Agencies jumping into the Web 2.0 ocean should not focus their cybersecurity strategy around the tools and technology, but rather reiterate and stress existing policy requirements.
But departments also should press commercial social media providers for a more in-depth look into their security procedures and monitor security and network operations of the vendor.
These are among the Chief Information Officer’s Council recommendations in a new report issued Thursday.
“This document recommends mitigating the social media risks through a series of guidelines and recommendations to assist federal departments and agencies in developing a strategy to securely enable the use of social media,” the document states. “It must be made based on a strong business case, supported at the appropriate level for each department or agency, considering its mission space, threats, technical capabilities, and potential benefits. The goal of the IT organization should not be to say ‘No’ to social media Web sites and block them completely, but to say ‘Yes, following security guidance,’ with effective and appropriate information assurance security and privacy controls.”
The council, which also is developing privacy guidance, broke down the recommendations into five areas:
“Policies should not be based on specific technology, as technology changes rapidly,” the document states. “Rather, policies should be created to focus on user behavior, both personal and professional, and to address information confidentiality, integrity and availability when accessing data or distributing government information. Procedures should be created and updated frequently to address the rapid changes in specific technologies.”
The document also goes into the potential cyber threats social media tools could bring to agencies, such as spear phishing or social engineering.
“In order to defend against rapidly evolving social media threats, departments and agencies should include a multi-layered approach in a risk management program, including risks to the individual, risks to the department or agency, and risks to the federal infrastructure,” the document states.
The council recommends that agencies update their Acceptable Use Policies to cover social media technologies, and that the CIO develop a Web 2.0 communications strategy.
Under acquisition, the council suggests agencies use two-factor authentication, including the secure identity card, under Homeland Security Presidential Directive-12, and designate a dedicated government server or instance within the corporate social media network. Agencies also should encourage social media vendors to use code validation and signing to improve the security of their Web sites, and have a third party conduct a risk assessment of the vendor’s systems or services.
The guidelines also promote the use of trust zones to better ensure agency network security, and the use of desktop virtualization strategies to safeguard against malicious Web sites.