Tag Archives: social media

Social Media guidance from FFIEC and governed agencies... up for comments!

The FFIEC released today (January 22, 2013) the “Social Media: Consumer Compliance Risk Management Guidance”, which is available online here. The release is seeking comments and is a great opportunity to see where enforcement agencies are leaning: what concerns they are seeing on a macro scale, and their intended path to mitigating these unique areas.

“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.

According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference

Considering the velocity of the risks in this area and the lag in legislation, it is fair to say that even those OUTSIDE the purview of the FFIEC should strongly consider these as inputs to their compliance and security programs.

“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:

  1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”

Participate in the comment process for this guidance here.

The guidance itself is again available here. (pdf)

Best,

James DeLuccia

*See me speak at the RSA 2013 Conference – Passwords are Dead (I’ll also be posting research elements on this site for the community’s input)

Sensitive Data leaked onto P2P networks… how to safeguard assets?

An article was highlighted in a LinkedIn Group (that spawned a discussion) published by SC Magazine entitled, “First lady’s safe house location leaked on P2P”. The article breaks down the concern that lawmakers and regulators have with P2P networks due to the recent release of sensitive data.
You can find the article here, and the U.S. Committee on Oversight and Reform transcriptions & webcast here. The chairman’s (short) closing remarks on “predator-to-prey” networks are here.

I strongly advise reading through these to understand the current risks and perception of risks that exist.
The article is a good overview of a problem, but I would contend that the attack / threat / vector is not as described by the testimony or highlighted in this article. They state the problem is the P2P technology that led to the disclosure of the sensitive data. That is similar to blaming the highway for causing an accident. Professionals within the business of protecting assets and managing operations must have safeguards for the data that transcend the risks of the technology.
Safeguarding data begins with a few simple efforts (a good initial start…):

  1. Identify what is worth protecting (this definition allows for PII, PHI, Top Secret, Competitive importance)
  2. Determine the flows of data (i.e., the rabbit holes… follow the data from origination to retirement)
  3. Introduce process efficiencies (i.e., reduce the rabbit hole dead ends; add automation where possible; simplify the process to reduce the final assets requiring protection)
  4. Develop and define the necessary safeguards to protect these assets
  5. Compare existing controls (for the remaining rabbit holes or “business processes”) and eliminate duplication
  6. Finally define performance metrics of these controls, a timetable, and deploy

It is dangerous (and unfortunate that the committee seems to be hunting for a culprit that can be regulated) to assume that P2P is the simple problem, when in fact the problem is the current state of security within the Nation’s critical infrastructure, and this is as much an internal people problem as an internal technology compliance problem. I do agree with the elimination of software that is known to be at risk of attack, but in the client-browser attack world we live in today that would include things such as Internet Explorer! Removing access to Torrents and other P2P networks only stifles innovation and increases costs. A more risk-aware and intelligent method needs to be devised that allows the government to gain access to valuable resources without placing sensitive information at risk.

I look forward to anyone’s take and experience on solving this challenge,

Kind Regards,

James DeLuccia IV

See me speak at RSA 2009 Europe on a new framework for addressing social, smartphones, netbooks, and their risks

Order my book online at Amazon where I elaborate on how to develop an Enterprise Risk Management Program, based upon NIST and years of client engagements.