If we are issuing devices that allow text messaging to our employees, we’d be wise to update our Acceptable Use Policy to include “zero privacy expectations” for text messaging.
There are many articles on the subject; here’s the one I thought was best!
I would like to point out that this is a great example of how we need to be VERY conscious of “new assets” during our day-to-day lives. Any time we see a process, device, application, or even a new “function” of existing assets, we should be documenting that using our risk assessment tools, and brainstorming answers to the questions:
- “What threats does this new asset pose?”
- “What vulnerabilities are there in this new asset?”
- “How is this asset similar to other existing assets (in terms of threats and vulnerabilities)?”
Keep in mind that had we done this for text messaging, I think we might have thought “it’s very similar to e-mail, let’s look at the threats and vulnerabilities related to e-mail.”
In other words, our next iteration of our Acceptable Use Policy will look at text messaging not only in terms of privacy and confidentiality, but also in terms of integrity, availability, reputation, legal risk, and compliance.
Just take that last one. If a loan officer broadcasts the new low interest rate to all contacts on his smart phone, are we violating disclosure requirements of Reg Z and other regulations?
Think about it!
Let us know if you have additional information, thoughts, links, or disagreements. Simply comment on this article.
We will keep your comment private unless you give us permission to post it on the blog.
This has been a Dan’s New Leaf posting... a weekly post about whatever happens to be on Dan’s mind at the time, related of course to IT Governance in banking.