Your Risk Management Magazine
The social network: how to set an IT policy that keeps the risks at bay – part two


As part one of this article explained, various company departments need to play their part in setting and policing a social media acceptable use policy (AUP). Part two explores what an AUP should say, and how to use technology as a means of compliance.

What should an AUP say?
 

In general the AUP should be designed to accomplish two important objectives:

  1. To maintain employees’ high productivity levels
  2. To keep a company’s computer system safe from hackers and malware

This means it must outline the types of websites a user may or may not visit. For example, an AUP may ban social media sites such as Facebook or stipulate that they be used only during breaks. A well-drafted AUP should, therefore, focus on educating employees about protecting business assets and explain why the security measures that enforce the policy are in place. The aim of the AUP should be to gain employee cooperation, rather than create resistance, by helping employees understand the reasoning and logic behind the policy.

Technology as a means of compliance

Technology will make monitoring of the AUP much easier. The security software used in most IT departments should be able to block users from visiting websites deemed unacceptable. The usual suspects (pornography, gaming and social media sites) are commonly excluded from most corporate networks. In some instances, however, it's not practical to completely block a site.

Facebook, for example, may need to be accessible to the marketing department to update the corporate page or for customer service to manage complaints or requests. However, it is not a tool to be used widely by all employees. The alternative in this case is for IT to utilise technology that goes beyond a simple ‘block or allow’ capability and allows for granular access by groups, departments or specific individuals. The solution should also provide advanced reporting on employee use of the company network, with the ability to drill down into details such as use by website category (e.g. Social Media or P2P), or by user group or department.

Armed with this information, it becomes a relatively simple matter for HR to identify people who are making excessive use of particular social sites, or who are responsible for major surges in bandwidth use, and it is HR's role to then determine whether the actions constitute acceptable use.

Security software will also provide analyses of instant messaging and email. Along with audit trails of web activity, these capabilities can help companies prove that they are in compliance with regulations such as data privacy and stock market blackout periods. They can help to pinpoint whether insider trading or even unintentional leakage of sensitive data is occurring. In short, these tools provide the information that makes an AUP enforceable.

It's undeniable that social media has brought a new era of opportunity and cooperation for businesses, but it has also brought its fair share of challenges. Many companies have yet to fully appreciate the security and compliance issues related to unfettered employee social media access.

Security software may help with some aspects, but it is not a panacea. Creating an AUP with input from all stakeholders is critical because it will help to ensure a practical, enforceable and beneficial policy that is aligned to business objectives. As in so many other areas of business, collaboration between departments is vital in obtaining all the information necessary to generate the positive response that is desired.

The writer of this article is Scott Robertson, Vice President, Asia Pacific, WatchGuard Technologies


© 2012 Key Media Pty Ltd.