About Us | Contact Us
View Cart

Get Ready to Respond to the Social Media Guidance!

By Dan Hadaway | Wednesday, February 12, 2014 - Leave a Comment

FFIEC Guidance on Social Media Risk

For the past 60 days, the writers and thinkers at infotex have been working diligently on our Social Media Guidance Response Kit.   Given that we conduct “public presence reviews” and “social media reviews” as part of our IT Audit process, we came to this table with a healthy understanding of the risks banks face due to social media.  And while the guidance is very helpful in relation to compliance risk, it misses the mark when it comes to helping banks manage the overall risk of Web 2.0 technology . . . . the use of interactive applications served over the internet.

But wait . . . .

What the guidance does well:

Before this becomes too much of a flame-post, let me say that the guidance does serve some important functions:

  1. The guidance DOES properly define the problem:  both in the way it defines social media, and in the way it expresses the many risks associated with the phenomenon.
  2. The guidance simplifies the risk expression into four risks:  compliance, legal, reputational, and privacy.   (But it “only gives a nod” to the security risks, and thus this article.)
  3. The guidance maps out, in appropriate detail, the intricate web of laws and regulations impacting the use of interactive internet applications (currently called social media).
  4. Thus the guidance serves as a map (for those who would) showing us how to TAKE compliance risk in the areas of lending products, deposit services, and payment systems.  Footnote #1

And in their defense:  the FFIEC released an advance copy of this guidance on January 23rd of last year . . . almost a year in advance of publishing the final guidance on 12/11/2013.  They did this to seek comments from the public, and while 81 official comments were received, it does not appear that any were related to information security.

But what the guidance misses:

The above benefits are great, but if we do not also address security risk . . . . what’s the point?  The guidance only gives a slight nod to the notion of security (and in that, the concern was privacy.)  But in our opinion the majority of the risk is going to be in the employee and customer sites, not in the institution-owned sites.  The guidance fails to adequately address malware, social engineering, and account takeovers.

So fortunately:

Infotex is creating a guidance response kit that will allow your team to quickly assure compliance while concurrently installing a simple review process that keeps you in compliance.  And for those who are already adequately addressing security risk, the kit allows for a stand-alone approach.  A video will show you how to focus solely on the compliance aspects of social media (and thus only the requirements of the guidance).

However, if you feel insecure about the security risk exposure from employee and customer social media assets, the kit will also give you the ability to expand the asset focus to include not only your own bank-owned site, but also the risks associated with employee and customer social media assets.

Simplicity is the key.  The kit will be simple:  language to insert in a board policy, a customize-able set of standards, and the review process (tracked with a simple excel spreadsheet).  We’re also working on training materials for your management team members and such, but that’s just the icing on the cake.

The review process will require a periodic meeting between team members (as defined in the guidance.)  It will combine risk assessing with auditing, and deliver a risk-rated report of any gaps between the guidance, the security framework, and your actual presence.

The meeting structure allows all social media assets to undergo a compliance (plus other risk if you wish) review and allows you to keep the entire process contained to the meeting (plus the agenda and the minutes).  We’re thinking this review meeting can be semi-annual for institutions that very active in social media, and annual for other institutions.

So when?

We’re doing the best we can to get the Social Media Guidance Response Kit onto our e-commerce site as soon as possible.  Our hope is that we will be posting it by the end of the month, so that we can be showing you how to use it during our workshop at the Indiana Bankers Association on March 26th.

 

Footnote #1:  We’re not so sure community-based banks will be that excited by the prospects of a map to deploying payment systems, lending products, and deposit services on social media.  It seems that only big-banks . . . maybe innovative regional banks . . . will be able to take advantage of the volume that would be necessary to justify these risks.  In other words, we don’t see First Bank of Nowhere spending a lot of money renting a re-branded Facebook banking app.  However, please keep in mind, most (but not all) of us thought Facebook was going to be a fad when we reluctantly wrote our first social media policy in 2007.


Original article by Dan Hadaway CRISC CISA CISM.
(Alias: the one who thought Facebook was a passing fad!)

Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    How Do We Know What We Know? Making Sure You Can Understand What Happened in an Incident. Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Until I reclined on my front yard, looking at the sky, following the instructions on how not to look […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    President Biden recently signed a bill tasking the agency with evaluating the unique risks that schools face… An article review. Taking note of the unique challenges educational institutions face in securing their networks, President Biden has signed a bill into law directing the Cybersecurity and Infrastructure Security Agency (CISA) to look into ways that they can […]
    Thanks for being interested in our Technology Planning Webinars! This year‘s annual update to our annual Technology Planning webinar will include a panel discussion, a review of the previous years’ movies that are already available, and a discussion about alternative tactics that have arisen from recent conferences as well as the impact of the AIO […]
    Welcome Cybersecurity Conference Attendees! Thanks for joining us for the Cybersecurity Conference today! We have created this page for you to have access to the deliverables from Dan’s talk.  
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Why It Rhymes With SEEM (And its Not the I Before E Rule) Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . It’s the Gestalt. The idea that the whole is greater than the sum of it’s parts. That’s not something that is often brought […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Questions about China’s new disclosure laws only highlight the uncertainty about disclosure in general… An article review. China recently made waves in the security world by announcing a new set of data security laws, one of which has added new fuel to a long running debate: how and when should security vulnerabilities be disclosed…and to […]