Federal Trusted Internet Connection (TIC) program provides a series of inspection, monitoring, detection, and blocking technologies that ensure additional security and visibility to defend against a wide array of attacks, including those discussed from a social media perspective…. Current technologies allow for increasingly granular control of web applications, data, and protocols, in accordance with departmental policy. Web content filtering technologies for all Internet traffic should be located in the department TIC or provided as an add-on for offices granted access to social media websites.”

Host controls: “The establishment of a hardened Common Operating Environment (COE) will ensure consistent and comprehensive host configuration and hardening policies across the Federal Government. Hosts may be configured using the Federal Desktop Core Configuration (FDCC), and validated through a Security Content Automation Protocol (SCAP) compatible scanner…. Two-factor authentication reduces the likelihood an attacker will gain unauthorized access to an information system through a username and password…. Federal agencies should ensure they have strong patching for operating system and application vulnerabilities, and that updating anti-virus signature files and system logging is enabled to report to the SOC on workstations in real time.”

Share and Enjoy:

Permalink

51 Tweets

52 Comments »

Scott WrightOctober 25th, 2009 at 7:38 am

Nice article. Lots of good content. It’s good to see people focusing on how the Government is using and trying to control the use of Social Media, from a security point of view.

I’ve been writing a lot on my website The Streetwise Security Zone (a place for non-technical users and IT managers to learn about security awareness and get training on it), as well as hosting a new podcast with Tom Eston and Kevin Johnson, called The Social Media Security Podcast. We just published Episode 3, with some technical and some non-technical explanations and tips.

Please drop by and check us out. We’d love to receive some public comments and reviews on what we are doing. Perhaps a Government-focused episode would be of interest. Let us know.

Thanks

Scott Wright
The Streetwise Security Coach