About Us | Contact Us
View Cart

Get Ready to Respond to the Social Media Guidance!

By Dan Hadaway | Wednesday, February 12, 2014 - Leave a Comment

FFIEC Guidance on Social Media Risk

For the past 60 days, the writers and thinkers at infotex have been working diligently on our Social Media Guidance Response Kit.   Given that we conduct “public presence reviews” and “social media reviews” as part of our IT Audit process, we came to this table with a healthy understanding of the risks banks face due to social media.  And while the guidance is very helpful in relation to compliance risk, it misses the mark when it comes to helping banks manage the overall risk of Web 2.0 technology . . . . the use of interactive applications served over the internet.

But wait . . . .

What the guidance does well:

Before this becomes too much of a flame-post, let me say that the guidance does serve some important functions:

  1. The guidance DOES properly define the problem:  both in the way it defines social media, and in the way it expresses the many risks associated with the phenomenon.
  2. The guidance simplifies the risk expression into four risks:  compliance, legal, reputational, and privacy.   (But it “only gives a nod” to the security risks, and thus this article.)
  3. The guidance maps out, in appropriate detail, the intricate web of laws and regulations impacting the use of interactive internet applications (currently called social media).
  4. Thus the guidance serves as a map (for those who would) showing us how to TAKE compliance risk in the areas of lending products, deposit services, and payment systems.  Footnote #1

And in their defense:  the FFIEC released an advance copy of this guidance on January 23rd of last year . . . almost a year in advance of publishing the final guidance on 12/11/2013.  They did this to seek comments from the public, and while 81 official comments were received, it does not appear that any were related to information security.

But what the guidance misses:

The above benefits are great, but if we do not also address security risk . . . . what’s the point?  The guidance only gives a slight nod to the notion of security (and in that, the concern was privacy.)  But in our opinion the majority of the risk is going to be in the employee and customer sites, not in the institution-owned sites.  The guidance fails to adequately address malware, social engineering, and account takeovers.

So fortunately:

Infotex is creating a guidance response kit that will allow your team to quickly assure compliance while concurrently installing a simple review process that keeps you in compliance.  And for those who are already adequately addressing security risk, the kit allows for a stand-alone approach.  A video will show you how to focus solely on the compliance aspects of social media (and thus only the requirements of the guidance).

However, if you feel insecure about the security risk exposure from employee and customer social media assets, the kit will also give you the ability to expand the asset focus to include not only your own bank-owned site, but also the risks associated with employee and customer social media assets.

Simplicity is the key.  The kit will be simple:  language to insert in a board policy, a customize-able set of standards, and the review process (tracked with a simple excel spreadsheet).  We’re also working on training materials for your management team members and such, but that’s just the icing on the cake.

The review process will require a periodic meeting between team members (as defined in the guidance.)  It will combine risk assessing with auditing, and deliver a risk-rated report of any gaps between the guidance, the security framework, and your actual presence.

The meeting structure allows all social media assets to undergo a compliance (plus other risk if you wish) review and allows you to keep the entire process contained to the meeting (plus the agenda and the minutes).  We’re thinking this review meeting can be semi-annual for institutions that very active in social media, and annual for other institutions.

So when?

We’re doing the best we can to get the Social Media Guidance Response Kit onto our e-commerce site as soon as possible.  Our hope is that we will be posting it by the end of the month, so that we can be showing you how to use it during our workshop at the Indiana Bankers Association on March 26th.


Footnote #1:  We’re not so sure community-based banks will be that excited by the prospects of a map to deploying payment systems, lending products, and deposit services on social media.  It seems that only big-banks . . . maybe innovative regional banks . . . will be able to take advantage of the volume that would be necessary to justify these risks.  In other words, we don’t see First Bank of Nowhere spending a lot of money renting a re-branded Facebook banking app.  However, please keep in mind, most (but not all) of us thought Facebook was going to be a fad when we reluctantly wrote our first social media policy in 2007.

Original article by Dan Hadaway CRISC CISA CISM.
(Alias: the one who thought Facebook was a passing fad!)

Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    A new study highlights the benefits of looking at your network from the other side… An article review. If you were trying to attack your organization’s network, how would you start?  That’s a question you may not have asked yourself, but experts say it’s something that can help you strengthen your security.  That’s according to […]
    Google Ads, Gitlab and OneDrive have been used to distribute the BATLOADER malware… An article review. We’ve always believed that “watch where you click” has always been good advice when it comes to security online, however Microsoft is tracking the spread of malware that has been using legitimate websites to help facilitate its spread, counting […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    Thanks for being interested in our Technology Planning Webinars! The 2022 annual webinar update on technology planning includes a review of the previous years’ movies that are available, as well as alternative tactics that have arisen from recent conferences, forums, and industry experience. Feel free to invite your entire technology committee! Click the Button to […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    Microsoft, Cisco and Uber are among the companies hit by this new threat… An article review.  As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves […]
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]