					                 SAMPLE SOCIAL MEDIA RISK ASSESSMENT MATRIX - MARCH 2012
            THREAT                              VULNERABILITY                           EXISTING                       LIKELIHOOD            IMPACT            RISK
                                                                                       CONTROLS                            OF               SEVERITY          LEVEL
                                                                                                                      OCCURRENCE

DISCLOSURE OF CONFIDENTIAL            LACK OF EMPLOYEE                      1) INFORMATION SECURITY TRAINING                LOW                LOW             LOW
CUSTOMER INFORMATION                  UNDERSTANDING OF INFORMATION
                                      SECURITY RISKS TO CUSTOMER            2) SOCIAL MEDIA TRAINING
                                      INFORMATION
                                                                            3) INFORMATION SECURITY POLICY

                                                                            4) SOCIAL MEDIA POLICY

                                                                            5) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            6) ACCEPTABLE USE POLICY

                                                                            7) EMPLOYEE CODE OF CONDUCT

                                      ROGUE EMPLOYEE INTENTIONALLY          1) ADEQUATE EMPLOYEE HIRING /                   LOW                LOW             LOW
                                      RELEASES CONFIDENTIAL                    PRE-SCREENING PROCEDURES
                                      CUSTOMER INFORMATION THROUGH
                                      SOCIAL MEDIA PLATFORM                 2) INFORMATION SECURITY TRAINING

                                                                            3) SOCIAL MEDIA TRAINING

                                                                            4) INFORMATION SECURITY POLICY

                                                                            5) SOCIAL MEDIA POLICY

                                                                            6) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            7) ACCEPTABLE USE POLICY

                                                                            8) EMPLOYEE CODE OF CONDUCT




 Prepared by Jesse Torres (MrJesseTorres@gmail.com)    Visit the Social Media and Banking Blog at http://socialmediabanking.blogspot.com
 Download at http://www.JesseTorres.com/doc/socialmediariskassessment.doc

DISCLOSURE OF CONFIDENTIAL            LACK OF EMPLOYEE                      1) INFORMATION SECURITY TRAINING                LOW                LOW             LOW
COMPANY INFORMATION                   UNDERSTANDING OF INFORMATION
                                      SECURITY RISKS TO COMPANY             2) SOCIAL MEDIA TRAINING
                                      INFORMATION
                                                                            3) INFORMATION SECURITY POLICY

                                                                            4) SOCIAL MEDIA POLICY

                                                                            5) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            6) ACCEPTABLE USE POLICY

                                                                            7) EMPLOYEE CODE OF CONDUCT

                                      ROGUE EMPLOYEE INTENTIONALLY          1) ADEQUATE EMPLOYEE HIRING /                   LOW                LOW             LOW
                                      RELEASES CONFIDENTIAL COMPANY            PRE-SCREENING PROCEDURES
                                      INFORMATION THROUGH SOCIAL
                                      MEDIA PLATFORM                        2) INFORMATION SECURITY TRAINING

                                                                            3) SOCIAL MEDIA TRAINING

                                                                            4) INFORMATION SECURITY POLICY

                                                                            5) SOCIAL MEDIA POLICY

                                                                            6) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            7) ACCEPTABLE USE POLICY

                                                                            8) EMPLOYEE CODE OF CONDUCT





PUBLIC RELATIONS CHALLENGES           DISGRUNTLED CUSTOMER USES             1) SOCIAL MEDIA MONITORING                      LOW                LOW             LOW
                                      SOCIAL MEDIA TO DISPARAGE                PROGRAM
                                      COMPANY
                                                                            2) CRISIS RESPONSE POLICY AND
                                                                               PROCEDURES THAT INCLUDE A
                                                                               SOCIAL MEDIA COMPONENT

                                      DISGRUNTLED EMPLOYEE USES             1) SOCIAL MEDIA MONITORING                      LOW                LOW             LOW
                                      SOCIAL MEDIA TO DISPARAGE                PROGRAM
                                      COMPANY
                                                                            2) CRISIS RESPONSE POLICY AND
                                                                               PROCEDURES THAT INCLUDE A
                                                                               SOCIAL MEDIA COMPONENT

                                                                            3) ACCEPTABLE USE POLICY

                                                                            4) EMPLOYEE CODE OF CONDUCT

                                                                            5) SOCIAL MEDIA POLICY

                                      OTHER PUBLIC RELATIONS EVENT          1) SOCIAL MEDIA MONITORING                      LOW                LOW             LOW
                                      SUCH AS INAPPROPRIATE CONTENT            PROGRAM
                                      BY EMPLOYEES
                                                                            2) CRISIS RESPONSE POLICY AND
                                                                               PROCEDURES THAT INCLUDE A
                                                                               SOCIAL MEDIA COMPONENT

                                                                            3) ACCEPTABLE USE POLICY

                                                                            4) EMPLOYEE CODE OF CONDUCT

                                                                            5) SOCIAL MEDIA POLICY





OUTAGE DUE TO SOCIAL MEDIA-           LACK OF REGULARLY UPDATED             1) REGULARLY UPDATED ANTI-                      LOW                LOW             LOW
BASED VIRUS/MALWARE                   VIRUS/MALWARE SOFTWARE                   VIRUS/ANTI-MALWARE SOFTWARE
INFECTION
                                                                            2) CONTENT FILTERING SOFTWARE
                                                                               TO RESTRICT/LIMIT ACCESS TO
                                                                               SOCIAL MEDIA PLATFORMS IF
                                                                               COMPANY POLICY CALLS FOR
                                                                               NON-EMPLOYEE USE OF SOCIAL
                                                                               MEDIA

                                                                            3) INFORMATION SECURITY TRAINING

                                                                            4) SOCIAL MEDIA TRAINING

                                                                            5) SOCIAL MEDIA POLICY

                                                                            6) INFORMATION SECURITY POLICY


LOSS OF SOCIAL MEDIA-BASED            CLOSURE OF SOCIAL MEDIA               1) INCLUDE THIRD-PARTY SOCIAL                   LOW                LOW             LOW
CONTENT                               PLATFORM                                 MEDIA PLATFORMS IN VENDOR
                                                                               MANAGEMENT PROCESS

                                                                            2) MAINTENANCE OF SOCIAL MEDIA
                                                                               MANAGER

                                      CONTENT POSTED THROUGH NON-           1) REQUIRE THAT COMPANY “OWNED”                 LOW                LOW             LOW
                                      COMPANY-CONTROLLED/OWNED                 CONTENT IS POSTED THROUGH
                                      ACCOUNTS                                 COMPANY-CONTROLLED ACCOUNTS

                                                                            2) SOCIAL MEDIA POLICY

                                                                            3) SOCIAL MEDIA TRAINING





                                      VIOLATION OF SOCIAL MEDIA             1) MAINTENANCE OF SOCIAL MEDIA                  LOW                LOW             LOW
                                      PLATFORM POLICIES                        MANAGER

                                                                            2) SOCIAL MEDIA POLICY

                                                                            3) SOCIAL MEDIA TRAINING

                                                                            4) INCLUDE THIRD-PARTY SOCIAL
                                                                               MEDIA PLATFORMS IN VENDOR
                                                                               MANAGEMENT PROCESS


LAWSUIT FOR ALLEGED IMPROPER          LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
USE OF SOCIAL MEDIA IN THE            SOCIAL MEDIA RISKS BY HR
HIRING PROCESS                        DEPARTMENT                            2) SOCIAL MEDIA TRAINING

                                                                            3) CODE OF CONDUCT

                                      LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
                                      SOCIAL MEDIA RISKS BY HIRING
                                      MANAGERS                              2) SOCIAL MEDIA TRAINING

                                                                            3) CODE OF CONDUCT


LAWSUIT FOR ALLEGED IMPROPER          LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
TERMINATION BASED UPON                SOCIAL MEDIA RISKS BY HR
SOCIAL MEDIA USE                      DEPARTMENT                            2) SOCIAL MEDIA TRAINING

                                                                            3) CODE OF CONDUCT

                                      LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
                                      SOCIAL MEDIA RISKS BY HIRING
                                      MANAGERS                              2) SOCIAL MEDIA TRAINING

                                                                            3) CODE OF CONDUCT




LAWSUIT FOR COPYRIGHT                 LACK OF EMPLOYEE                      1) MAINTENANCE OF SOCIAL MEDIA                  LOW                LOW             LOW
VIOLATIONS                            UNDERSTANDING OF COPYRIGHT               MANAGER
                                      RULES RELATIVE TO SOCIAL MEDIA
                                      USE                                   2) SOCIAL MEDIA POLICY

                                                                            3) SOCIAL MEDIA TRAINING

                                                                            4) EMPLOYEE CODE OF CONDUCT


LOSS OF OPPORTUNITY TO HIRE           LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
QUALIFIED EMPLOYEE DUE TO             SOCIAL MEDIA RISKS BY HR
INFORMATION CONTAINED ON              DEPARTMENT                            2) SOCIAL MEDIA TRAINING
SOCIAL MEDIA PLATFORM
                                                                            3) CODE OF CONDUCT

                                      LACK OF UNDERSTANDING OF              1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
                                      SOCIAL MEDIA RISKS BY HIRING
                                      MANAGERS                              2) SOCIAL MEDIA TRAINING

                                                                            3) CODE OF CONDUCT


ATTACK ON CUSTOMERS /                 INADEQUATE PASSWORD POLICY            1) INFORMATION SECURITY POLICY                  LOW                LOW             LOW
FOLLOWERS / FRIENDS THROUGH
HIJACKED SOCIAL MEDIA ACCOUNT                                               2) INFORMATION SECURITY TRAINING

                                                                            3) SOCIAL MEDIA POLICY

                                                                            4) SOCIAL MEDIA TRAINING

                                                                            5) CODE OF CONDUCT





                                      LACK OF EMPLOYEE                      1) INFORMATION SECURITY TRAINING                LOW                LOW             LOW
                                      UNDERSTANDING OF SOCIAL MEDIA
                                      RISKS TO CUSTOMERS / FOLLOWERS        2) SOCIAL MEDIA TRAINING
                                      / FRIENDS
                                                                            3) INFORMATION SECURITY POLICY

                                                                            4) SOCIAL MEDIA POLICY

                                                                            5) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            6) ACCEPTABLE USE POLICY

                                                                            7) EMPLOYEE CODE OF CONDUCT


EXCESSIVE/INAPPROPRIATE USE                                                 1) SOCIAL MEDIA POLICY                          LOW                LOW             LOW
OF SOCIAL MEDIA BY EMPLOYEE
                                                                            2) SOCIAL MEDIA TRAINING

                                                                            3) SOCIAL MEDIA MONITORING
                                                                               PROGRAM

                                                                            4) ACCEPTABLE USE POLICY

                                                                            5) EMPLOYEE CODE OF CONDUCT

                                                                            6) CONTENT FILTERING SOFTWARE
                                                                               TO RESTRICT/LIMIT ACCESS TO
                                                                               SOCIAL MEDIA PLATFORMS IF
                                                                               COMPANY POLICY CALLS FOR
                                                                               NON-EMPLOYEE USE OF SOCIAL
                                                                               MEDIA





Risk is the possibility of an act or event occurring that would have an adverse effect on the organization. Risk can also be
the potential that a given threat will exploit vulnerabilities to cause loss or damage. Risk is generally measured by a
combination of severity and likelihood of occurrence.

A threat is an action or event that might jeopardize the organization. It is a sequence of circumstances and events that
allows a human (intruder, criminal, disgruntled employee, terrorist, etc.) or other agent (virus, Trojan horse, natural
disaster, etc.) to cause a misfortune by exploiting vulnerabilities.

A vulnerability is a weakness that allows a threat to manifest. Threats cannot manifest unless a vulnerability is exploited.







                                                               Likelihood of Occurrence Table
                                        Likelihood                              Description
                                       Negligible          Unlikely to occur.

                                       Very Low            Likely to occur two/three times every five years.

                                       Low                 Likely to occur once every year or less.

                                       Moderate            Likely to occur once every six months or less.


                                       High                Likely to occur once per month or less.

                                       Very High           Likely to occur multiple times per month.

                                       Extreme             Likely to occur multiple times per day.







                                                                   Impact Severity Levels
                         Impact Severity         Description
                         Insignificant           Almost no impact if the threat is realized and vulnerability is exploited.

                         Minor                   Minor effect on the organization that will require minimal effort to repair or
                                                 reconfigure.

                         Significant             Some negligible yet tangible harm that will require some expenditure of resources
                                                 to repair.

                         Damaging                Damage to the reputation of the organization, and/or notable loss of confidence in
                                                 the organization’s resources or services. Will require expenditure of significant
                                                 resources to repair.

                         Serious                 Considerable system outage and/or loss of customer/business partner confidence.
                                                 May result in the compromise of services or a large amount of
                                                 customer/organization information.

                         Critical                Extended system outage or permanent closure. May result in complete
                                                 compromise of services or confidential information.







                                                                           Risk Levels
                  Likelihood of                                             Impact Severity
                  Occurrence          Insignificant     Minor             Significant       Damaging          Serious           Critical
                  Negligible          Low               Low               Low               Low               Low               Low
                  Very Low            Low               Low               Low               Low               Moderate          Moderate
                  Low                 Low               Low               Moderate          Moderate          High              High
                  Moderate            Low               Low               Moderate          High              High              High
                  High                Low               Moderate          High              High              High              High
                  Very High           Low               Moderate          High              High              High              High
                  Extreme             Low               Moderate          High              High              High              High

UPDATES AND REVISIONS: Please help the community by posting your improvements to this risk assessment in the “Comments”
section of the social media risk assessment post at
http://socialmediabanking.blogspot.com/2012/03/social-media-risk-assessment-process.html



