Social Media Risk Assessment. The Unique Alternative to the Big Four

Similar documents
Goodbye, SAS 70! Hello, SSAE 16!

Raj Chaudhary, PE, CGEIT Partner, Crowe Horwath LLP. Chris Reffkin, CISSP Manager, Crowe Horwath LLP

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Effective Model Risk Management for Financial Institutions: The Six Critical Components

New PCI Standards Enhance Security of Cardholder Data

Effective AML Model Risk Management for Financial Institutions: The Six Critical Components

Are your assets tax efficient?

Leveraging Your ERP System to Enhance Internal Controls

Insurance Industry Expertise

Consolidating Back-Office Operations for Multilocation Dealer Groups: Lessons Learned From Those Who Have Succeeded

ICT Student Usage Policy

Internal Audit Leads the Way to Performance Improvement

ICD-10: Ready or Not?

A New Decade, a New Internal Audit Model

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

Data Governance for Financial Institutions

Presentation Title Presentation Subtitle. The Unique Alternative to the Big Four

Third-Party Risk Management for Life Sciences Companies

Crowe Healthcare Webinar Series

Risk Assessment Standards Toolkit. Practical Guidance in Implementing SFAS

Information Technology

Having Trouble Explaining and Predicting Net Revenue?

Risk Management of Outsourced Technology Services. November 28, 2000

Enterprise Risk Management:

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

FRESNO COUNTY EMPLOYEES' RETIREMENT ASSOCIATION INTERNET AND USAGE POLICY

Crowe Automotive Accelerator for Microsoft Dynamics AX

What s Next for Stress Testing: Expect Surprises, Less Heroic Effort

Penetration Testing Getting the Most out of Your Assessment. Chris Wilkinson Crowe Horwath LLP September 22, 2010

Acceptable Use Policy

The City reserves the right to inspect any and all files stored in private areas of the network in order to assure compliance.

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy

Best Practices in Incident Response. SF ISACA April 1 st Kieran Norton, Senior Manager Deloitte & Touch LLP

TERMS & CONDITIONS FOR INTERNET ACCESS. Service Provided by Fast Telecommunication Company W.L.L. (hereinafter referred to as FAST Telco )

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Moving Forward with IT Governance and COBIT

North Clackamas School District 12

Cybersecurity Workshop

Ed McMurray, CISA, CISSP, CTGA CoNetrix

ITU Computer Network, Internet Access & policy ( Network Access Policy )

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Penetration Testing. ISACA - Atlanta

Website TERMS OF USE AND CONDITIONS

Dedicated Server Service Agreement

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law.

TERMS OF USE. Last Updated: October 8, 2015

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

AXIS12 DRUPAL IN A BOX ON THE CLOUD

Executive Management of Information Security

Board of Directors and Management Oversight

INTERNET ACCEPTABLE USE POLICY

Covered California. Terms and Conditions of Use

Acceptable Use Policy

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

TERMS OF SERVICE TELEPORT REQUEST RECEIVERS

ACOT WEBSITE PRIVACY POLICY

Defending Against Data Beaches: Internal Controls for Cybersecurity

Managing Cyber Risk through Insurance

COMPUTER NETWORK AGREEMENT FORM

This agreement applies to all users of Historica Canada websites and other social media tools ( social media tools or social media channels ).

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Click to edit Master title style

EASTLINK PERSONAL CLOUD TERMS OF SERVICE

Smartphone Hacks and Attacks: A Demonstration of Current Threats to Mobile Devices

Draft Internal Audit Report Software Licensing Audit. December 2009

Computer Network & Internet Acceptable Usage Policy. Version 2.0

Terms and Conditions. 1. Legal Drinking Age notice

Security Practices for Online Collaboration and Social Media

Network Security Policy

You must not: (a) Copy and republish material from this website (including republication on another website);

THE DALLAS IIA SOCIAL MEDIA POLICY

We have opted to implement a modified Bring Your Own Device (BYOD) program at the high school level.

How To Use The Blog Safely And Responsibly

Transcription:

Social Media Risk Assessment The Unique Alternative to the Big Four

Overview of Social Media Agenda Why Use Social Media? Recent Guidance Executing a Social Media Risk Assessment 2013 Crowe Horwath LLP 2

Social Media Revolution 2013 Is social media a fad? 2013 Crowe Horwath LLP 3

What is Social Media? Social media technology involves the creating and dissemination of content through social networks using the Internet. - An ISACA Emerging Technology White Paper According to the recent draft FFIEC guidance, social media is a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. 2013 Crowe Horwath LLP 4

Platforms of Social Media 2013 Crowe Horwath LLP 5

The Biggest Social Media Networks Source http://www.crowehorwath.com/socialmedia 2013 Crowe Horwath LLP 6

Why Use Social Media? 2013 Crowe Horwath LLP 7

2013 Crowe Horwath LLP 8

FFIEC Guidance In January 2013, the Federal Financial Institutions Examination Council (FFIEC) proposed social media guidance to help financial institutions identify potential risk areas to appropriately address, as well as to ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program. Key Points of the Guidance Risks related to social media should be assessed and managed by the institution A risk management program should be in place and include the following A corporate governance structure Policies and procedures around social media usage Social media training Due diligences process for selecting and managing relationships with third-party providers of social media services Oversight and monitoring process Audit and compliance functions A program to confirm the effectiveness of the social media program While the FFIEC guidance relates specifically to financial institutions, all organizations should be considering the risks involved with social media. 2013 Crowe Horwath LLP 9

Social Media Risk Assessment (SMRA) What s involved? A review of the various risks of social media within an organization regardless of whether an organization is actively participating in social media. Input from various department heads and upper management to understand focus and desired direction of social media. Assessment of the impact and likelihood of risk affecting your organization Understanding of the current controls in place to mitigate the risk Why assess social media risk? Widespread use among employees Concerns about a corporate social media presence The unknown information publically available about their organization To mitigate additional business risks 2013 Crowe Horwath LLP 10

Risk Assessment Methodology In order to assess an organization and how it uses social networks, a structured methodology should be utilized to understand how risks are related specifically to that organization. A typical methodology should include the following: Understand Assess Identify Improve 2013 Crowe Horwath LLP 11

Understand It is important to gauge an institution s understanding of social media and its risks. The assessment should begin by surveying the organization s employees. How do employees use social media for business purposes? How do employees use social media for personal purposes? What are employees understandings of social media risk? 2013 Crowe Horwath LLP 12

Interview Further interviews with management and key employees who have involvement with risk management will help determine the organization s risk and control landscape related to social media. Departments that should be taken into account during the interview process may include the following: Human Resources Legal Audit Compliance IT Marketing Others?? 2013 Crowe Horwath LLP 13

Assess Severity of risk should be evaluated based on likelihood and impact of the individual risk. Once information has been gathered, controls should be assessed to understand how they impact the risks of social media. Then consider residual risk with current controls in place What is the direction of risk? Will this affect you more or less in the future? 2013 Crowe Horwath LLP 14

Identify Gaps identified between the current control environment and desired environment can be used to initiate discussions around areas that need improvement. 2013 Crowe Horwath LLP 15

Improve Solutions should be developed to strategically address the gaps in the current social media strategy and reduce overall risk. Based on risk rating, where should you focus your efforts first? What can wait? 2013 Crowe Horwath LLP 16

Types of Business Risks Reputational Risks Financial Risks Information Security & Privacy Risks Legal & Employment Risks Operational Risks 2013 Crowe Horwath LLP 17

Reputational Risks Sample Discussion Points An employee/vendor/external party posts negative content about your organization online. Officially published content misrepresents the organization in some way or misaligns with marketing objectives. Examples Domino s Pizza Google 2013 Crowe Horwath LLP 18

Financial Risks Sample Discussion Points An employee posts financial data to a social media site before being released to the public. Marketing and business development opportunities are missed because of the failure to exploit the social media channel. Examples Netflix Francesca s 2013 Crowe Horwath LLP 19

Information Security & Privacy Risks Sample Discussion Points Employees overshare information making social engineering attempts more successful An employee infects their organization owned PC (desktop or laptop) with a virus, Trojan, or worm from a social media site Your organization s social media account passwords are not changed regularly, leading to a potential hacked account Examples Burger Kings Jeep 2013 Crowe Horwath LLP 20

Legal and Employment Sample Discussion Points An inquiry on a social media site that is used in a hiring decision results in a non-hire and a subsequent claim for discrimination. A termination based in part on evidence from a social media site is mishandled resulting in a wrongful termination suit. 2013 Crowe Horwath LLP 21

Operational Sample Discussion Points A person of authority posts content that is deemed to be hostile, discriminatory or offensive that is viewed by employees Employee use of social media negatively impacts productivity 2013 Crowe Horwath LLP 22

2013 Crowe Horwath LLP 23

Questions 2013 Crowe Horwath LLP 24

Thank You! For more information, contact: Erika Del Giudice Direct 630.575.4366 Erika.delgiudice@crowehorwath.com Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. 2013 Crowe Horwath LLP 2013 Crowe Horwath LLP 25