How to create a security policy for social networks

The security risks associated with social networking sites such as FaceBook and LinkeDin are pointed out by a well-balanced piece on Search Security by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic:

"Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them."

Our recent NoticeBored security awareness module on social engineering used example scenarios based on LinkeDin and other social networking sites for exactly this purpose. We suspect few managers think of LinkeDin as a social networking site, let alone consider the security implications of publishing all sorts of personal information about themselves. It's a useful topic to get their attention.