Post on 13-Mar-2018
W. Noel Haskins-Hafer
CISA, CISM, CGEIT, CRISC, CRMA, CFE, SCPM
Compliance Program Manager
Intuit Consumer Ecosystems Group
IIA Orange County / ISACA Orange County Spring Educational Conference
13 March, 2014
Disclaimer
Unless otherwise specified, the views expressed in this presentation are my own, and not those of any other individual or individuals connected with my current or former employers.
All names, logos, and other outside material attributed to other sources remain the property of their respective copyright owners and are used here in accordance with the Fair Use doctrine.
Agenda
• Social Media Defined
• Risks and Opportunities in Social Media
• Components of a Social Media Program
• Social Media Audit Best Practices
• The Imperative To Audit Social Media
Assumptions
• Basic knowledge of tools and concepts of social media
• Understanding of auditing techniques and practices
• Recognition that no two audit programs are exactly alike
Social Media Defined
The use of web-based and mobile technology to enable interactive communication between, across and about people, organizations and communities
Social media is about sociology and psychology more than technology
– Brian Solis, Principal of FutureWorks and author of Engage!
Social Media Expectations
• Dialog
• Active contribution
• Viral distribution of content
• Customization of technologies and interfaces to suit the users
Social media is social because it works best when you are having a conversation
The Social Shift
Yesterday:
• Institutions, platforms, technology set the rules
• Structured
• Siloed
• One size fits all
• Passive audience
• Unilateral
Today:
• Users, communities and experiences rule
• Constantly changing
• Flexible
• Collaborative
• Engaged users
• Multilateral
Social Media is a fundamental shift in the way we communicate
Adapted from Managing Social Media Risk (IIA-SF presentation, March 2012)
Social Media Uses and Benefits
Brand / Sales / Service / Innovation / Recruit
• Build and maintain reputation
• Find and communicate with customers
• Increase customer loyalty
• Develop, market and promote products and services
• Increase productivity, creativity and innovation
• Recruit new employees and suppliers
• Build the team regardless of location
• Share knowledge
• Find funding
…Essentially, to improve processes and results
Adapted from Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)
The Social Media Program Challenge
How to be sensible and prudent in managing the risks
– Lewis Segall, Sr. Corporate Counsel, Google
Shop Talk: Compliance Risks in New Data Technologies (Compliance Week, July 7, 2010)
Social Media Program Risks
• Average company polled experienced
  – 9 social media incidents in 12 months prior to the poll
  – 94% suffered negative consequences
  – Per company recovery costs were $4 million annually
• Top Risks
  – Employees sharing too much information in public forums (46%)
  – Loss or exposure of confidential or proprietary information (41%)
  – Embarrassment or damage to brand or reputation (40%)
  – Increased exposure to litigation (37%)
  – Malware (37%)
  – Violation of regulatory rules (36%)
Symantec Social Media Protection 2011 Flash Poll
www.slideshare.net/symantec/symantec-2011-social-media-protection-flash-poll-global-results
Cost of SM Incidents
• Reduced stock price - $1,038,401
• Litigation costs - $650,361
• Direct financial cost - $641,993
• Damaged brand / trust - $638,496
• Lost Revenue - $619,360
Symantec Social Media Protection 2011 Flash Poll
www.slideshare.net/symantec/symantec-2011-social-media-protection-flash-poll-global-results
You Make The News For…
• Not doing due diligence before launching social media campaigns
• Not creating and communicating social media policies
• Not managing social media as a core program
• Not monitoring the social media space appropriately
• Not building relationships instead of growing sales
• Not training employees on social media awareness
• Not complying with relevant laws and regulations
• And sometimes, for doing something right
Audit Objective
To provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies, program and processes
Adapted from Social Media Audit/Assurance Program (ISACA 2011)
Key Areas to Audit
• Strategy
• Governance and compliance
• Processes, including
  – Internal and external policies and program execution
  – Metrics and monitoring
  – Third party relationship management
• People
  – Training and awareness
  – Recruiting and work force management
Key Areas to Audit, continued
• Technology
  – Information systems operations
  – Network management
  – Third party management
  – Information security and privacy
Let’s Get Started!
Planning the Audit
• Understand the business and culture
• Determine the objectives, scope, model and placement of the social media program
• Identify key players, roles and responsibilities
• Inventory the social media projects
• Categorize and prioritize social media channels used
• Map out key interactions between departments and third parties
• Understand compliance requirements, including archiving
What should we look for?
SM Strategy Best Practices
• Is led by an executive champion
• Provides direction for all stakeholders
• Defines social media program model
• Aligns with business objectives
• Aligns with organization’s other strategies
• Identifies metrics to measure effectiveness
• Is pervasive and integrated throughout the business
• Defines target audiences and channels
• Is adequately funded and staffed
SM Governance Audit Best Practices
• Defines appropriate policies for social media
• Establishes social media program oversight responsibility
  – Board-level awareness
  – Qualified program champion
  – Effective oversight for all social media use
  – Program monitoring and reporting
• Balances risks and opportunities
• Includes effective oversight for social media use
  – Management awareness and monitoring
  – Responses to social media events
SM Compliance Best Practices
• Identifies all relevant laws and regulations
  – Local and global
  – PCI and other relevant standards
• Recognizes how social media increases compliance efforts
• Extends compliance, supervision and surveillance practices to interactive content
• Monitors social media use for violations
• Monitors compliance environment for potential changes related to social media
• Includes guidance for collecting and archiving social media content and activities (e-discovery)
SM Policy Best Practices
• Aligns with business objectives, culture and core values
• Defines platforms, formats and tools used to support social media
  – Stakeholders
  – Social media initiatives, including crisis communication
• Outlines monitoring practices for social media conversations
  – Information collected
  – Competition monitoring
  – Reputational risk monitoring
• Defines management reporting
• Covers both internal and external constituencies
• Is vetted by key players throughout the organization
Internal Social Media Policy
• Defines what workers and 3rd parties may and may not do, both professionally and personally
• Establishes workers’ expectation of privacy
• Discloses what the organization will do
  – Monitor, curate, investigate, discipline, terminate
• Location expectations
External Social Media Policy
• Discloses organization’s sites and account names used
• Defines acceptable use and content on organization’s online sites
• Discloses what the organization will do
  – Monitor, curate, investigate, litigate
  – Account and content banning
• Defines SLAs
  – Hours
  – Response time
  – Error correction
Overlapping Policies
• These should incorporate social media
  – IT compliance policies and controls
  – Employee conduct
  – Harassment
  – Ethics
  – Confidentiality and IP
  – Third Party policies and agreements
SM Policy Team
• Executive champion
• Marketing
• Public Relations
• Human Resources
• Information Technology and Security
• Product Development
• Customer Service
• Legal
• Risk Management
SM Metrics Best Practices
• Provide insights into success and failure of social media activities
• Align with business objectives
• Are consistent across business units
• Are defined for each social media initiative
• Are both qualitative and quantitative measures
• Support regulatory compliance requirements
• Are shared with business units and social media champion
Social is measured in Relationship Building – Not in Units Sold
Intuit HR Social Media Metrics
From “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US March 30, 2012)
SM Monitoring Best Practices
• Encompasses active listening, monitoring and responding
• Includes processes and tools for monitoring communications
  – Keywords, topics and issues
  – Trend analysis and comparison
  – Competitive intelligence
• Gives customers an opportunity to provide insight and feedback
• Uses those comments to improve products, services and processes
• Matches customers’ preferred communication methods and styles
• Provides guidance for responding to issues
  – Social Media Triage Chart
SM Third Party Management Best Practices
• Recognizes all relevant content may not be in control of the social media program
• Includes cross-functional review of contracts for social media relevance
• Provides guidance on how contracts and agreements affect organization’s operations, risk and compliance positions
• Includes risk assessments for third parties
• Addresses organization’s requirements for records retention
What are SM users doing?
• 64% click on links even if they don’t know where the links will take them
• >50% let friends access social networks on their computers
• 47% have been infected by malware
• 26% share files within the social network
• 21% accept contact offerings from strangers
• 20% have experienced identity theft
SM Training Best Practices
• Required at least annually
• Offered enterprise-wide
• Incorporates awareness campaigns
• Includes additional training for core social media team
• Covers:
  – Social media roles, responsibilities and expectations
  – Especially for crisis communications
  – Level of representation for the company
  – Relevant policies and best practices
  – Social media rules of the road
  – Social engineering, security, privacy and data protection
  – Guidance for triaging and responding
    – Not every post needs an instantaneous response
    – Make sure legal and compliance processes are streamlined for SM
SM Technical Best Practices
• Monitors for
  – Malware and viruses
  – Data leakage/theft
  – Owned systems (zombies)
  – System downtime
  – Recovery resources
  – Brand hijacking
  – Customer backlash/adverse legal reaction
  – Data exposure
  – Reputation
  – Targeted phishing
More SM Technical Best Practices
• Documents how customer interactions are integrated with existing systems and databases
• Clearly defines interfaces with customer and third party systems
• Includes alerting tools for key topics, comments, commentators and sentiment of activity
Use the Best Practices to guide audit inquiry and testing
Overwhelmed?
• You can do this
• Standard audit concepts still rule
• Focus on balancing opportunities and risks
• Remember the social media uses and benefits
• Use Best Practices as template for audit inquiry and testing
• COSO still matters
• The same laws apply
• You will make a difference
References and Recommended Readings
• Peter Scott and J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)
• Social Media and the Talent Landscape: What HR Needs to Know about Social Media (Manpower US, March 30, 2012)
• Social Media Governance: An Ounce of Prevention (Gartner, December 17, 2010)
• Social Networking And Reputational Risk In The Workplace (Deloitte LLP, July 2009)
• Advocacy Drives Growth (London School of Economics, 2005)
• theultimatequestion.com (Bain & Company, 2006)
• Eric Qualman, Social Media Revolution 4 (http://www.youtube.com/watch?v=0eUeL3n7fDs)
• Social Media Starter Kit (manpowerblogs.com/toth)
• Compliance in the Age of Social Media (Compliance Week, November 2011)
• Social Media Audit/Assurance Program (ISACA, 2011)
• Social Media: Business Benefits and Security, Governance and Assurance Perspectives (ISACA, 2010)
Resources, continued
• Social Media Triage Chart (http://www.socialfish.org/2010/11/social-media-response-triage.html)
• Managing Risk in a Social Media-Driven Society (Protiviti, 2011)
• Brian Solis & JESS3, The Conversation Prism (www.theconversationprism.com)
• Blog Assessment, Dell
• http://www.slideshare.net/hawk9698/social-media-comment-response-protocol
• http://www.slideshare.net/Dell/dell-outreach-in-the-blogosphere
• Social Media Risks and Mitigations (BITS The Financial Services Roundtable, June 2011)
• Managing Social Media Risk (IIA-San Francisco presentation, March 2012)
• http://www.mindflash.com/blog/2012/03/infographic-how-to-train-your-employees-to-handle-your-social-media/?view=mindflashgraphic
• http://socialmediavoice.com/2012/01/10-social-media-law-governance.html
Social Media Policy Guidelines
• Tie to vision + code of conduct/ethics + handbook
• Set clear and reasonable expectations
• Define social media broadly
• Protect trade secrets
• Clarify who owns what
• Ban disparagement / harassment
• Respect copyrights
• Include NLRA disclaimer
• Impose duty to report violations
• Include consequences
• Enforce “up to and including discharge”
Social Communications Policy Framework
• Who may participate in organization’s Social Media program
• When and why to participate
• Guiding Principles
  – Disclose affiliations
  – Clearly state when you’re talking for the company or yourself
  – Pay attention to tone of voice
  – Be aware of language usage and interpretation
  – Comply with Code of Conduct
  – Be accurate and honest
    – Awareness of potential to be held responsible for unsubstantiated or misleading claims and endorsements
    – Could include “liking” and “friending”
  – Don’t disclose personal or confidential information
  – Think before posting
• Instructions for dealing with media, bloggers, and other outsiders
Electronic Communications Policy Content
• Population covered by policy
• Equipment covered
  – Devices
  – Networks
• Guardrails for electronic communications
  – Professional, courteous, law-abiding
  – Protect confidential information
  – Expectation of privacy
  – Appropriate use of media and devices
• What organization may do
  – Monitor, block, modify, delete
  – When and under what circumstances
  – Filtering
• Protection of confidential information and trade secrets
  – Define confidential information
  – Check distribution lists for need to know
  – Be aware of international laws
  – Attorney Client Privilege considerations
  – Tie in with Code of Conduct, Non-Disclosure Agreement, Intellectual Property Agreements
• Consequences of non-compliance
• Responsibilities & Points of contact for additional information and guidance
Social Media Content Best Practices
• Add value
• Conversational style
• Honesty and respect
• Transparency and disclosure
• Confidentiality / PII
• Ownership and property registration
• Endorsements and recommendations
• Boundaries of personal and professional use
• What you can and can’t disclose
Organizational Models
• Organic
  – Growth from several sources in the organization
  – Inconsistent user experience (reputational risk)
• Centralized
  – Social media managed from one department
  – Good for highly regulated industries
  – Risk: Social media becomes just another distribution point
• Coordinated
  – Multiple sources coordinated through a committee
  – Risk: information hoarding rather than enabler
• Hub and Spoke
  – Autonomous groups with guidelines for common experience
  – Good for organizations spanning cultures, languages and governments
  – Risk: costly, requires excellent intra-organizational communications
• Honeycomb
  – Requires organization to embrace social media as core to business
  – Everyone actively participates in social media
  – Risk: cultural commitment and extensive training and support
From Peter R. Scott & J. Mike Jacka, Auditing Social Media: A Governance and Risk Guide (Institute of Internal Auditors Research Foundation, 2011)
Brand Awareness & Advocacy - Use
• Stakeholder education
• Community development
• Subject matter expertise
• Product sampling and reviews
• Advocacy development
• Promotions and contests
• Crisis communications
• Reputation management
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Brand Metrics
• Stakeholder Engagement
• Advocate Engagement
• Share of Voice
• Sentiment
• Fans & Follower Count
  – Common, but does not fully measure engagement
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Sales - Use
• Channel-only specials
• Lead generation
• E-commerce / F-commerce
• Profile updates
• Mobile promotions
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Sales - Metrics
• Leads generated
• Revenue from social media activities
• Customer Lifetime Value
• New customer acquisition
• Customer purchase patterns
• Repeat business
• Product patterns
• Average purchase amount
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Customer Service - Use
• Customer problem resolution
• Chat
• Community or P2P service
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Customer Service - Metrics
• Issue submission percentage
• Issue resolution rate
• Issue resolution time
• Financial Impact
• Customer satisfaction rate
• Advocate engagement rate and sentiment
• Peer-to-Peer interaction and voice
Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Innovation - Use
• Idea sourcing
• Competitive Intelligence
• Feedback
• Co-creation
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Innovation - Metrics
• Issues reported
• Number of conversations
• Ideas submitted
• Idea and Issue Impact
• Financial impact
Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Recruitment - Use
• Employee empowerment
• Organizational culture
• Organizational insights
• Candidate identification and nurturing
• Employee alumni
Adapted from Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Recruitment - Metrics
• Potential candidate engagement
• New hire rate
• Social Media-sourced employee retention rate
• Financial impact of recruiting through social media
• Employee sentiment
• Employee reach, influence and impact
Evaluating Your Organization’s Social Media Efforts (IIA Webinar series, October 2011)
Social Media Governance
• Strategy
  – Review the social media strategy, program goals, and organization model.
  – Assess if these have been formalized and communicated to all relevant teams.
  – Evaluate alignment of the strategy with company goals.
• Policy
  – Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included.
  – Identify gaps and test awareness of the policy.
• Roadmap
  – Assess the adequacy of the social media roadmap, including if it is global / localized and whether short-term and long-term program milestones have been defined.
• Team Structure
  – Assess if roles of key owners and stakeholders in the social media program are defined and clearly communicated (e.g. executive sponsorship, communications / PR, employees, Legal, IT, Support, R&D, Product, etc).
Managing Social Media Risk (IIA-SF presentation, March 2012)
Preparedness and Response
• Customer Profiles and Market Analyses:
  – Review customer profiles and market analyses
  – Evaluate whether all products are covered and the appropriate target customers have been identified, including the desired relationship and engagement model.
• Tools and Analytics:
  – Understand how customer interactions via social media are integrated with internal infrastructure (databases, systems, processes)
  – Assess process and tools for identifying key topics, comments, commentators, and sentiment from website activity.
  – Evaluate KPIs and metrics against best practices and alignment of metrics with the social media strategy.
• Processes:
  – Test the policies and procedures to verify messaging is consistent with the social media strategy / plan.
  – Review and test policies, processes and procedures used for triage, crisis response, intake and response to customer insights.
  – Understand how customer insights are monitored, tracked, and shared with relevant teams (product marketing, R&D, Support, etc) for action.
Managing Social Media Risk (IIA-SF presentation, March 2012)
Training and Education
• Education
  – Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team
  – Understand how social media best practices are shared cross-functionally with other functions in the organization, such as recruiting, sales, product, etc.
Compliance
• Monitoring and Compliance
  – Understand whether compliance with the social media policy is monitored both internally and externally
  – Perform procedures to test compliance with the social media policy within selected social media tools
Managing Social Media Risk (IIA-SF presentation, March 2012)
Training Best Practice Examples
• Intel’s Digital IQ program
  – Beginning: Raise awareness of social media policy
  – Now: 60 online courses
  – 6,000 employees completed 2,000 courses
  – Rebecca Brown, Director of social media strategy, Intel
  – Monthly newsletter
    – Program updates
    – Best practices
    – Updates from Social Media Professionals
• Coca-Cola
  – Employees may participate freely after taking a certification program
• Best Buy
  – Twelpforce volunteers must be trained before becoming an agent
HR Laws in Social Media
• Discrimination
• National Labor Relations Act
• Fair Credit Reporting Act (FCRA)
• Genetic Information Nondiscrimination Act (GINA)
• Negligent hiring
• Off-duty conduct
• Arrest records
• Background check information
• Ultimate test: Is it job related?
Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US March 30, 2012)
HR Stay out of Court Basics
• Know the law
• Adopt and consistently enforce a reasonable policy
• Consider social media and employment agreements
  – Who owns terminated employees’ followers? (PhoneDog.com)
• Limit the number of searchers, managers, and 3rd Parties
• Maintain segregation of duties for search and hiring
• Train searchers and managers
  – Make sure they understand the value of maintaining good documentation
Adapted from “Social Media and the Talent Landscape: What HR Needs to Know about Social Media” (Manpower US March 30, 2012)
Suggested COBIT v4.1 Processes
PO1 – Define a strategic IT plan
PO2 – Define the information architecture
PO4 – Define the IT processes, organization and relationships
PO6 – Communicate management aims and directions
PO7 – Manage IT human resources
PO9 – Assess and manage IT risks
DS2 – Manage third party services
DS5 – Ensure systems security
DS8 – Manage service desk and incidents
DS7 – Educate and train users
ME3 – Ensure compliance with external requirements
ME4 – Provide IT governance
Derived from Social Media Audit/Assurance Program (ISACA 2011)