Wednesday, May 30, 2012

Social Media and Information Security Governance

Greetings from the CSIRO centre in Canberra, where Jo Stewart-Rattray is speaking at an Australian Computer Society meeting on "Social Media and Information Security Governance". Jo emphasized the high-level governance, rather than the management or technical aspects, of social media's use in organizations. Also mentioned was the Australian Government's work on a Cyber-Security White-paper.

Jo pointed out that while technologies may change, many of the governance and security issues are the same: today's cloud server throws up similar issues to last century's computer bureau.

In terms of social media, Jo pointed out that some organizations have set up their own internal social media services. These provide similar features to Facebook, but are for staff only. I have used Yammer in this way at CSIRO and ANU. She cited the "On the Internet, nobody knows you're a dog" cartoon (by Peter Steiner in The New Yorker, 5 July 1993) and how some people will put on a false persona online.

Jo suggested that external experts are needed for security policy review due to the rapid developments. I suggested for Canberra it is useful to get someone with a uniform on, for credibility. She argued that personnel need some leeway on the use of social networking at work (apart from high security sites), with practical guidelines.

Organizations harvest social media information from the web. Jo pointed out that this information needs to be protected, as it may contain details about individuals, including staff. While the individuals volunteer information online, they may not realize how much information is available. It occurs to me that it might be useful to provide each staff member with a harvested profile about themselves, to increase their awareness of what may be inadvertently released.

Jo mentioned some standards, such as ISO 38500 Corporate Governance of IT, ISO 27002 IT Security Techniques: Code of practice for information security management, COBIT 5.0 (new version this year), and the Business Model for Information Security.

Jo will be speaking in Bella Vista NSW 31 May and Hobart 5 June.
