About Us | Contact Us
View Cart

Get Ready to Respond to the Social Media Guidance!

By Dan Hadaway | Wednesday, February 12, 2014 - Leave a Comment

FFIEC Guidance on Social Media Risk

For the past 60 days, the writers and thinkers at infotex have been working diligently on our Social Media Guidance Response Kit.   Given that we conduct “public presence reviews” and “social media reviews” as part of our IT Audit process, we came to this table with a healthy understanding of the risks banks face due to social media.  And while the guidance is very helpful in relation to compliance risk, it misses the mark when it comes to helping banks manage the overall risk of Web 2.0 technology . . . . the use of interactive applications served over the internet.

But wait . . . .

What the guidance does well:

Before this becomes too much of a flame-post, let me say that the guidance does serve some important functions:

  1. The guidance DOES properly define the problem:  both in the way it defines social media, and in the way it expresses the many risks associated with the phenomenon.
  2. The guidance simplifies the risk expression into four risks:  compliance, legal, reputational, and privacy.   (But it “only gives a nod” to the security risks, and thus this article.)
  3. The guidance maps out, in appropriate detail, the intricate web of laws and regulations impacting the use of interactive internet applications (currently called social media).
  4. Thus the guidance serves as a map (for those who would) showing us how to TAKE compliance risk in the areas of lending products, deposit services, and payment systems.  Footnote #1

And in their defense:  the FFIEC released an advance copy of this guidance on January 23rd of last year . . . almost a year in advance of publishing the final guidance on 12/11/2013.  They did this to seek comments from the public, and while 81 official comments were received, it does not appear that any were related to information security.

But what the guidance misses:

The above benefits are great, but if we do not also address security risk . . . . what’s the point?  The guidance only gives a slight nod to the notion of security (and in that, the concern was privacy.)  But in our opinion the majority of the risk is going to be in the employee and customer sites, not in the institution-owned sites.  The guidance fails to adequately address malware, social engineering, and account takeovers.

So fortunately:

Infotex is creating a guidance response kit that will allow your team to quickly assure compliance while concurrently installing a simple review process that keeps you in compliance.  And for those who are already adequately addressing security risk, the kit allows for a stand-alone approach.  A video will show you how to focus solely on the compliance aspects of social media (and thus only the requirements of the guidance).

However, if you feel insecure about the security risk exposure from employee and customer social media assets, the kit will also give you the ability to expand the asset focus to include not only your own bank-owned site, but also the risks associated with employee and customer social media assets.

Simplicity is the key.  The kit will be simple:  language to insert in a board policy, a customize-able set of standards, and the review process (tracked with a simple excel spreadsheet).  We’re also working on training materials for your management team members and such, but that’s just the icing on the cake.

The review process will require a periodic meeting between team members (as defined in the guidance.)  It will combine risk assessing with auditing, and deliver a risk-rated report of any gaps between the guidance, the security framework, and your actual presence.

The meeting structure allows all social media assets to undergo a compliance (plus other risk if you wish) review and allows you to keep the entire process contained to the meeting (plus the agenda and the minutes).  We’re thinking this review meeting can be semi-annual for institutions that very active in social media, and annual for other institutions.

So when?

We’re doing the best we can to get the Social Media Guidance Response Kit onto our e-commerce site as soon as possible.  Our hope is that we will be posting it by the end of the month, so that we can be showing you how to use it during our workshop at the Indiana Bankers Association on March 26th.


Footnote #1:  We’re not so sure community-based banks will be that excited by the prospects of a map to deploying payment systems, lending products, and deposit services on social media.  It seems that only big-banks . . . maybe innovative regional banks . . . will be able to take advantage of the volume that would be necessary to justify these risks.  In other words, we don’t see First Bank of Nowhere spending a lot of money renting a re-branded Facebook banking app.  However, please keep in mind, most (but not all) of us thought Facebook was going to be a fad when we reluctantly wrote our first social media policy in 2007.

Original article by Dan Hadaway CRISC CISA CISM.
(Alias: the one who thought Facebook was a passing fad!)

Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]
    Dubious app store subscriptions bring in hundreds of millions of dollars in revenue… An article review. When it comes to malicious applications you’re probably familiar with things like malware and ransomware, and you have ways to avoid them.  Modern desktop and smartphone operating systems have built-in malware detection tools, and some web browsers even automatically […]
    Another Manifesto A supply-chain manifesto by the author of Never Say Never: A Password Manifesto! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . [Sssshh.  Turn out the lights.  Let’s lower our inner voices, as I have something to propose that might be a bit […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    While malware and security exploits continue to make headlines, the majority of reported security incidents involve phishing… An article review. With all the attention given recently to security incidents involving software exploits and high-profile malware attacks, it would be easy to believe that they represented the most likely incidents you may encounter in the wild.  […]
    Implementing Protective DNS could help your organization avoid attack… An article review. Noting the risks still associated with the Domain Name System (DNS), the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) have recently released new guidance on the selection and use of a Protective DNS service (PDNS). The guidance, released in […]