A discussion on Social Media Auditing:
Auditing Your Social Media Presence
Mike Lisenby, Managing Partner of Rausch Advisory Services
July 10, 2015
What you don’t know can hurt you
Speaker Bio
Mike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has over 18+ years of experience in helping businesses manage their technology resources and compliance needs effectively. His experience includes consulting and co-sourcing, IT Security, IT audits, Regulatory compliance, and technology security assessments, risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike has held leadership roles with Arthur Andersen and several other National Consulting Firms, and has prior experience with Fortune Brands and Philip Morris. He designed a Virtual Security Technology Center for a National Consulting Firm and ran an ethical hacking / penetration testing team for Arthur Andersen. He has served on the Board of Directors for the Information Systems Audit and Control Association (ISACA/Atlanta & Milwaukee), and he holds a CRISC (Certified in Risk and Information Systems Control) Certification.
Agenda
• The Power of Social Media
• Effective Uses of Social Media
• The Risks related to Social Media
• Strategy and Governance—policies and frameworks
• Work Program Development
• Performing a Social Media Risk Assessment
• Risk Management
• Social Media Policies and Standards
• People to Consider for the Interviews
• Training Awareness Programs
• Social Media Alignment With Business Processes
• Social Media Brand Protection
• IT infrastructure and security
• Monitoring Process
• Monitoring Tools & Technology
• Resources & References
Please be nice to your auditors
Social Media
“Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.”
The Power of Social Media
• Marketing: Getting connected with your customers. Two-way communication.
• Customer Service: monitoring complaints to improve service
“It's great having more than nine million followers across Twitter, Facebook, Google+, LinkedIn and Instagram, and means our messages are seen and heard by a lot of people. Thanks to everybody for supporting important issues and using the web as a force for good.” – Richard Branson
• It’s easier to keep a customer than to acquire a new one!
• Gartner, Inc. statistics show that 80% of a company's revenue will come from just 20% of its existing customers.
• A 5% increase in customer retention can increase a company's profitability by 75% - according to Bain & Company (working with Earl Sasser of Harvard Business School)
• Increased Customer Power - In the days before social media, negative company experiences might stay within an individual's circle of friends; now, stories of bad customer service and disappointing products can run quickly through social media networks.
Effective Uses of Social Media
• Customer Services Responses and Input
"'consumer' is an industrial-age word, a broadcast-age word. It implies that we are all tied to our chairs, head back, eating 'content' and crapping cash". Now consumers don't just consume. We spit back. We have our own printing presses. - Blogger and Cluetrain Manifesto co-author Doc Searls
• Launching new products
• Communicating with your potential customers
• Driving traffic back to your website
• Hiring and employment
• Not having clear guidelines
• Not having consistent guidelines
• Not being aware of current laws and regulations
• Employee engagement
The Risks of Social Media
Not having a social media policy
• A former CFO posted on YouTube criticizing Chick-Fil-A - went viral and destroyed his career.
• An Applebee's waitress took to Reddit and posted a scanned copy of a receipt that featured a haughty comment from a customer.
• Ex-CFO Gene Morphis used Twitter to write about Francesca's Holdings Corp., its results and dealings between investors and his board.
Knowing the temperature and allowing open replies
• JPMorgan Chase asked Twitter followers to send questions to investment banker and company vice chairman Jimmy Lee. "Can I have my house back?" and "What is more satisfying: securities fraud on unsophisticated pension fund investors, or foreclosing on those you gave Alt-A loans?"
User Access: Not having a crisis management program
• Retailer HMV staff members live tweeted a corporate bloodletting in the U.K. on the store's official feed. "We're tweeting live from HR where we're all being fired! Exciting!!"
Regulatory: Not having social media training
• Two paramedic students who were in the ER of Martin Memorial Medical Center in Stuart, Florida as part of their training took digital photos of a patient (shark attack victim), and subsequently e-mailed the photos to numerous friends.
• “[A] physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the emergency room after failing to monitor her sugar levels. In yet another case, a medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.
Additional Risks of Social Media
• Information technology
– Spear Phishing
  Bogus profiles connecting to gain contact information
– Information leakage
  Sites leak your whereabouts
– Information integrity
  Several social media campaigns used to lure unsuspecting users to click on hyperlinks infected with malicious code
– Inadequate authentication controls
– Cross site scripting
  Facebook's controversial Instant Personalization feature affected
– Insufficient anti-automation
– (ex. Websense)
– Not having a seat at the table
MLB Facebook pages hacked
Strategy and governance—policies and frameworks
43% of businesses block access to social media on company-owned computers or handheld devices. - Society for Human Resource Management survey
Bad idea if this is the extent of your social media Strategy & Governance. A sound social media governance model empowers your employees while keeping them accountable.
• Social Media Policy
Guide your employees and protect your organization and your customers from risk. You should have a social media policy regardless of whether or not your business is actively engaged in a social media strategy.
• Training program
It only takes one rogue employee Tweet or Facebook post to unravel your brand image.
• Monitoring
Your brand is likely being discussed on the social web whether you’re engaged in the conversation or not.
• Crisis Management Plan
A slow response from your organization may exacerbate the crisis. At its basic level, your crisis management plan should outline how to use your social media channels to deliver a quick and appropriate response.
• Updating
The social media landscape is evolving at lightning speed, and your policies and best practices should evolve right along with it. Designate a social media governance team and a frequency for re-evaluating all elements of your governance model to assure it's never outdated.
• Objective: Determine that there is an effective social media management program in place
• Pre-planning: Consult with Compliance, Marketing & Legal Counsel
• Interviews: Meetings with Finance, Marketing, IT / HR, Legal and compliance
• Steps: Determination of social media strategy
– Key performance indicators and return on investment
– Alignment of policies / procedures
– Training / education
An Audit of Social Media
• Steps: Determination of social media risk assessment
– Risk mitigation strategies employed
– Included in crisis management plan
• Steps: Determination of social media governance
– http://blog.adidas-group.com/wp-content/uploads/2011/06/adidas-Group-Social-Media-Guidelines1.pdf
– http://hr.umich.edu/voices/docs/Social-Media-Guidelines.pdf
– http://www.coca-colacompany.com/stories/online-social-media-principles
• Steps: Determination that operational risks are monitored
– Monitoring of channels
– Third-party vendor management
– IT infrastructure and security
• Legal: Determine that Legal communicates changes in global laws and regulations on social media
• Assessment of Compliance & Ethics program: Determine the program covers social media risks
• IT: Determine that IT includes social media in risk assessment and monitoring
• Marketing: Determine that social media is included in strategy and risk assessment and that metrics are utilized to measure return on investment
• HR: Determine that social media is being utilized appropriately and consistently in recruiting and employment decisions
In the 2013 SHRM survey, 22 percent of respondents said they use social media websites like Facebook or Instagram to research job candidates, a decline from 34 percent in 2008.
When using Social Media for Hiring
• Never ask for passwords. In all 50 states, asking for an applicant’s (or employee’s) password creates a real risk of violating the federal Stored Communications Act.
• Have HR do it. The HR professional is more likely to know what he or she can and cannot consider.
• Look later in the process. After an applicant has been interviewed, when his or her membership in protected groups is likely already known.
• Be consistent. Don’t look at only one applicant’s social media profiles.
• Document decisions.
• Consider the source. There are impostor social media accounts out there.
• Be aware that other laws may apply
• ISACA: Social Media Audit / Assurance Program
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Audit-Assurance-Program.aspx
• Sample Policies
http://socialmediagovernance.com/policies/
• An effective Social Media policy addresses:
– Communication protocol
– Standardized terms/key words that may convey the company brand, product, image, campaign, business initiative, corporate social responsibility
– Use of standard logos, images, pictures, etc.
– Employee personal use of social media in the workplace
– Employee personal use of social media outside the workplace
– Employee use of social media for business purposes (personally owned devices)
– Use of mobile devices to access social media
– Required review, monitoring and follow-up processes for brand protection
– Communication of policy via social media sites to employees and acceptable public postings
– Notification that compliance monitoring will be the right of the company
– Management procedures for company accounts on social media sites
– Response protocols for response process on social media environments
Resources
• Monitoring and Publishing Tools
http://www.websense.com/
http://www.exacttarget.com/products/social-media-marketing/radian6
http://sysomos.com/
http://sproutsocial.com/
http://www.smarsh.com/
http://www.socialmention.com/
https://en.mention.com/
http://www.talkwalker.com/alerts
http://topsy.com/
https://hootsuite.com
http://pinalerts.com/index/login
Questions & Answers
Michael Lisenby
Managing Partner
(404)-281-8005
Download this presentation at http://rauschadvisory.com/news-events.html