Compliance 2.0

Techrigy's Adam Steinberg shares some social media policy best practices

Many organizations are beginning to realize the value of using collaborative tools such as blogs and wikis. When used appropriately, these tools can help organizations gain a competitive edge. However, these tools must also be monitored for legal liability and regulatory problems.

Inevitably all organizations will need to manage compliance with social media. Even if an organization decides to disallow all social media, compliance policies must still be enforced both inside and outside your network. The following ten steps should help you reduce many of the risks associated with the use of social media.

1. Create a Policy For Use of Blogs and Wikis

The first step an organization should take is to create a social-media usage policy. Without a set of organizational guidelines to clearly define how employees can use blogs and wikis, employees will not be able to ensure that they are in compliance with organization policies.

A social-media usage policy makes it clear what is and is not acceptable. The social-media usage policy should be broad enough to cover the basics of what you can and cannot address in a public forum and should also include specifics about when and how blogging is acceptable.

2. Know Who is Saying What and What They are Saying

It's not likely that an organization will be able to effectively manage this risk if it hasn't properly inventoried all sources of social media. Communications such as email are relatively easy to monitor because email is typically channeled through a small number of email servers operated by the organization. However, social media can be hosted in disparate places ranging from a user's local PC to a web server running in an individual department or even on a remote provider such as Google's BlogSpot or WordPress.com. Creating a complete and accurate social media inventory can be very challenging.

Begin the inventory by listing the blogs and wikis running inside your organization's network. Inventorying these applications requires a TCP/IP discovery tool such as nmap (www.nmap.org). Once the running web servers have been identified, examine each one to detect whether it is running a blog, such as WordPress or Movable Type, or a wiki, such as MediaWiki or TWiki.

Employee blogs or wikis outside the network perimeter must also be checked. If an employee makes any reference to work-related information, the organizational risk becomes real and the media will need to be monitored for compliance.
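The second half of that inventory step, classifying each web server nmap found as a blog, a wiki, or neither, can be scripted. This is an added example, not code from the article or from Techrigy; the signature strings and the sample responses are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Signature table, constructed for this example: strings the named platforms commonly emit
# in HTTP headers or page bodies. Treat each one as an assumption and tune it for your network.
SIGNATURES = {
    "WordPress":    [r'<meta name="generator" content="WordPress', r"/wp-content/", r"X-Pingback:"],
    "Movable Type": [r'<meta name="generator" content="Movable Type', r"/mt-static/"],
    "MediaWiki":    [r'<meta name="generator" content="MediaWiki', r"/index\.php\?title="],
    "TWiki":        [r"/twiki/bin/view/", r"/twiki/pub/"],
}

def fingerprint(headers: Dict[str, str], body: str) -> Optional[str]:
    """Name the blog/wiki platform whose signatures best match one HTTP response, or None."""
    haystack = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    best, best_hits = None, 0
    for platform, patterns in SIGNATURES.items():
        hits = sum(1 for p in patterns if re.search(p, haystack, re.IGNORECASE))
        if hits > best_hits:
            best, best_hits = platform, hits
    return best

def build_inventory(responses: List[Tuple[str, Dict[str, str], str]]) -> List[Dict[str, Optional[str]]]:
    """Turn (host, headers, body) tuples fetched from each discovered web server into inventory rows."""
    return [{"host": host, "platform": fingerprint(headers, body)} for host, headers, body in responses]

# Constructed sample responses standing in for fetches against servers nmap reported.
SAMPLE_RESPONSES = [
    ("10.0.5.12", {"Server": "Apache/2.2", "X-Pingback": "http://10.0.5.12/xmlrpc.php"},
     '<html><head><meta name="generator" content="WordPress 2.3" /></head><body>Team blog</body></html>'),
    ("10.0.7.40", {"Server": "Apache/2.2"},
     '<html><head><meta name="generator" content="MediaWiki 1.11.0" /></head><body>Main Page</body></html>'),
    ("10.0.9.3", {"Server": "Apache/2.2"}, "<html><body><h1>It works!</h1></body></html>"),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RESPONSES):
        print(row)
```

Hosts that come back as None still belong in the inventory; a server nobody can account for is itself a finding.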

3. Monitor for Confidential Information or Trade Secrets Being Leaked

Certain sensitive information simply does not belong on a public forum such as a blog or wiki. While a user new to wikis or blogs may feel that the information is inconspicuous amid the vastness and anonymity of the internet, sensitive information should seldom be discussed on a public blog or wiki.

In order to monitor for these types of events, an organization or compliance manager will need to monitor for:

  • discussions of confidential information
  • salary or compensation information
  • usernames and passwords
  • non-public financial results or reports
  • patent or secret formulas

Organizations must take steps to ensure that confidential information is not inadvertently exposed due to an innocent mistake.
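A first-pass monitor for the five categories listed above, run over captured posts, can be as simple as a set of labelled patterns that route hits to a human reviewer. This is an added example, not code from the article; the rules and the sample posts are constructed for illustration and will need tuning against real content.

```python
import re
from typing import Dict, List

# Detection rules, constructed for this example, one per category in the list above.
# Expect false positives; the goal is to route posts to a reviewer, not to block automatically.
RULES = [
    ("confidential-marking", re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)),
    ("credential",           re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*\S+", re.I)),
    ("salary",               re.compile(r"\b(salary|bonus|compensation)\b[^.\n]{0,40}?\$\s?\d[\d,]*", re.I)),
    ("financial-result",     re.compile(r"\b(Q[1-4]|quarterly|annual)\b[^.\n]{0,40}?\b(revenue|earnings|profit)\b", re.I)),
    ("trade-secret",         re.compile(r"\b(secret|proprietary) formula\b|\bunfiled patent\b", re.I)),
]

def scan_post(post_id: str, text: str) -> List[Dict[str, str]]:
    """Return one finding per rule match in a single post: which rule fired and the text it matched."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(text):
            findings.append({"post": post_id, "rule": rule, "match": m.group(0)})
    return findings

def scan_posts(posts: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a batch of captured posts keyed by id, e.g. the latest entries from each inventoried blog."""
    return [f for post_id, text in posts.items() for f in scan_post(post_id, text)]

# Constructed sample posts from a hypothetical employee blog.
SAMPLE_POSTS = {
    "p1": "Loving the new office! Our team shipped the widget release on Friday.",
    "p2": "Heads up: the staging box login is admin, password: Summer2008! (don't tell anyone)",
    "p3": "Internal only: Q3 revenue came in 12% above plan, and my bonus of $4,500 reflects it.",
    "p4": "Here is the secret formula for our coating: 3 parts A to 1 part B, cured for 20 minutes.",
}

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f['post']}: {f['rule']} -> {f['match']!r}")
```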

4. Use of Disclaimers

Blogs and wikis can be hotbeds of sensitive topics. Because of their nature, it's recommended that you ask employees who blog to label their blogs with disclaimers and perhaps even privacy policies. Just as a TV station or movie producer labels any politically charged show as "not necessarily reflecting the views of the station," you should consider the same type of disclaimer for employees who choose to blog.

5. Archive Social Media Content

Legal discovery of electronic records has recently been codified in the Federal Rules of Civil Procedure. Under the new rules, which went into effect in December of 2006, electronically stored information now qualifies as a record that must be maintained for legal discovery purposes.

It is imperative that you properly archive all social media using a method that allows the integrity of the content to be verified. For instance, archiving an entry with a timestamp and a signature makes the evidence that much stronger. By not recording blog entries, you open yourself up to the risk of legal fines.
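The timestamp-plus-signature archive described above, with each record also chained to the previous one so that deletions and reordering are detectable, not just edits. This is an added example, not code from the article; the key, URLs and sample entries are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed placeholder key; in practice keep the real key in a secrets store or HSM,
# out of reach of anyone who can write to the archive.
ARCHIVE_KEY = b"example-archive-key-replace-me"

def _payload(record: Dict) -> bytes:
    """Canonical bytes the signature covers: every field except the signature itself."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def archive_entry(archive: List[Dict], source: str, author: str, content: str,
                  key: bytes = ARCHIVE_KEY, captured_at: Optional[str] = None) -> Dict:
    """Append one captured blog/wiki entry: timestamped, chained to the previous record, HMAC-signed."""
    record = {
        "seq": len(archive),
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "source": source,
        "author": author,
        "content": content,
        "prev_signature": archive[-1]["signature"] if archive else "",
    }
    record["signature"] = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    archive.append(record)
    return record

def verify_archive(archive: List[Dict], key: bytes = ARCHIVE_KEY) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first record that fails).
    Catches edited fields, a wrong key, and deleted or reordered records."""
    prev = ""
    for i, rec in enumerate(archive):
        if rec["seq"] != i or rec["prev_signature"] != prev:
            return False, i
        expected = hmac.new(key, _payload(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["signature"]):
            return False, i
        prev = rec["signature"]
    return True, None

def build_sample_archive() -> List[Dict]:
    """Constructed sample: three captures from a hypothetical employee blog."""
    arc: List[Dict] = []
    archive_entry(arc, "http://blog.example/post/1", "alice", "First post", captured_at="2008-01-01T09:00:00+00:00")
    archive_entry(arc, "http://blog.example/post/2", "bob", "Second post", captured_at="2008-01-02T09:00:00+00:00")
    archive_entry(arc, "http://blog.example/post/3", "alice", "Third post", captured_at="2008-01-03T09:00:00+00:00")
    return arc
```

An HMAC only proves integrity to whoever holds the key; where a third party must be convinced, sign the same payload with an asymmetric key or anchor it with a timestamping service.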

6. Educate Employees

Many of these potential problems can be mitigated simply by educating employees about the dangers of using social media. Employees who are unaware of legal and regulatory risks are far more likely to create them, simply because they do not recognize the potential consequences of their actions.

Ultimately, employees and management must work together when implementing social media. Employee frustration over being unable to communicate through social media at work can lead to damaging situations, while employees satisfied with their ability to use social media can become your organization's best evangelists.
