An Osterman Research White Paper
Published February 2012

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]
www.ostermanresearch.com • twitter.com/mosterman

Important Issues for Federal Agencies to Consider When Using Social Media and Unified Communications

Nov 01, 2014


This white paper discusses some of the technologies in use by the US Federal government, provides an overview of some of the regulations imposed upon Federal agencies, and offers advice on what Federal agencies should do to mitigate the risks created by use of established and new communications technologies.

Why You Should Read This White Paper

FEDERAL AGENCIES ARE AT RISK

A July 2007 United States Government Accountability Office (GAO) report[i] found that almost all of the 24 major US federal agencies had significant information security control vulnerabilities, most notably focused on access control, continuity of operations and configuration management. The report found that these security holes could put at risk, among other items, federal payments and collections, critical defense and emergency services operations, sensitive taxpayer data and Social Security records, and agency missions of various types.

The US Federal government is the United States’ largest single employer, employing 2.15 million people in 2010, or 1.6% of the US workforce[ii]. Information security is of vital importance to the Federal government, partly because of the very large amount of sensitive data that the US government has under its control. For example, the US government maintains tax records on most individuals living in the United States, it maintains health records for tens of millions of Americans, and it maintains a variety of other types of protected information.

DATA BREACHES ARE NOT UNCOMMON IN THE FEDERAL GOVERNMENT

Not surprisingly, there have been a sizable number of data breaches that have occurred within the US government, some recent examples of which are shown below:

• In late October 2010, the General Services Administration (GSA) announced that six weeks earlier an employee of the GSA emailed the names and Social Security numbers of all 12,000+ staff members at the GSA to a personal email address[iii].

• A report in January 2011 showed that a client computer at the Veteran’s Affairs Medical Center in White River Junction, VT, allowed individuals to anonymously log onto a network, giving them access to sensitive patient information[iv].

• The Orthopedics department of a Veteran’s Affairs facility in Chicago, IL, used Yahoo! to track patient scheduling, including the names, dates and types of surgery performed on 878 patients. This began in July 2007 and was shut down only in late November 2010[v].

• A report in December 2010 showed that a subcontractor for the Social Security Administration Office of Temporary Disability Assistance in New York, NY, accessed and stored roughly 15,000 Social Security numbers, including (possibly) the addresses, telephone numbers and birthdates of these individuals[vi].

• In June 2010, a partial search of the National Highway Traffic Safety Administration’s public complaint database revealed the names, addresses, birthdates, vehicle identification numbers and driver’s license numbers in up to 792,000 complaint cases.

As a result of the growing potential for data breaches, the increasing number of information tools and assets maintained by the Federal government, as well as a general recognition that information security is critically important from a national security perspective, the US government has been ratcheting up its information security posture over the past decade. For example, the US government spent roughly $68 billion on information technology and $6.2 billion on information security in 2008 alone[vii]. These figures are expected to increase significantly over the next several years.

ABOUT THIS WHITE PAPER

This white paper sets out to do the following:

• Discuss some of the technologies in use by the US Federal government

• Offer an overview of some of the variety of regulations imposed upon Federal agencies

• Offer advice on what Federal agencies should do to mitigate the risks created by use of established and new communications technologies

This white paper also discusses the sponsor of this white paper, Actiance, and its offerings that specifically address the security and compliance issues addressed in this document.

Communications Practices in the Federal Government

GROWING ADOPTION OF UNIFIED COMMUNICATIONS

Both voicemail integration and enterprise instant messaging hold the promise of speeding up processes and streamlining communication between people in many industries, particularly in the Federal government, given its size and the scope of the services it offers. Voicemail integration with email inboxes means that end users can get their voicemail from wherever they receive their email, thus eliminating voice messages as a separate and siloed repository. Enterprise instant messaging, when combined with presence, gives a clear indication of when people are available for interaction, irrespective of their location or time zone. This is particularly important for government agencies that are often distributed nationally or internationally with sometimes hundreds of field offices that must share information and work jointly on projects.

There are myriad problems associated with managing email systems; real-time communications systems, such as instant messaging; as well as unified communications, social networking, and the like. As shown in the following table from an Osterman Research survey conducted in 2010, organizations face a variety of problems in this regard.

Top Ten Security Concerns
% Responding a Serious or Very Serious Concern

| Problem | % |
|---|---|
| Malware being introduced from employees’ Web surfing | 56% |
| Phishing attacks | 42% |
| Data loss from employees sending confidential info via email | 41% |
| Malware being introduced from employees’ home computers | 40% |
| Virus/worm/malware infections | 38% |
| Users complaining about mailbox quotas | 36% |
| Breaches of sensitive customer data | 35% |
| Malware being introduced from employees’ personal Webmail | 34% |
| Spam – the amount that your organization receives | 34% |
| Breaches of sensitive internal data | 34% |

Skype is another important service that is finding more users, including those in government. For example, as of mid-2010, there were 560 million total Skype accounts[viii].

SOCIAL NETWORKING TOOLS ARE BECOMING IMPORTANT

Social networking tools are exploding in popularity. Consider the following:

• Facebook had 153.9 million unique visitors in December 2010 in the United States alone, an increase of 38% from December 2009[ix]. December 2010 also saw 26.6 million US visitors and 23.6 million visitors to Twitter, representing increases of 30% and 18%, respectively, compared to a year earlier.

• Further, the penetration of social media sites continues to increase. For example, while the number of unique visitors to Facebook increased by 38% during the year ended December 2010, total minutes spent on the site increased by 79%[x].

Many Federal agencies are significant users of social networking tools. A growing number of Federal agencies have a social networking presence, including the Federal Emergency Management Agency (FEMA), the Centers for Disease Control (CDC), the Department of Homeland Security (DHS), the Environmental Protection Agency (EPA), the National Aeronautics and Space Administration (NASA), the National Science Foundation (NSF), and many others. For example, the Veteran’s Administration uses social media to develop a consistent voice for its practice and policies and also to obtain feedback on its performance[xi]; FEMA will be expanding its use of social media in order to better respond to disasters[xii].

Some Federal government social networking accounts are among the top sites followed: the NASA Twitter account, for example, has more than 800,000 followers as of February 2010 and ranks 429th out of the millions of accounts on Twitter. The CDC uses social media for distributing information on a variety of health issues and has more than 95,000 followers on Twitter and more than 78,000 “likes” on Facebook. FEMA uses Twitter and Facebook to distribute information on emergency situations and preparedness activities with more than 30,000 followers on Twitter.


The Growing Risk of Non-Compliance

REGULATIONS GOVERNING USE OF COMMUNICATIONS TOOLS

There are a variety of Federal government regulations and recommendations that focus on the use of communications tools and the output generated by them. Among the more important of these regulations are the following:

• Federal Information Security Management Act of 2002 (FISMA)
FISMA is a far-reaching law that requires every agency within the United States Federal government to develop and manage an information security plan for every information asset it owns, as well as those that support its operations. A key part of FISMA is the requirement for an annual review by CIOs, inspectors general and others, and a submission of this audit to the Office of Management and Budget (OMB). OMB, in turn, prepares a report on information technology compliance for submission to Congress. Key components of FISMA include the ability for information systems used by the Federal government to meet minimum security standards, a system security plan that must be periodically reviewed and updated, and continuous monitoring of key information system components. Important publications that are relevant to all Federal agencies include Special Publication 800-53 (Recommended Security Controls for Federal Information Systems) and Federal Information Processing Standards Publication 200 (Minimum Security Requirements for Federal Information and Information Systems).

• National Industrial Security Operating Manual (NISPOM)
NISPOM was issued as part of the National Industrial Security Program (NISP) to codify the “requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information” by the Federal government. NISPOM is focused on the Executive Branch of the US government and its agencies and focuses on how information is disclosed to its contractors. Focus areas of NISPOM include Restricted Data, Formerly Restricted Data, sources of intelligence and the methods used to obtain this information, Special Access Program (SAP) information, and Sensitive Compartmented (SC) Information. Management of NISP is the responsibility of the National Security Council. A key part of NISPOM is Chapter 8, Information System Security.

• Director of Central Intelligence Directive 6/3
This directive created the US government’s security policies and procedures for managing classified intelligence information in government-operated information systems, specifically those systems that manage SAP and SC information as noted above. This directive encompasses any information system that involves the management, transmission, storage, interchange or other processing of both voice and data information. As such, it applies to virtually any type of information system that might be operated by the Federal government that is focused on SAP or SC information.


• National Archives and Records Administration (NARA)
NARA is the official archivist of the US Federal government. As such, it has been given the responsibility to archive all official records of legislation, executive orders, Federal regulations and other content. NARA has been among the more proactive of the US Federal agencies in terms of how it uses social networking and social media technologies. For example, in 2009, the US National Archives launched a channel on YouTube to make archived content of public interest more accessible, and it launched a Flickr account to share US government-archived photographs with the public.

• National Institute of Standards and Technology (NIST)
This agency provides guidance to federal agencies for information systems and security policies and procedures, offers technical assistance regarding compliance with various standards, and it develops standards for information categorization.

• Other regulations, committees, etc.
Other regulations focused on Federal information security include:

o National Security Directive 42 – established what is now known as the Committee on National Security Systems, an interagency organization focused on providing guidance for system security to executive-branch agencies. The committee is represented by several Cabinet-level departments.

o Public Law 107-347 – established the position of Federal Chief Information Officer within the OMB to oversee the management of electronic systems in use by the Federal government.

o Directive-Type Memorandum (DTM) 09-026 – focuses on a range of social media, including wikis, blogs, social networks, and other Internet-based capabilities. The DTM imposes restrictions on the use of social media, including requirements for disclaimers when personal opinions are expressed, imposition of records management policies on posted content, and limitations on personal use of these tools.

o Clinger-Cohen Act – enacted in 1996, this Act focuses on improving the efficiency of the manner in which the Federal government procures and manages its IT resources. While not focused on security issues per se, the Act does focus on information architectures that could have an impact on Federal information security.

o Information Security and Identity Management Committee – offers a forum to support the Federal CIO Council on matters related to identity management and information security issues.

PROPOSED REGULATIONS

• Secure Federal File Sharing Act (H.R. 4098)
This Act would require the Director of the OMB to work with the Federal Chief Information Officers Council to issue guidelines on the use of peer-to-peer (P2P) file-sharing programs. This Act contains several provisions, including a) an approval process for P2P file-sharing programs that are necessary for use by Federal agencies, b) prohibition on the use of unauthorized programs by government employees or its contractors, and c) management of P2P file-sharing programs by government employees and contractors on their home computers when used in telecommuting situations.

• United States Information and Communications Enhancement Act of 2009 (S. 921)
This bill would amend Chapter 35 of Title 44 of the United States Code to improve the US Federal government’s awareness of information security policies, practices and procedures. Specifically, the bill would eliminate subchapters II and III from Chapter 35 and replace it with text that focuses on the importance of information security and a recognition that security focuses on any information system, including telecommunications systems, among many other provisions. This bill would establish the National Office for Cyberspace.

• Protection of privacy and security for commercial data brokers’ information (S. 1490)
This proposed bill would enhance the punishment for identity theft. Specifically, this bill would impose a fine and/or prison sentence for up to five years on anyone who has an obligation to report a security breach and fails to do so.

OTHER IMPORTANT CONSIDERATIONS

• GAO Report on Social Media
In June 2011, the General Accounting Office (GAO) published Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate[xiii]. This report, in response to a request from members of Congress, set out to accomplish two goals: a) study how federal agencies are using commercial social media services, and b) determine the extent of these agencies’ policies and procedures for managing social media use. The performance audit that was conducted between July 2010 and June 2011, results of which were published in this report, discussed the key challenges that federal agencies face in managing social media use, including fulfilling their records management obligations and the security threats they face when using social media. Moreover, the report provides a set of high-level recommendations for specific government agencies in the context of their social media use.

• Guidelines for Secure Use of Social Media by Federal Departments and Agencies
This document[xiv], released in September 2009, discusses the risks that government agencies face from the use of social media, Web tools, and other capabilities. It also offers recommendations about how to mitigate these risks, including the creation and enforcement of policies focused on appropriate use of communications tools, acquisition controls that will help agencies to determine the specific types of tools and capabilities that should be implemented, the training that employees should undergo, and the network- and host-level controls that should be implemented to protect against attacks.

• Intelligence Community Directive Number 503
This document[xv] establishes “Intelligence Community policy for information technology systems security risk management, certification and accreditation.” This document focuses on a strategic and holistic process for managing risk among interconnected systems used primarily in the defense and intelligence communities.

• Office of Management and Budget Circular A-123
This memorandum[xvi], published in late 2004, focuses on internal management controls in Federal agencies necessitated by the passing of the Sarbanes-Oxley (SOX) Act of 2002. In essence, it defines the federal version of SOX.

What You Must Do to Mitigate the Risks

There are several issues that any government agency must address with respect to managing their employees’ and others’ use of instant messaging, social networking and other tools. We have developed six basic points that every decision maker should seriously consider as they attempt to minimize the risks that their agency faces from unfettered use of these tools, while at the same time maximizing the value they can derive from them.

CONTROL USE OF UNAUTHORIZED TOOLS

An Osterman Research report published in August 2010 found that only 34% of IT decision makers consider Twitter to be a legitimate tool for use in a business context, but 50% allow it to be used in their organizations. We found a similar pattern for a variety of other tools, as shown in the following figure.


[Figure: IT Views on Legitimacy of Various Applications]

As demonstrated in the figure above, IT departments allow far more use of communications and information tools than they consider to be legitimate, resulting in the potential for serious risk if the content from unauthorized use of these tools is not logged or otherwise managed properly. It is imperative that financial services firms implement capabilities that can control use of communications and information tools so that only authorized users can use specific tools.

Underscoring the severity of the problem is a February 2011 Osterman Research survey[xvii] of mid-sized and large organizations in multiple industries that found that relatively few organizations have implemented policies focused on social media and other tools. For example, the survey found that only 18% of organizations have a detailed and thorough policy focused on employees’ use of Twitter and Facebook, while only 15% of organizations have such a policy focused on the use of LinkedIn.

LOG ALL CONTENT, INCLUDING POSTS TO SOCIAL NETWORKING SITES

It is absolutely vital to log all content sent through instant messaging clients, unified communications systems, social networking tools and websites, even if the use of these tools is unofficial and not sanctioned formally by either the IT department or an agency’s senior management. A failure to log traffic sent to or received from any communications or information venue can result in serious consequences with auditors and others.


For example, an employee of a Federal agency could offer his or her opinion on a pending case via Twitter, perhaps inadvertently, and thereby reveal sensitive information that had not yet been made public. To help manage the use of these tools, the content posted or received from any social networking, instant messaging, or other tool must be logged so that an agency can a) monitor these communications for policy enforcement purposes, and b) correct errant employee behavior, if only after the fact. However, some tools, such as Twitter, do not offer logging capabilities.

BLOCK THREATS

The threat landscape is becoming significantly more serious on several fronts:

• Social engineering techniques can fool even very experienced users. For example, a Twitter account that becomes infected by a worm can result in tweets sent to hundreds or thousands of individuals. If any of these recipients clicks on the link that could be sent by the compromised account, tens of thousands of users could end up being infected.

• Because the Web and Web 2.0 applications are generally less well-defended than email systems and because many government users install consumer-oriented Web 2.0 applications on their work or home computers, the Web is a more fertile field for hackers and other criminals.

• Spearphishing, whaling and phishing attacks are becoming more common and more numerous. Some government agencies have been successfully breached via these attacks.

There is a broad range of threats that can be distributed through social networking, instant messaging, unified communications, and other tools. For example, an Osterman Research survey published in August 2010 found that in 12% of organizations, malware had successfully infiltrated the corporate network through Web 2.0 applications during the one-year period ended Spring 2010. Sixty-two percent of organizations had experienced malware infiltration through the Web – often through Web 2.0 applications like Twitter – during the same period. The key, then, is to monitor the use of all communications venues and block threats from being propagated throughout the network while allowing legitimate traffic to be passed through unencumbered.

PREVENT DATA LEAKAGE

One of the most important capabilities that any agency must enable is the monitoring and prevention of the leakage of sensitive, confidential, or other information that could be damaging to the owner of that information. This might include any information that is overtly sensitive, such as taxpayer information or the healthcare records of Medicare patients. However, it can also include seemingly innocuous posts to Twitter or other social networking sites that recipients could piece together to gather intelligence about an investigation or corporate audit. The bottom line here is that sensitive information of any kind sent through any communications or information channel must be protected.


ARCHIVE CONTENT

Another critical component of any information management strategy is the ability to archive all content sent or received regardless of the tools that are used to send it. This obviously includes emails, instant messages and other electronic content. The need to archive is driven in no small part by Federal Freedom of Information Act (FOIA) requirements that demand the preservation of content.

INTEGRATE WITH EXISTING ARCHIVING SYSTEMS

Closely related to the point above is that it is imperative not only to archive content for any communications or information system, but also to integrate this archived content with existing archiving tools in the organization. Because Federal agencies must archive content for FOIA compliance, among other reasons, it is clearly a best practice to integrate other content archives into the primary archive already being used. This can save significant amounts of time when searching for content and can ensure a common interface is used to search for and access content, regardless of its source.

Summary

Federal agencies must manage content in a manner that is consistent with the growing number of Federal regulations focused on information security and content retention. This includes the traditional content medium of paper, of course, but more recently, content sent electronically through email and instant messages. However, as modes of communications evolve and new technologies are introduced, users in Federal agencies have been presented with a growing array of new communications alternatives, including unified communications systems that can store voice content as easily as they can retain emails or instant messaging conversations; social networking tools like Twitter, Facebook or LinkedIn; or telephony alternatives like Skype that combine voice and instant messaging capabilities.

While the regulation of these new forms of communication has not always kept pace with their use, there are a variety of reasons for agencies to embrace use of these new technologies in order to reduce costs and provide better customer service. At the same time, however, there are a number of best practices that any Federal agency should follow to ensure that it will be compliant with current and anticipated regulations and that it will minimize the risks associated with use of these tools.

Vantage

Vantage is the de facto platform for granular security and policy controls for real-time communications – providing management for the broadest set of applications and modalities, including Microsoft Lync, public instant messaging platforms such as Windows Live Messenger and Skype, Web conferencing, and industry-focused networks like Thomson Reuters Messenger, Bloomberg, and YellowJacket.


Unified Security Gateway

Actiance Unified Security Gateway (USG) complements Vantage by blocking the use of other applications that bypass corporate security policies and introduce additional risk to the organization. USG provides granular control of Web 2.0 applications, monitoring, securing, and recording content to reduce outbound data leaks and to enable compliance with industry regulations, legal discovery requirements, and corporate policy standards. USG also logs social media conversations in compliance with the strictest requirements for record-keeping and tamper-proof data auditing for customers in highly regulated industries such as financial services, insurance, energy, education, and healthcare.

Insight

Actiance Insight interfaces with USG and Vantage to provide enterprise data visualization of user behavior, browsing patterns, and Web application usage trends. Ideal for managing enterprise networks which encompass multiple locations, the dynamic, multi-dimensional graphical interface provided by Actiance Insight provides complete visibility into Internet and real-time application usage that has not previously been possible with legacy reporting applications for Web security and data compliance.

Socialite

Socialite is Actiance’s security, management, and compliance solution for Social Networks, providing granular control of Facebook, LinkedIn, and Twitter. It not only controls access to 180 different features across social networks, but Socialite can also moderate, manage, and archive any social media traffic routed through the solution, which can either be on-premise or hosted.


About Actiance, Inc.

Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM, and Cisco.

Actiance, Inc.
1301 Shoreway Suite 275
Belmont, CA 94002 USA
Toll-free: +1 888 349 3223
Phone: +1 650 631 6300
Fax: +1 650 598 2820
[email protected]
www.actiance.com

For Web and Unified Communications security news, follow Actiance on Twitter, http://www.twitter.com/actiance


© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

[i] http://www.gao.gov/new.items/d07837.pdf
[ii] http://www.bls.gov/news.release/empsit.nr0.htm
[iii] http://www.nytimes.com/2010/11/07/us/07breach.html
[iv] Source: PHIPrivacy.net
[v] Source: PHIPrivacy.net
[vi] Source: DataBreaches.net
[vii] Source: FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002
[viii] http://online.wsj.com/article/SB10001424052748703293204576106132286203062.html
[ix] U.S. Digital Year in Review 2010, comScore
[x] U.S. Digital Year in Review 2010, comScore
[xi] http://fcw.com/articles/2011/02/14/feat-citizen-outreach-social-media.aspx
[xii] http://www.dailyfinance.com/story/taxes/can-twitter-help-fema-respond-to-disasters/19807666/
[xiii] http://www.gao.gov/new.items/d11605.pdf
[xiv] http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf
[xv] http://www.dni.gov/electronic_reading_room/ICD_503.pdf
[xvi] http://www.whitehouse.gov/omb/circulars_a123_rev/
[xvii] Messaging Policy Market Trends 2010-2013, Osterman Research, Inc.