CIO Council offers cyber guidelines for Web 2.0
Friday - 9/18/2009, 2:46pm EDT
Agencies jumping into the Web 2.0 ocean should not build their cybersecurity strategy around the specific tools and technology, but rather reiterate and enforce existing policy requirements.
But departments also should press commercial social media providers for deeper insight into their security procedures, and should monitor the vendors' security and network operations.
These are among the Chief Information Officers Council's recommendations in a new report issued Thursday.
"This document recommends mitigating the social media risks through a series of guidelines and recommendations to assist federal departments and agencies in developing a strategy to securely enable the use of social media," the document states. "It must be made based on a strong business case, supported at the appropriate level for each department or agency, considering its mission space, threats, technical capabilities, and potential benefits. The goal of the IT organization should not be to say 'No' to social media Web sites and block them completely, but to say 'Yes, following security guidance,' with effective and appropriate information assurance security and privacy controls."
The council, which also is developing privacy guidance, broke down the recommendations into five areas:
- Policy controls
- Acquisition controls
- Training controls
- Network controls
- Host controls
"Policies should not be based on specific technology, as technology changes rapidly," the document states. "Rather, policies should be created to focus on user behavior, both personal and professional, and to address information confidentiality, integrity and availability when accessing data or distributing government information. Procedures should be created and updated frequently to address the rapid changes in specific technologies."
The document also describes the cyber threats that social media tools can expose agencies to, such as spear phishing and social engineering.
"In order to defend against rapidly evolving social media threats, departments and agencies should include a multi-layered approach in a risk management program, including risks to the individual, risks to the department or agency, and risks to the federal infrastructure," the document states.
The council recommends that agencies update their acceptable use policies to cover social media technologies, and that each CIO develop a Web 2.0 communications strategy.
Under acquisition, the council suggests agencies use two-factor authentication, including the Personal Identity Verification (PIV) card required under Homeland Security Presidential Directive 12, and designate a dedicated government server or instance within the commercial social media provider's network. Agencies also should encourage social media vendors to use code validation and code signing to improve the security of their Web sites, and should have a third party conduct a risk assessment of the vendor's systems or services.
The guidelines also promote the use of trust zones to segment and protect agency networks, and the use of desktop virtualization to isolate users from malicious Web sites.
On the Web:
- FederalNewsRadio - DOD's developing Web 2.0 policy - and collaborating around security
- FederalNewsRadio - GSA equips employees with Web 2.0 rules
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)