150 SOCIAL MEDIA RISK MANAGEMENT
a. Attack vector shall refer to the path or means by which an attacker can gain access to a computer system in order to deliver malicious code (e.g., viruses, worms, trojans).
b. Non-technical controls shall refer to management, administration, and operational controls employed that are manual and procedural in nature (e.g., security-related policies and procedures; operational procedures; personnel, physical, and environmental security controls; performance management and measurement).
c. Risk assessment shall refer to the process involving the identification and assessment of potential threats and vulnerabilities related to the use of social media and determination of the likelihood that the threat will occur as well as the corresponding impact to the business should the threat occur.
d. Social media shall refer to online communication channels dedicated to community-based content generation and sharing, interaction, and collaboration.
e. Social media platform shall refer to any form of interactive communication medium wherein users can generate and disseminate content (e.g., text, images, audio, video) through social networks using the internet. Examples of popular social media platform categories include the following:
(1) Social networking (e.g., Facebook, LinkedIn)
(2) Micro-blogging (e.g., Twitter, Tumblr)
(3) Blogging (e.g., WordPress, Blogger)
(4) Photo Sharing (e.g., Flickr, Instagram, Pinterest)
(5) Video Sharing (e.g., YouTube, Vimeo, Vine)
(6) Crowdsourcing (e.g., Ushahidi, Inc.)
f. Technical controls shall refer to the controls incorporated into the computer hardware, software, or firmware to aid in the effective implementation of policies and standards (e.g., access control, authentication, web scanner/crawler).
a. Clearly defined governance structure indicating the roles and responsibilities of the board of directors and senior management in setting the direction on the BSFI’s use of social media, including its alignment to the BSFI’s strategic goals/plans; establishing adequate standards, policies, procedures, and controls; and implementing ongoing risk assessment of social media-related activities.
b. Policies and procedures governing the following, among others:
(1) Scope and definition of social media;
(2) Social media regulatory landscape reflecting applicable laws, rules and regulations for compliance;
(3) Individuals and/or composition of the team/s who will be responsible for the creation, maintenance, and monitoring of the BSFI’s proprietary social media sites/pages. Their corresponding roles and accountabilities should also be clearly defined;
(4) Content management and approval process;
(5) Ongoing assessment, management, and monitoring of risks associated with social media-related activities;
(6) Acceptable use as well as prohibitions/restrictions on the business/official use of social media platforms. These guidelines shall likewise apply to the employees’ personal use of social media, insofar as it may impact the BSFI’s operations, reputation and/or compliance with applicable laws and regulations. These should cover matters such as, but not limited to, expectations, ethical behavior, types/nature and extent of BSFI and/or customer-related information that can be posted, statements that can or cannot be made about or on behalf of the institution, comments that should not be made about a competitor, and corresponding sanctions/penalties for inappropriate use of social media and committing non-permissible activities;
(7) Use and monitoring of the BSFI’s proprietary social media sites/pages to ensure compliance with applicable laws, regulations and internal policies;
(8) Monitoring and recording of suspicious transactions and customer activities on the BSFI’s proprietary social media sites/pages;
(9) Adoption of technical and non-technical controls to address risks associated with the use of social media platform/s including methodologies to manage risks from online postings, edits, replies and retention;
(10) Due diligence process for selecting, managing, and continuously monitoring third-party service providers (TSP) that administer the BSFI’s social media site(s)/page(s). In addition, the specific roles and responsibilities of the TSP, including liabilities and accountabilities for errors, omissions, fraud, and other instances resulting from the TSP’s actions which may adversely affect the BSFI, should also be defined;
(11) Social media crisis management plan and escalation procedures;
(12) Enterprise-wide employee training and awareness programs covering relevant topics such as the BSFI’s social media use policies, employee roles and responsibilities and non-permissible activities;
(13) Records retention of social media data; and
(14) Communication of the BSFI’s official social media sites/pages to its customers to avoid confusion and to prevent customers from being misled to unofficial sites.
c. Specific roles and responsibilities of the risk management, consumer protection, audit and compliance functions to ensure that social media risks are adequately managed and integrated in the BSFI’s enterprise-wide risk management systems.
(Circular No. 949 dated 15 March 2017)