About Us | Contact Us
View Cart

Get Ready to Respond to the Social Media Guidance!

By Dan Hadaway | Wednesday, February 12, 2014 - Leave a Comment

FFIEC Guidance on Social Media Risk

For the past 60 days, the writers and thinkers at infotex have been working diligently on our Social Media Guidance Response Kit.   Given that we conduct “public presence reviews” and “social media reviews” as part of our IT Audit process, we came to this table with a healthy understanding of the risks banks face due to social media.  And while the guidance is very helpful in relation to compliance risk, it misses the mark when it comes to helping banks manage the overall risk of Web 2.0 technology . . . . the use of interactive applications served over the internet.

But wait . . . .

What the guidance does well:

Before this becomes too much of a flame-post, let me say that the guidance does serve some important functions:

  1. The guidance DOES properly define the problem:  both in the way it defines social media, and in the way it expresses the many risks associated with the phenomenon.
  2. The guidance simplifies the risk expression into four risks:  compliance, legal, reputational, and privacy.   (But it “only gives a nod” to the security risks, and thus this article.)
  3. The guidance maps out, in appropriate detail, the intricate web of laws and regulations impacting the use of interactive internet applications (currently called social media).
  4. Thus the guidance serves as a map (for those who would) showing us how to TAKE compliance risk in the areas of lending products, deposit services, and payment systems.  Footnote #1

And in their defense:  the FFIEC released an advance copy of this guidance on January 23rd of last year . . . almost a year in advance of publishing the final guidance on 12/11/2013.  They did this to seek comments from the public, and while 81 official comments were received, it does not appear that any were related to information security.

But what the guidance misses:

The above benefits are great, but if we do not also address security risk . . . . what’s the point?  The guidance only gives a slight nod to the notion of security (and in that, the concern was privacy.)  But in our opinion the majority of the risk is going to be in the employee and customer sites, not in the institution-owned sites.  The guidance fails to adequately address malware, social engineering, and account takeovers.

So fortunately:

Infotex is creating a guidance response kit that will allow your team to quickly assure compliance while concurrently installing a simple review process that keeps you in compliance.  And for those who are already adequately addressing security risk, the kit allows for a stand-alone approach.  A video will show you how to focus solely on the compliance aspects of social media (and thus only the requirements of the guidance).

However, if you feel insecure about the security risk exposure from employee and customer social media assets, the kit will also give you the ability to expand the asset focus to include not only your own bank-owned site, but also the risks associated with employee and customer social media assets.

Simplicity is the key.  The kit will be simple:  language to insert in a board policy, a customize-able set of standards, and the review process (tracked with a simple excel spreadsheet).  We’re also working on training materials for your management team members and such, but that’s just the icing on the cake.

The review process will require a periodic meeting between team members (as defined in the guidance.)  It will combine risk assessing with auditing, and deliver a risk-rated report of any gaps between the guidance, the security framework, and your actual presence.

The meeting structure allows all social media assets to undergo a compliance (plus other risk if you wish) review and allows you to keep the entire process contained to the meeting (plus the agenda and the minutes).  We’re thinking this review meeting can be semi-annual for institutions that very active in social media, and annual for other institutions.

So when?

We’re doing the best we can to get the Social Media Guidance Response Kit onto our e-commerce site as soon as possible.  Our hope is that we will be posting it by the end of the month, so that we can be showing you how to use it during our workshop at the Indiana Bankers Association on March 26th.

 

Footnote #1:  We’re not so sure community-based banks will be that excited by the prospects of a map to deploying payment systems, lending products, and deposit services on social media.  It seems that only big-banks . . . maybe innovative regional banks . . . will be able to take advantage of the volume that would be necessary to justify these risks.  In other words, we don’t see First Bank of Nowhere spending a lot of money renting a re-branded Facebook banking app.  However, please keep in mind, most (but not all) of us thought Facebook was going to be a fad when we reluctantly wrote our first social media policy in 2007.


Original article by Dan Hadaway CRISC CISA CISM.
(Alias: the one who thought Facebook was a passing fad!)

Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    Today we present a special BONUS awareness poster for YOUR customers (and users).  This update to the April 2022 Awareness Poster takes some cues from the Dan’s New Leaf article: Why Local? Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the […]
    Awareness is 9/11’s of the battle, if we use it! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . One of my old college buddies hates banks.  He was turned down for a loan a long time ago and just can’t let go.  I actually […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]