Social Networking Acceptable Use Policy

Author: Toby Paul
Location: N:\Directorate of Corporate Services\ITCS\Systems & Services\Active\Services\Security\Security Policy\Policy document set
Produced by: ICT Manager (Security)
Authorised by: Deputy Director (ICT)
Current Version: 1.1

Contents

Purpose
Scope
Responsibilities
Revision
1.0 Introduction
2.0 Risks
3.0 Countermeasures
4.0 Use of social networking sites outside of work
5.0 Social Networking Use Good Practice Checklist
6.0 How to request access to OSN for business purposes
Document History
Glossary
Reference Documents

Version 1.1
Purpose

The purpose of this document is to define the London Borough of Bexley’s (LBB) Social Networking Acceptable Use Policy. This document does not replace the existing Internet Acceptable Use Policy but provides additional guidance on the specific topic of internet-based social networking.

Scope

This policy covers all staff, contractors, partner organisations and Members of the Council and is not limited to business use of LBB computers.

Responsibilities

The ICT Manager (Security) is responsible for the maintenance and distribution of this policy.

Revision

This policy will be reviewed annually or when a significant change is made to the systems, people or processes related to this procedure.

1.0 Introduction

Information Security is nothing new. ‘Careless Talk Costs Lives’ is a phrase familiar to every generation since the 1940s. We live in a science fiction age compared to when this advice first appeared; however, if updated to ‘Careless Talk/Memory Stick/Tweet Costs’ it would still be relevant today. The threats we face now are significantly different to those prevalent at the time when this advice was first published; however, today’s ability to share and use information in a multitude of ways makes it inevitable that security incidents occur. The cost nowadays may not be measured in lives, but may have significant reputational and/or financial costs.

Internet-based social networking sites, such as Facebook, MySpace, Bebo and Twitter, are popular applications which allow individuals to create a profile containing personal information and interact with other users. These were initially conceived as social tools, but corporate uses have evolved and they are now an accepted means of communication for Council use in a controlled manner. Social networking sites are seen as particularly valuable in communicating with social groups for whom social networking is a foremost and familiar communications medium.

However, there are many risks associated with use of these sites. For this reason technical controls are in place to restrict access to Online Social Networks (OSN) via Council systems. Fortunately, many of the identified risks can be substantially reduced by following safe usage practices.

This Acceptable Use Policy is for Council Officers and Councillors who require access to OSN for business purposes. This policy includes instructions on how to request access to OSN and outlines the main risks and safe ways of using these sites. Being internet-based, it is possible to access OSN from home or other non-Council provided computers. For this reason this policy also defines acceptable use of OSN from outside of work.

This policy incorporates guidance defined within the UK national government’s Good Practice Guide (CESG GPG 27) – Online Social Networking.

2.0 Risks

The following are identified risks associated with the use of OSN. All internet-based applications develop at a rapid rate and consequently new risks, currently not conceived, may quickly become prevalent. It is thus important for users to remain vigilant and act upon any future advice issued to them.

2.1 Publishing personal information on your OSN profile may make you susceptible to identity theft. Dates of birth, full names and home addresses are key pieces of information for identity fraudsters. Many users also publish the answers to common security or password reminder questions (such as ‘my first school’), which can put other accounts, such as online bank accounts, at risk of account takeover. Some sites ‘own’ any data posted on them, and may reserve the right to sell your details to third parties – check the terms and conditions.

2.2 Posting some information can also put your personal safety at risk. For example, your address, phone number, details of your schedules and plans and information about your family could be used to target you. Location-based information can be posted on social networks, especially from GPS-enabled mobile devices, which tells others exactly where you are. Burglars may also use information on social network profiles, such as holiday plans or new purchases, to plan burglaries.

2.3 Phishing attacks, where a criminal masquerades as an entity with the right to request sensitive information, such as a bank, are increasingly being delivered on social networking sites instead of by email. Profile pages are also being used to research information about an individual, so attacks can be specifically targeted at them and hence are more likely to succeed. Many phishing attacks are being launched with links to fake login pages for social networks to obtain users’ login details and hijack their social networking accounts.

2.4 Most social networking sites provide an informal environment where it is easy to share views and update content. However, some users have damaged their career or the reputation of their employer by making inappropriate comments. Remember that, depending on privacy settings, your posts may be visible to all your contacts, networks and groups, or even to other users and search engines.

2.5 Social engineering involves manipulating people into performing actions or revealing information they should not, for example their login details for the corporate IT system. In order to do this, perpetrators need information about the individuals and/or the organisations they work for. This can often be obtained from social networks, especially if colleagues have set up groups based on their workplace and declared that they know each other ‘from work’.

2.6 Social networking sites can be forums for bullying and harassment online (known as cyberbullying, cyberharassment or cyberstalking). Attackers may also use these sites to identify or target their victims due to the large amount of personal information some users post. Such incidents may take place online only or may spill over into the offline world.

2.7 Account hijacking is a growing problem on social networking sites. Criminals obtain users’ login details from phishing attacks or by ‘dictionary attacks’, which involve trying the most common passwords. Once they have access to a user’s account, criminals may use this to propagate malware or spam, or to obtain personal information from the compromised account and from people on that user’s contact list. A common scam is for a criminal to hijack an account and send messages to the user’s friends claiming to be stranded and requesting money.

2.8 Malicious code (‘malware’) spreads rapidly around online social networks. Beware of links posted on friends’ profile pages or sent to you in messages – if their account has been hijacked or they have been infected by malware, the link may not have been put there by them. In addition, many URLs are now ‘obfuscated’, meaning the full address of the website cannot be seen until the link is clicked on. This is often done to shorten long URLs so they can appear in character-limited posts, such as on microblogging sites like Twitter.

2.9 Third party applications are written by developers independent of the social network provider. Although they can often be useful or fun, and most are safe, they are not checked or certified by the social network before launch. Some have included malicious code or links to malicious sites. Application developers may also be granted access to some of a user’s personal information when they use the application.

2.10 Uncontrolled private use of OSN will cause staff time wasting. Recent studies have shown employees may squander between 30 minutes and 3 hours each day on social networks if uncontrolled access is provided. Even if access is provided for professional purposes, time can also be needlessly lost through poor planning and management. Common causes for this are:

- You do not have a plan
- You do not have anything interesting to say
- You do not have a clear message about who you are

To prevent time wasting, access to OSN is controlled and limited to those with a validated business use approved by the Deputy Director of ICT or the Head of Communications. Legitimate users must apply the Social Networking Use Good Practice Checklist (as shown in section 5) to develop efficient practices.


3.0 Countermeasures

The following countermeasures must be exercised by all staff to ensure the safe use of OSN.

3.1 Think about any information you post relating to your job or employer. Is the information in any way sensitive? Would it be of interest to competitors or journalists? In addition, information can become more sensitive if it is brought together from a range of sources. Be especially aware of this when using professional networking services. Once information is posted on the internet it is essentially impossible to completely delete it. Social network profiles are often not as private as users believe. Be very wary about venting frustrations about work in public comments, as it is highly likely your colleagues or boss may see them. If at all possible, maintain separate personal and professional personas online.

3.2 Check your privacy settings. Who can see your profile information? It is worth taking the time to understand what each setting controls and making a proactive decision about who you want your information to be visible to. Many sites allow you to classify your contacts (into e.g. ‘friends’ and ‘professional contacts’) and set independent privacy controls for each. If you are a member of large groups or networks it may be wise to restrict what other members of these groups can see. Do you want your profile indexed in search results on the site, or even on internet search engines such as Google?

3.3 Choose your friends carefully! Social networking sites can be a great way of making new contacts, but beware of giving away too much personal information to people you do not know. If you do have individuals on your contact list you do not know well, consider restricting what they can see using your privacy settings. In addition, watch out for suspicious or unusual activity or language from your friends, as this may be a sign that their account has been hijacked.

3.4 Be cautious when using third party applications. Remember they could contain malware, or link to sites containing malware. Be particularly wary if you are prompted to install an update to another program when trying to use an application – this is a common trick used to install malware on a user’s computer. It may also be possible to control what information is passed on to the developers of third party applications using your privacy settings.

3.5 Read terms and conditions. Read the terms and conditions of any sites you sign up to, to ensure you are aware of who owns data posted on the site and what the owners of the site can do with your data.

3.6 Don’t post more personal information than is necessary. For example, other users probably don’t need to know your date of birth or home address – if you do need to give such details to any of your contacts, it is wise to give them to individuals offline or in private messages. Consider the security implications of posting details of your exact, real-time location.

3.7 Consider your occupation. Consider whether your occupation may make you a target for any form of attack or harassment, or whether publicising your occupation may threaten the effectiveness with which you or your colleagues can do your job. If this is the case, limit the personal information you post and what you say about your work. If in doubt, ask your line manager for advice. If it is inadvisable to discuss your work online, let your close friends and family know so they can avoid inadvertently saying something inappropriate.

3.8 Avoid becoming the victim of phishing attacks. Do not click on obscured URLs unless you are very sure of the source. Use URL-preview services such as expandmyurl.com and longurlplease.com to verify the safety of URLs in abbreviated links before clicking on them. If the link is to a site you visit regularly, such as your bank or an online store, type the URL or use a bookmark to ensure you are accessing the genuine site.

3.9 Guard against hijack of your own social networking accounts – if you click on a link which asks you to log in to the site, type the site URL or use a bookmark to ensure it is the correct site and not a phishing scam. Signs of account hijack include passwords not working and activity or logins on your account at times when you weren’t online. If your account is hijacked, change your passwords and warn your contacts that your account has been compromised.

3.10 Accessing social networking sites from your own computer. If accessing social networking sites from your own computer, access them from an account with user privileges only, not administrator privileges. This will minimise the privileges available to any malware which is downloaded and so may limit the damage it can cause.

3.11 Use good passwords for all online accounts:

a. Avoid dictionary words or strings of letters and numbers such as qwerty, 12345678, or abcdefg.
b. Do not use the same password for more than one account – doing this means that compromise of one password will compromise multiple accounts. Never use the same passwords for internet accounts and corporate IT systems.
c. Change passwords regularly.
d. Avoid storing passwords on computers (this includes using the ‘remember me’ function on sites), especially when using portable devices (smartphones etc.) which are at high risk of theft, as theft of the device may lead to account compromise.

3.12 Ensure sessions are closed properly. Once you have completed working on the social networking site, ensure that you ‘log off’ to properly close your user session. Merely closing the Internet browser tab, or even the entire Internet browser, may leave the session active until the computer is switched off. If you do not properly close your session there remains the risk of other users of the computer being able to access your social networking account.


4.0 Use of social networking sites outside of work

All employees should be mindful that pages on social network media can often be accessible more widely than intended and may therefore place in the public domain material that was not intended by you to be shared in that way. You should therefore ensure that your use of social networking sites is appropriate and that material you publish will not cause embarrassment or offence to you, your work colleagues or your employer. The Council expects officers to treat each other with courtesy and respect, and this expectation extends to these sites. There are circumstances in which the actions of employees in their own time may give rise to issues in the workplace. For example, behaviour that brings the Council into disrepute, or might amount to bullying or harassment of a work colleague, might result in the Council considering action against an employee under formal procedures.

5.0 Social Networking Use Good Practice Checklist

To ensure efficient and effective use of social networking, the following checklist has been defined to assist staff with a professional need to use OSNs.

1. I have defined my social networking goals and objectives
2. I know who my target audience is
3. I have researched social networking sites and identified those that match my needs
4. I have obtained consent for my use of social networking from the Deputy Director for ICT or the Head of Communications

The following will apply if the consent referred to in point 4 has been obtained.

- I have created a username that will be easy to find, follow and connect with
- I have included contact information in my profile
- I have scheduled time each day to post and connect online
- I have integrated my social networking channel with my other communications channels
- I have created systems to test and track my social networking goals and tactics


6.0 How to request access to OSN for business purposes

Online Social Networking Access Request Form

Internet access for all members of staff is strictly controlled and monitored. Access to OSN (Online Social Networks) is blocked by default for all users. If staff have a business requirement, access will be granted if approval has been given by the Deputy Director (ICT) or the Head of Communications. Requests for access must be sent to [email protected] containing the following:

- Current or proposed media?
- Name of page/tweet (including URL where appropriate)?
- Proposed start date?
- Proposed end or review date?
- What is the use of social media intended to achieve?
- Is this part of a wider communications plan, making use of a range of media?
- What is the minimum frequency with which the social media will be updated?
- Who will be responsible for updating? Do they understand the requirements on an officer issuing public statements on behalf of the Council, and do they have the authority of their Deputy Director to make such statements? Have they read and understood the Council's policies on the use of IT, the Internet and social media?
- Who will cover for this person when they are absent from work due to holiday or sickness?
- Are other staff available who could take over this role if the named person left the Council's employment?
- If the proposal is to continue a current use, please provide statistics to indicate the use that has been made of the media concerned, e.g. friends, followers or Klout score.

Signed:…………………………….. Title: Deputy Director (ICT) or Head of Communications


Date:……………..


Document History

Date      Version  Description
04.09.10  V0.1     First Draft
07.09.10  V0.2     Second Draft
18.09.10  V0.3     Third Draft
29.06.11  V1.0     Released Policy
08.07.11  V1.1     Minor revisions made, section 3.12 added

Glossary

Term   Definition
AUP    Acceptable Use Policy
CESG   Communications-Electronics Group
GPS    Global Positioning System
ICT    Information Communications Technology
LBB    London Borough of Bexley
OSN    On-line Social Network
URL    Uniform Resource Locator
Users  All “users” include Bexley employees, temporary employees, Members of the Council, Service Partners of the Council, and third party contractors

Reference Documents

Document Title  Document Description
Internet AUP    AUP for staff to access the Internet