Asaf Ahmad

  • 8/2/2019 Asaf Ahmad

    Asaf Ahmad

    Fire and Rescue NSW

    Disclaimer: The views expressed are my own and not of FRNSW.

    • BBS (Bulletin Board System)
    • Internet Forums
    • Web 2

    Social media technology and network creation of content, and dissemination of content using the Internet

    Allowing consumers to share the content, comment, discuss and even distribute the news

    BLOGS - WordPress and TypePad,

    MICROBLOGS - Twitter and Tumblr,

    INSTANT MESSAGING - AOL AIM, MS Live Messenger

    Online communication systems - (e.g., Skype)

    Image and video SHARING sites - Flickr and YouTube,

    SOCIAL NETWORKING sites - Facebook and MySpace,

    PROFESSIONAL NETWORKING sites - LinkedIn

    Sources of Data

    Social media use is no longer an exception, but rather a rule!

    • As a tool to stimulate innovation,
    • Create brand recognition,
    • Provide information
    • Feedback, views and trends
    • Hire and retain employees,
    • Generate revenue, and
    • Improve customer satisfaction.

    2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives

    ENGAGEMENTdb, The World's Most Valuable Brands. Who's Most Engaged? Ranking the Top 100 Global Brands, www.engagementdb.com/downloads/ENGAGEMENTdb_Report_2009.pdf

    A 2010 Burson-Marsteller study of Fortune 500 companies:

    • 65% have active Twitter accounts
    • 54% have Facebook fan pages
    • 50% have YouTube video channels, and
    • 33% have corporate blogs

    2 Burson-Marsteller, The Global Social Media Check-up Insights: From the Burson-Marsteller Evidence-based Communications Group, www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Documents/Burson-Marsteller%202010%20Global%20Social%20Media%20Check-up%20white%20paper.pdf

    According to the 2010 Social Media Marketing Report, 67% of marketers plan to increase their use of social media channels including blogs, Twitter, and Facebook.

    Source: "#qldfloods and @QPSMedia: Crisis Communication on Twitter in the 2011 South East Queensland Floods", Media Ecologies Project, ARC Centre of Excellence for Creative Industries & Innovation (CCI), http://cci.edu.au/. Axel Bruns and Jean Burgess, Creative Industries Faculty, Queensland University of Technology; Kate Crawford and Frances Shaw, Journalism and Media Research Centre, University of New South Wales.

    [Figure: Distribution of tweets by/to @QPSMedia and in #qldfloods for the week of 10 Jan. 2011]

    [Figure: Breakdown of tweets in the Information category]

    Crowd-sourcing crisis-relevant information and trends can be achieved from Twitter data

    • A police officer happily tweets about the recovery of a missing teenager. Only he forgets to tell her mom first [1]
    • Drug Companies Wait for FDA Guidelines on Social Media Marketing - drug makers faced potential legal issues with the reporting of adverse events, negative information and libelous information
    • Liability for libel, privacy violations and damage to brand recognition
    • Information security risks

    1 - http://www.techrepublic.com/blog/career/another-case-of-social-media-eating-the-brain-of-a-user/4136?tag=nl.e101

    Social Media, Data sources, Event based, Conversation, Constituents, Noise

    Business Intelligence: Define, Access, Aggregate, Analyse, Report

    Structured Data: Format, Context

    Semi-Structured Data: Meta data

    Un-Structured Data: No Format, Open context

    Presumed lack of credibility or reliability, or an underestimation of its value

    • Informal
    • Data Quality
    • Limited on membership
    • Constraint due to technology
    • Language and constituents dependency

    Business Intelligence

    Metadata
    Access and Information Consumers
    Analytics Techniques & Subject Area
    Data Sources
    Data Repository & Storage
    Data Integration
    Action Knowledge Information Context Data
    Security, Privacy, and Regulatory Compliance
    Project Management, Change Control, Information Management
    IT Infrastructure and Networks

    Social Media

    Social Media Policy
    Social Media Risk Management
    Discovery: Target audience, Objectives, Social capability, Governance
    Strategy: Listening, Social tools, Content strategy, Blog strategy
    Management: Data Analytics, Goals & Benefits, Review

    • Can be started without proper governance
    • Without IT involvement
    • Without proper project management
    • Without Roles and Responsibilities
    • Without awareness and training
    • Opportunity cost
    • Risk of communicating with customers or constituents
    • Risk to corporate network
    • Risks from mobile devices
    • Risks of social engineering
    • Risks of violation of privacy and corporate policies
    • Risk of employee personal use of social media from home and personal computing devices.

    Social media does have inherent risks that could negatively impact enterprise security

    2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives

    Create a social media strategy

    Have a plan to address the risks that accompany the technology

    Require good governance and management of information and technology (IT) assets

    1 - ISACA = Information System Audit and Control Association; ITGI = IT Governance Institute

    COBIT [1] - A Business Framework for the Governance and Management of Enterprise IT

    Information is a key resource for all enterprises.

    Information is created, used, retained, disclosed and destroyed. Technology plays a key role in these actions. Technology is becoming pervasive in all aspects of business and personal life.

    What benefits does information and technology bring to enterprises?

    1 - ISACA = Information System Audit and Control Association, www.isaca.org; ITGI = IT Governance Institute

    When creating a social media strategy, some questions to consider are:

    • Strategic benefit?
    • Involvement of stakeholders?
    • Risks, benefits vs costs?
    • Legal, privacy and regulatory issues and requirements?
    • Ensure positive brand recognition?
    • Awareness training?
    • Handling of customers?
    • Resources to support such an initiative?

    ISACA develops and maintains the CobiT and Risk IT frameworks

    1. Strategy and Governance
       • Establish a policy that addresses social media use
       • Policies to address all aspects of social media use in the workplace?
       • Risk assessment

    2. People
       • Effective training for all users

    3. Processes
       • Review business process using social media
       • Aligned with policies and standards of the enterprise?

    4. Technology
       • IT strategy and supporting capabilities to manage technical risks
       • Technical controls and processes support social media policies and standards
       • Established process to address the risk introduced by social media and its negative impact on the enterprise?

    Source: ISACA's Business Model for Information Security (BMIS): The Business Model for Information Security provides an in-depth explanation to a holistic business model which examines security issues from a systems perspective.

    • Personal use
      - Whether it is allowed
      - The nondisclosure/posting of business-related content
      - The discussion of workplace-related topics
      - Inappropriate sites, content or conversations
      - Standard disclaimers if identifying the employer
      - The dangers of posting too much personal information

    • Business use
      - Whether it is allowed
      - The process to gain approval for use
      - The scope of topics or information permitted to flow through this channel
      - Disallowed installation of applications, playing games
      - The escalation process for customer issues

    RISK: Use of personal account to communicate work-related information
    IMPACT: Privacy violation; Corporate reputation damage; Loss of competitive advantage

    RISK: Posting of photographs of information that links users to their employees
    IMPACT: Brand damage; Corporate reputation damage

    RISK: Excessive use of social media in the workplace
    IMPACT: Network utilisation issue; Loss of productivity; Increased risk of exposure to virus and malware

    RISK: Use of company-supplied mobile devices to access social networking sites
    IMPACT: Infection of mobile devices; Data theft from mobile devices; Data leakage; Bypassed enterprise controls

    2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives

    THREATS & VULNERABILITY: Virus
    RISKS: Data leakage; Zombies; Downtime; Cost
    RISK MITIGATION TECHNIQUE: Antivirus; Content filtering; Policies and Standards; Awareness training

    THREATS & VULNERABILITY: Hijacked corporate presence
    RISKS: Customer backlash; Exposure of customer information; Reputational damage; Targeted phishing attacks
    RISK MITIGATION TECHNIQUE: Brand protection firms; Periodic updates to customers

    THREATS & VULNERABILITY: Unclear and undefined contents rights
    RISKS: Enterprise loss of control/legal rights
    RISK MITIGATION TECHNIQUE: Legal to review contract; Establish clear policies on posting; Establish log capturing

    THREATS & VULNERABILITY: Increase in customer service expectation
    RISKS: Customer dissatisfaction; Reputational damage; Customer retention issue
    RISK MITIGATION TECHNIQUE: Ensure adequate staffing for handling social media traffic. Create notices that provide clear windows for customer response.

    THREATS & VULNERABILITY: Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
    RISKS: Regulatory sanctions and fines; Adverse legal actions
    RISK MITIGATION TECHNIQUE: Establish appropriate policies, processes and technologies to ensure that communications via social media that may be impacted by litigation or regulations are tracked and archived appropriately. Note that, depending on the social media site, maintaining an archive may not be a recommended approach.

    THREATS & VULNERABILITY: Use of personal account for work-related information
    RISKS: Privacy violation; Reputational damage; Loss of competitive advantage
    RISK MITIGATION TECHNIQUE: HR to establish policies that ensure; HR to develop awareness training

    THREATS & VULNERABILITY: Posting of enterprise linked picture
    RISKS: Brand damage; Reputational damage
    RISK MITIGATION TECHNIQUE: HR to develop a policy on appropriate use of enterprise images, assets, and intellectual property in their online presence.

    THREATS & VULNERABILITY: Excessive employee use of social media in the workplace
    RISKS: Network utilization issues; Productivity loss; Increased risk of exposure to viruses and malware
    RISK MITIGATION TECHNIQUE: Manage accessibility to social media sites

    THREATS & VULNERABILITY: Employee access to social media via enterprise-supplied mobile devices
    RISKS: Infection of mobile devices; Data theft from mobile devices; Circumvention of enterprise controls; Data leakage
    RISK MITIGATION TECHNIQUE: Route enterprise mobile devices through corporate network filtering technology. Ensure that appropriate updated controls are installed on mobile devices. Establish or update policies and standards regarding the use of mobile devices to access social media. Develop and conduct awareness training for risks involved with using social media sites.

    2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives

    • Consumer-oriented technology,
    • An enterprise's tool to drive business objectives
    • Affords enterprises many potential benefits
    • Inherent risks such as data leakage, malware propagation and privacy infringement.
    • Adopt a cross-functional, strategic approach that addresses risks, along with appropriate governance and assurance measures.

    2010 ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives
