actiance enabling social_networks

Enable Social Networks

Upload: david-choactiance

Post on 22-Jan-2015

DESCRIPTION

Learn how Actiance can help you Secure, Manage and Control your social network use.

TRANSCRIPT

Page 1: Actiance enabling  social_networks

Enable Social Networks

Page 2: Actiance enabling  social_networks

Confidential and Proprietary © 2011, Actiance, Inc. All rights reserved.

So who’s using Social Media? And Why?

Sales & Marketing: promotions, advertising, branding

HR: background checks, recruiting

Scientists & Researchers: information exchange, collaboration

IT: investigation of security breaches

Page 3: Actiance enabling  social_networks

Social Networking: Balancing Benefit & Risk

Risks & Challenges

Employee productivity
– Control who can access what, when, and for how long

Content security
– Introduction of malware

Brand and reputation protection
– Allow “approved corporate posters” to self-moderate
– Moderate posts from unapproved corporate posters

IP/Information Leak Prevention/NDA compliance
– Sensitive, confidential term dictionary matching
– Stop contract staff accidentally leaking your secrets
– Quarantine posts for moderation by a reviewer
– Quick deployment, no desktop touch

Compliance with regulation (e.g., FINRA, PCI)
– Archive content
– Stop credit card number patterns
– Control specific content

Page 4: Actiance enabling  social_networks

Web 2.0 & Social Networks Regulation & Compliance

Regulation: Social Network and Web 2.0 Impact

SEC and FINRA: Obliged to store records and make accessible. Public correspondence requires approval, review and retention. Extended to social media. http://www.finra.org/Industry/Issues/Advertising/p006118

Gramm-Leach-Bliley Act (GLBA): Protect information, monitor for sensitive content, and ensure not sent over public channels (e.g., Twitter)

PCI: Ensuring cardholder data is not sent over unsecured channels AND PROVING IT.

Red Flag Rules: Prevent identity theft. Protect IM and Web 2.0 from malware and phishing when users are more likely to drop their guard.

FRCP (eDiscovery): Email and IM are ESI. Posts to social media sites must be preserved if reasonably determined to be discoverable. http://blog.twitter.com/

Page 5: Actiance enabling  social_networks

Web 2.0 & Social Networks Regulation & Compliance

Regulation: Social Networks and Web 2.0 Impact

Sarbanes-Oxley (SOX): Businesses must preserve information relevant to the company reporting.

Canadian Securities Administrators National Instrument 31-303 (CSA NI): Retain records for two years, in a manner that allows “rapid recovery to a regulator.” Can extend to IM and social media.

Investment Dealers Association of Canada (IDA29.7): Demands the retention of records with respect to business activities, regardless of its medium of creation.

MiFID and FSA, Markets in Financial Instruments Directive (EU): Specifically requires the retention of electronic communications conversations when trades are referenced.

Model Requirements for the management of Electronic Records (MoReq): European requirements for the retention of electronic records.

Page 6: Actiance enabling  social_networks

FINRA Regulatory Notice 10-06: Guidelines for Social Networks

Regulation: Social Network and Web 2.0 Impact

SEC Rules 17a-3 and 17a-4 and NASD Rule 3110: Retain records of communications related to business

Public Appearances: Electronic forum & chat rooms, content posted to social media may constitute a public appearance

Prior Approvals: Wall postings require prior approvals

Participation: Real-time participation on social networks equals participation

FINRA Regulatory Notice 07-59: For instance, communications between research and investment banking departments should be restricted

Restrict Personnel: Only those subject to the firm's supervision should have access, provide training prior to engagement, prohibit or restrict those who pose a compliance risk. Restrict access with technology.

Page 7: Actiance enabling  social_networks

Financial Services Authority (FSA): Guidelines for Social Networks

Regulation: Social Network and Web 2.0 Impact

Senior Management Arrangements, Systems and Controls (SYSC)

SYSC 9.1.1: An enterprise must arrange for orderly records to be kept of its business and internal organization.

SYSC 9.1.2: Records must be kept for at least five years.

SYSC 9.1.5: An enterprise should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records.

Policy Statement 08/1: Must record conversations on public and enterprise IM networks.

SYSC 3.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

SYSC 10.2: Firms must take reasonable steps to ensure that ethical walls remain effective and are adequately monitored.

Financial Promotions Industry Update No. 5: All communications or financial promotions must be based on the principles of fair dealing. Adequate records of financial promotions must be kept.

Page 8: Actiance enabling  social_networks

Enabling Social Networking: Solution Requirements

Issue: Control Requirements

Identity management: Ensure that all the different logins of an individual link back to corporate identity

Activity control: Posting of content allowed for marketing but read-only for everyone else

Granular application control: Employees can access Facebook, but not Facebook Chat or Facebook Games

Anti-malware: Protect network against hidden phishing or Trojan attacks

Data leak prevention: Protect organization from employees disclosing sensitive information

Moderation: Messages posted only upon approval by designated officer

Logging and archiving: Log all content posted to social networks

Export of data: Export stored data to any email archive or WORM storage

Page 9: Actiance enabling  social_networks

Social Networking Control: Basic functionality

Simple SPAN/monitor port deployment to allow/block
– Social Networking Widget Usage
– Web 2.0 applications (~4,500)
– Instant messaging (~200)
– P2P (~200)
– URL filtering
– Anti-Malware

[Diagram: Unified Security Gateway (Secure & Enable Web 2.0); Users; Active Directory group-based policies; LAN/WAN; Internet; Switch; All Internet Traffic]

Page 10: Actiance enabling  social_networks

URL Filtering & Anti-Malware

Allow

Block

Coach

Time quotas

Page 11: Actiance enabling  social_networks

Social Networking Widget Categorization

– Control access to individual social media sites

– Allow/block application widgets on popular sites

Page 12: Actiance enabling  social_networks

SaaS Infrastructure

• Fully Redundant Architecture

• End-to-End Failover

• Fully Redundant and Mirrored Database

• Extensive Network and Application Monitoring and Alerting

Page 13: Actiance enabling  social_networks

Social Networking Feature Control

• Control features or areas of content posting by user or group

Page 14: Actiance enabling  social_networks

Content Monitoring

Policy summaries

Easy-to-set policies

– Archiving

– Moderation

Lexicons

Actions to take

Page 15: Actiance enabling  social_networks

eDiscovery of Social Networking Posts

Social networking activity and posts are captured

All the captured events are presented for eDiscovery and available for export to archiving platforms

Page 16: Actiance enabling  social_networks

Moderation

Posts to Twitter/Facebook/LinkedIn held for review by the following criteria:

– All

– Keyword/dictionary matches

– Regular expressions (e.g., credit card/SSN patterns)
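
The three hold criteria above, sketched as an added example (not Actiance or Socialite code). The lexicon terms, function names and sample values are constructed, and the Luhn checksum on card candidates is an addition that discards digit runs which cannot be card numbers.

```python
import re

# Constructed lexicon of sensitive terms (assumption; a deployment loads its own dictionary).
LEXICON = {"project falcon", "merger", "under nda"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN written as AAA-GG-SSSS.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true only for digit strings that could be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hold_reasons(post: str, hold_all: bool = False, lexicon=LEXICON) -> list:
    """Return why a post is quarantined for review; an empty list means release it."""
    reasons = []
    if hold_all:                                   # criterion 1: All
        reasons.append("policy: hold all posts")
    lowered = post.lower()
    for term in sorted(lexicon):                   # criterion 2: keyword/dictionary
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            reasons.append("lexicon: " + term)
    for m in CARD_RE.finditer(post):               # criterion 3: regular expressions
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            reasons.append("regex: card number")
            break
    if SSN_RE.search(post):
        reasons.append("regex: SSN")
    return reasons
```

A digit run directly beside a card number (an order number, for instance) can merge into one candidate and fail the checksum, so regex criteria are best paired with lexicon terms or the hold-all policy for high-risk posters.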

Page 17: Actiance enabling  social_networks

Simplified Moderator Workflow

STEP 1: User posts message on Facebook, LinkedIn, or Twitter

STEP 2: Socialite intercepts post and provides a notification that content is being monitored and will be posted only upon approval by the moderator

STEP 3: Moderator receives e-mail notification about pending messages

STEP 4:

• Moderator signs on to Socialite reviewer console

• Moderator reviews messages and, depending upon appropriateness, Approves or Rejects a message

• Moderator also has an option to leave a review comment for each post

STEP 5: Accepted posts are sent to the network on behalf of the user

STEP 6: Accepted posts are viewed by the user

Page 18: Actiance enabling  social_networks

Moderator work queue & transcript review

The moderator queue allows bulk approval, or each post can be reviewed individually.

Page 19: Actiance enabling  social_networks

End User Experience

Toolbar displayed for each site, showing user’s post “queues”

User can click on their queues and see a list of the messages