social media auditing - rausch advisory services llc. · speakerbio...

A discussion on Social Media Auditing:

Upload: hoangcong

Post on 17-May-2018


TRANSCRIPT

Page 1: Social Media Auditing - Rausch Advisory Services LLC. · SpeakerBio MikeLisenbyistheManagingPartnerofRauschAdvisoryServices.Mikehasover 18+yearsofexperienceinhelpingbusinessesmanagetheirtechnologyresources

A discussion on Social Media Auditing:


Auditing Your Social Media Presence

Mike Lisenby, Managing Partner of Rausch Advisory Services

July 10, 2015

What you don’t know can hurt you


Speaker Bio

Mike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has over 18+ years of experience in helping businesses manage their technology resources and compliance needs effectively. His experience includes consulting and co-sourcing, IT Security, IT audits, Regulatory compliance, and technology security assessments, risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike has held leadership roles with Arthur Andersen and several other National Consulting Firms, and has prior experience with Fortune Brands and Philip Morris. He designed a Virtual Security Technology Center for a National Consulting Firm and ran an ethical hacking / penetration testing team for Arthur Andersen. He has served on the Board of Directors for the Information Systems Audit and Control Association (ISACA/Atlanta & Milwaukee), and he holds a CRISC (Certified in Risk and Information Systems Control) Certification.


Agenda

• The Power of Social media
• Effective Uses of Social Media
• The Risks related to Social Media
• Strategy and Governance—policies and frameworks
• Work Program Development
• Performing a Social Media Risk Assessment
• Risk Management
• Social Media Policies and Standards
• People to Consider for the Interviews
• Training Awareness Programs
• Social Media Alignment With Business Processes
• Social Media Brand Protection
• IT infrastructure and security
• Monitoring Process
• Monitoring Tools & Technology
• Resources & References


Please  be  nice  to  your  auditors  


Social Media

“Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.”


The Power of Social Media

• Marketing: Getting connected with your customers. Two way communication.
• Customer Service: monitoring complaints to improve service

“It's great having more than nine million followers across Twitter, Facebook, Google+, LinkedIn and Instagram, and means our messages are seen and heard by a lot of people. Thanks to everybody for supporting important issues and using the web as a force for good.” – Richard Branson


The Power of Social Media

• It’s easier to keep a customer than to acquire a new one!
• Gartner, Inc. statistics show that 80% of a company's revenue will come from just 20% of its existing customers.
• A 5% increase in customer retention can increase a company's profitability by 75% - according to Bain & Company (working with Earl Sasser of Harvard Business School)
• Increased Customer Power - In the days before social media, negative company experiences might stay within an individual's circle of friends; now, stories of bad customer service and disappointing products can run quickly through social media networks.


Effective Uses of Social Media

• Customer Services Responses and Input

"'consumer' is an industrial-age word, a broadcast-age word. It implies that we are all tied to our chairs, head back, eating 'content' and crapping cash". Now consumers don't just consume. We spit back. We have our own printing presses. - Blogger and Cluetrain Manifesto co-author Doc Searls

• Launching new products
• Communicating with your potential customers
• Driving traffic back to your website
• Hiring and employment
• Not having clear guidelines
• Not having consistent guidelines
• Not being aware of current laws and regulations
• Employee engagement


The Risks of Social Media

Not having a social media policy

• A former CFO posted on YouTube criticizing Chick-Fil-A - went viral and destroyed his career.
• An Applebee's waitress took to Reddit and posted scanned copy of a receipt that featured a haughty comment from a customer.
• Ex-CFO Gene Morphis used Twitter to write about Francesca's Holdings Corp., its results and dealings between investors and his board.

Knowing the temperature and allowing open replies

• JPMorgan Chase asked Twitter followers to send questions to investment banker and company vice chairman Jimmy Lee. "Can I have my house back?" and "What is more satisfying: securities fraud on unsophisticated pension fund investors, or foreclosing on those you gave Alt-A loans?”


Additional Risks of Social Media

User Access: Not having a crisis management program

• Retailer HMV staff members live tweeted a corporate bloodletting in the U.K. on the store's official feed. "We're tweeting live from HR where we're all being fired! Exciting!!"

Regulatory: Not having social media training

• Two paramedic students who were in the ER of Martin Memorial Medical Center in Stuart, Florida as part of their training took digital photos of a patient (shark attack victim), and subsequently e-mailed the photos to numerous friends.
• “[A] physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the emergency room after failing to monitor her sugar levels. In yet another case, a medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.


Additional Risks of Social Media

• Information technology
– Spear Phishing: Bogus profiles connecting to gain contact information
– Information leakage: Sites leak your whereabouts
– Information integrity: Several social media campaigns used to lure unsuspecting users to click on hyperlinks infected with malicious code
– Inadequate authentication controls
– Cross site scripting: Facebook's controversial Instant Personalization feature affected
– Insufficient anti-automation
– (ex. Websense)
– Not having a seat at the table


MLB  Facebook  pages  hacked  


Strategy and governance—policies and frameworks

43% of businesses block access to social media on company-owned computers or handheld devices. - Society for Human Resource Management survey

Bad Idea if this is the extent of your social media Strategy & Governance.

A sound social media governance model empowers your employees while keeping them accountable.

• Social Media Policy
Guide your employees and protect your organization and your customers from risk. You should have a social media policy regardless of whether or not your business is actively engaged in a social media strategy.

• Training program
It only takes one rogue employee Tweet or Facebook post to unravel your brand image


Strategy and Governance—policies and frameworks

• Monitoring
Your brand is likely being discussed on the social web whether you’re engaged in the conversation or not.

• Crisis Management Plan
A slow response from your organization may exacerbate the crisis. At its basic level, your crisis management plan should outline how to use your social media channels to deliver a quick and appropriate response.

• Updating
The social media landscape is evolving at lightning speed, and your policies and best practices should evolve right along with it. Designate a social media governance team and a frequency for re-evaluating all elements of your governance model to assure it's never outdated.


An Audit of Social Media

• Objective: Determine that there is an effective social media management program in place
• Pre-planning: Consult with Compliance, Marketing & Legal Counsel
• Interviews: Meetings with Finance, Marketing, IT / HR, Legal and compliance
• Steps: Determination of social media strategy
– Key performance indicators and return on investment
– Alignment of policies / procedures
– Training / education


An Audit of Social Media

• Steps: Determination of social media risk assessment
– Risk mitigation strategies employed
– Included in crisis management plan
• Steps: Determination of social media governance
– http://blog.adidas-group.com/wp-content/uploads/2011/06/adidas-Group-Social-Media-Guidelines1.pdf
– http://hr.umich.edu/voices/docs/Social-Media-Guidelines.pdf
– http://www.coca-colacompany.com/stories/online-social-media-principles
• Steps: Determination that operational risks are monitored
– Monitoring of channels
– Third-party vendor management
– IT infrastructure and security


An Audit of Social Media

• Legal: Determine that Legal communicates changes in global laws and regulations on social media
• Assessment of Compliance & Ethics program: Determine the program covers social media risks
• IT: Determine that IT includes social media in risk assessment and monitoring
• Marketing: Determine that social media is included in strategy and risk assessment and that metrics are utilized to measure return on investment
• HR: Determine that social media is being utilized appropriately and consistently in recruiting and employment decisions

In the 2013 SHRM survey, 22 percent of respondents said they use social media websites like Facebook or Instagram to research job candidates, a decline from 34 percent in 2008.


When using Social Media for Hiring

• Never ask for passwords. In all 50 states, asking for an applicant’s (or employee’s) password creates a real risk of violating the federal Stored Communications Act.
• Have HR do it. The HR professional is more likely to know what he or she can and cannot consider.
• Look later in the process. After an applicant has been interviewed, when his or her membership in protected groups is likely already known.
• Be consistent. Don’t look at only one applicant’s social media profiles.
• Document decisions.
• Consider the source. There are impostor social media accounts out there.
• Be aware that other laws may apply


Resources

• ISACA: Social Media Audit / Assurance Program
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Audit-Assurance-Program.aspx
• Sample Policies
http://socialmediagovernance.com/policies/
• An effective Social Media policy addresses:
– Communication protocol
– Standardized terms/key words that may convey the company brand, product, image, campaign, business initiative, corporate social responsibility
– Use of standard logos, images, pictures, etc.
– Employee personal use of social media in the workplace
– Employee personal use of social media outside the workplace
– Employee use of social media for business purposes (personally owned devices)
– Use of mobile devices to access social media
– Required review, monitoring and follow-up processes for brand protection
– Communication of policy via social media sites to employees and acceptable public postings
– Notification that compliance monitoring will be the right of the company
– Management procedures for company accounts on social media sites
– Response protocols for response process on social media environments


Resources

• Monitoring and Publishing Tools
http://www.websense.com/
http://www.exacttarget.com/products/social-media-marketing/radian6
http://sysomos.com/
http://sproutsocial.com/
http://www.smarsh.com/
http://www.socialmention.com/
https://en.mention.com/
http://www.talkwalker.com/alerts
http://topsy.com/
https://hootsuite.com
http://pinalerts.com/index/login


Questions & Answers

Michael Lisenby
Managing Partner
(404)-281-8005

[email protected]

Download this presentation at http://rauschadvisory.com/news-events.html

 Follow  us  on