Like millions of people and organizations, agencies increasingly use Internet technologies so their employees and groups can create, organize, share and comment on online content. The use of these social media services — including popular sites such as Facebook, Twitter and YouTube — has been endorsed by President Obama because they provide opportunities for agencies to more readily share information with and solicit feedback from the public.
Yet use of these services also poses challenges, such as how best to identify and manage records, protect personal information and ensure the security of federal information and systems.
So what can agencies do to guarantee that they sufficiently address these challenges? For starters, agencies should take the following four actions:
1. Ensure that policies spell out clear records management guidance.
Establishing such guidance can provide a basis for consistently and appropriately categorizing and preserving social content as federal records. Failure to do so may lead officials responsible for creating and administering content on agency social media sites to make inappropriate determinations about what to preserve.
2. Update privacy policies to address use of personally identifiable information.
These services often encourage people to provide extensive personal information that may be accessible to other users. Agency privacy policies should inform the public whether the agency uses, for any purpose, personal information available through third-party websites.
3. Conduct a privacy impact assessment (PIA).
Agencies must proactively protect individual privacy whenever they use third-party websites and applications to engage the public. Assessing privacy risks is an important element of conducting a PIA because it helps agency officials determine appropriate protection policies and techniques to implement those policies.
These assessments can be especially helpful in connection with the use of social media because of the high likelihood that personally identifiable information will be made available to the agency.
4. Conduct a security risk assessment and implement risk-mitigating controls.
Agencies face several security threats, such as spear phishing, social engineering and web application attacks, when using social media. Identifying these threats and implementing security controls to mitigate risks are essential to sufficiently safeguard systems and data from attack.
The Government Accountability Office recently issued a report, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, that reveals that agencies have made mixed progress in implementing these four actions.
For example, of the 23 major agencies reviewed that used social media services, 12 had developed records management guidance and updated privacy policies to reflect issues associated with social media use. Less encouraging, only eight agencies had conducted PIAs, and only seven had assessed and documented security risks and identified mitigating controls.
GAO has recommended that 21 of the 23 agencies in our review improve their policies and procedures for managing and protecting information associated with social media use.
The use of social media offers new ways for agencies to enhance services and interact with the public. But social tools also present unique challenges and risks; without establishing guidance and assessing the risks, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats.
Establishing appropriate policies and procedures will help agencies reap the benefits of using social media while effectively managing the risks.