In this presentation, we discuss the considerations for an effective social media policy in Government.

1. Building a Modern Security Policy for Social Media Page 1

3. Graduate of Russian basic course, Defense Language Institute, Monterey, CA

4. DotCom survivor

5. Infantryman, deployed to Afghanistan (2004)

6. CISSP #50247 (2003), ISSEP (2005)

7. Former CISO, Unisys Federal Service Delivery Center

9. CISSP (2007), CAP (2007)

10. Federal Information Security Architect for Tantus Technology

13. Are you using Government-owned hosting?

14. Do you don’t know how/where you’re being hosted?

16. NIST Risk Management Framework Page 7

17. Defining the Problem Space: SDLC Initiation to O&M is a minimum of 120 days with 6 months being typical. How does this fit into your plans for social media? Page 8

19. Hosting: CO-CO v/s GO-GO

20. Security: Enabler v/s Roadblock

21. Simplicity: Engagement v/s “Shiny Objects”

23. Threat Landscape Government to Government: Internal social media services within or between agencies Government (internally hosted) to Public: Social media services on government sites Government (externally hosted) to Public: External social media services used by the government Government users in public: Social media services used by government users Page 11

24. Getting to a Good SocMed Policy Engage early, engage often Policy should focus on risk, not technology Social media technology changes constantly Data protection requirement is constant Consider the business case Consider the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation Make risk-based decisions goals Page 12

25. Primary Resources CIO Council Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0 http://www.cio.gov/library/library_category2.cfm?structure=Information%20Technology&category=IT%20Security%20/%20Privacy GSA Terms of Service Agreements with New Media Providers http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml NARA Records Management Policy and Guidance http://archives.gov/records-mgmt/policy/ Page 13

26. Primary Resources - FISMA NIST SP 800-37 Rev. 1 DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach NIST SP 800-39 DRAFT Managing Risk from Information Systems: An Organizational Perspective SP 800-53 Rev. 3 Recommended Security Controls for Federal Information Systems and Organizations http://csrc.nist.gov/publications/PubsSPs.html Page 14

27. Related Requirements Communications Policy 508 Compliance Policy Federal Records Management Policy Page 15

29. Risk Mitigation Approaches

30. Risk Tolerance

31. Risk Monitoring Approaches

32. Linkage to ISO/IEC 27001Risk Management Strategy TIER 1 Organization NIST SP 800-39 TIER 2 Mission / Business Process TIER 3 Information System

34. Information Flows

35. Information Categorization

36. Information Protection Strategy

37. Information Security Requirements

39. Information System Categorization

40. Selection of Security Controls

42. Risk Acceptance

43. Continuous MonitoringTIER 1 Organization NIST SP 800-37 TIER 2 Mission / Business Process Risk Management Framework TIER 3 Information System

44. Policy Controls Social Media Communications Strategy Acceptable Use Policies (AUP) Content Filtering and Monitoring Privacy and Security Support Integration with NIST SP 800-39 and NIST SP 800-37 Risk Management Page 19

45. Policy Controls – NIST Guidance AC-20 Use of External Information Systems AC-22 Publicly Accessible Content IA-2 Identification and Authentication (Organizational Users) IA-5 Authenticator Management IA-7 Cryptographic Module Authentication IA-8 Identification and Authentication (Non-Organizational Users) Page 20

46. Policy Controls – NIST Guidance IR-5 Incident Monitoring IR-6 Incident Reporting IR-7 Incident Response Assistance IR-8 Incident Response Plan PL-4 Rules of Behavior PL-5 Privacy Impact Assessment RA-1 Risk Assessment Policy and Procedures SI-12 Information Output Handling and Retention Page 21

47. Acquisition Controls Strong Authentication Social Media services security practice Comment moderation and monitoring social media Ensure federal security requirements are met by using dedicated resources from vendors Modify user’s public profiles from .gov or .mil email addresses to provide stronger security Page 22

48. Acquisition Controls Partner with social media services to: Provide traceability to federal employee accounts Improve communications between providers and Security Operations Centers (SOC) Allow independent monitoring of social media service providers Encourage use of validated and signed code Ensure social media provider maintains appropriate configuration, patch and technology refresh levels Page 23

49. Acquisition Controls Ensure an independent risk assessment Records management in accordance with NARA record schedules, FOIA requests and e-discovery litigation holds Ensure hosted federal content is accessible at any time and stored in editable and non-proprietary formats Page 24

50. Acquisition Controls – NIST Guidance SA-1 System and Services Acquisition Policy and Procedures SA-2 Allocation of Resources SA-3 Life Cycle Support SA-4 Acquisitions SA-5 Information System Documentation SA-9 External Information System Services Page 25

51. Acquisition Controls – GSA Guidance Terms of Service Agreements Social media services standard Terms of Service (TOS) Agreements present legal problems Many services are free, making it hard to encourage services to negotiate new TOS On behalf of the government, GSA has negotiated new TOS for many social media services http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml Page 26

52. Training Controls Provide awareness, guidance and training on: Information to that can be shared, can not be shared and with whom it can be shared Social media policies and guidelines including AUP Blurring of personal and professional life as appropriate For Operations Security (OPSEC) on risks of social media Federal employees self-identification on social media sites, depending on roles Page 27

53. Training Controls Provide awareness, guidance and training on: Privacy Act requirements and restrictions Specific social media threats before granting access to social media sites Possible negative outcomes of information leakage, social media misuse and password reuse Possible impact on security clearance Page 28

54. Training Controls – NIST Guidance AT-2 Security Awareness: Add social media usage related awareness training AT-3 Security Training: Create specific role-based training for those with social media responsibility AT-5 Contacts with Security Groups and Associations: Establish contacts with security groups addressing web application and social media security Page 29

55. Host Controls Require use of a hardened Common Operating Environment (COE): Federal Desktop Core Configuration (FDCC) Security Content Automation Protocol (SCAP) Encourage use of strong authentication for greater assurance of a user’s identity: Two-factor authentication (e.g., HSPD-12 & PIN) Page 30

56. Host Controls Ensure strong change management, patch management, configuration management: Includes applications and Operating Systems Enforces strong logging Reports to SOC Desktop virtualization technologies: Allows safer viewing of potentially malicious websites Virtual sandbox protects base operating system Page 31

57. Host Controls Browser versioning: Ensure use latest browsers which include additional security measures Encourage use of signed code or white listing: Provides higher level of assurance software comes from approved vendor or is approved software Page 32

58. Host Controls – NIST Guidance Audit and Accountability (AU) Family of controls, as applicable AC-1 Access Control Policy and Procedures AC-7 System Use Notification CM-1 Configuration Management Policy and Procedures CM-2 Baseline Configuration CM-6 Configuration Settings CM-7 Least Functionality Page 33

60. Network Controls Federal Trusted Internet Connection (TIC) program protections: Reduced number of internet connections Einstein traffic inspection Security Operations Center (SOC) and Network Operations Center (NOC): Visibility and centralized control for incident response and risk reduction These should all be provided to you as “infrastructure” Page 35

61. Network Controls Web content filtering: Beyond Einstein protections Granular control of web applications, data and protocols Trust Zones dependent on security assurance requirements DNSSEC to better ensure website name resolution integrity Page 36

62. Network Controls Focus on data-centric protection URL Shortening: http://go.usa.gov/ Page 37

63. Network Controls – NIST Guidance SC-1 System and Communications Protection Policy and Procedures SC-7 Boundary Protection SC-13 Use of Cryptography SC-14 Public Access Protections SC-15 Collaborative Computing Devices SC-20 Secure Name /Address Resolution Service (Authoritative Source) Page 38

64. Questions, Comments, or War Stories? http://www.potomacforum.org/ Michael Smith: rybolov(a)ryzhe.ath.cx http://www.guerilla-ciso.com/ Dan Philpott: danphilpott(a)gmail.com http://www.fismapedia.org/ 39