social’media policies(&(standards( proposal -...

Mercyworks www.mercyworks.net

Jessica Naismith

JRN 370-‐ 22218913

Social Media

Policies & Standards

Proposal

JRN 370

Mercyworks Polic ies & Procedures Proposal 2

Jessica Naismith-‐ JRN 370 22218913

Introduction & Summary Statement

Mercyworks is a startup non-‐profit organization looking to provide social assistance to community members who are in need of help through the provisions of programs and advocacy. Through the development of the organization it came to our attention that Social Media would be a tremendous asset to the goals and objectives of the organization.

We have outlined the targeted social media platforms and the overall goal of social media within Mercyworks. It is proposed that in the best interest of Mercyworks and its programs we adopt the following policies and procedures for social media. It is believed that the use of Social Media will be of immediate benefit to the organization and its employees as well as those being served. Through social media the amount of people within the community will be greater, the amount of money given through donations will increase, and the level of awareness within the community and the surrounding areas will also be more noticeable. We aim to use social media to highlight other organizations that are involved in social assistance and relief efforts throughout the area as well.

Mission & Vision Statements

Vision Statement Mercyworks is an international Christian community development organization alleviating poverty and injustice globally through relief efforts, community transformation and advocacy. Motivated by love, we bring aid to the most vulnerable people with no regard toward faith, ethnicity, age or gender.

Values

We value people. We believe the deepest treasure of the earth is the people who inhabit it. People matter to God and therefore matter to us.

We value justice. All people have value regardless of ethnicity, age, gender or financial standing, therefore we advocate for those that are poor, oppressed and disenfranchised; seek justice for them and give them a voice in order to bring justice and equality to their communities.

JRN 370



We value transformation. We believe that Jesus’ mission involved establishing His Kingdom on earth with transformation being the hallmark of His Kingdom – transformation of lives, families, businesses, communities and countries.

We value empowerment. We realize that strong communities are built through empowering the people in them and so we resource our partner communities first with relief help, meeting the need at hand to reach the need of the heart. And then through relationship empower them to build their own community.

We value collaboration. We believe that our reach is magnified exponentially through partnerships and collaboration. There is strength in community, as an organization we function as a community and as we reach out, we also believe that we can only reach our potential as we hold the hands of others who have a similar vision of seeing communities transformed.

We value our faith. We are spiritually based and are focused on the mission that Jesus left us with – to love God and love people. Love is the foundation of everything we do. Releasing love to the communities and people we serve is the reason why we do what we do.

We value stewardship. Because we believe that the earth is the Lord’s and everything in it, we value proper stewardship of all of our resources, our finance, our properties, our human resources, and our programs. God has given everything we have to us and we hold it all in high esteem and treat it to the best of our ability with the deepest respect.

Organization Goals & Objectives • To raise awareness of social issues such as poverty, urban famine, lack of family structure,

students being undereducated and health issues among residents of all ages. • To present solutions to above issues in the forms of programs within and outside of the

realm of Mercyworks and Eden Urban Farms, LLC. • To begin conversations about topics such as wellness, substance abuse, poverty, education,

children, hunger, and urban agriculture with people inside of the Detroit communities. • To dialog with people who have positional power for the raising of funds, program

development, and media contacts. • To alert people of those organizations throughout the region already engaged in helping

meet societal needs.

JRN 370



Personnel & Resource Requirements I propose the use of resources including personnel, equipment, software, and funds allocated for the specific purpose of social media training and maintenance.

The breakdown of the costs per 6 months is split into three separate expense accounts; Personnel, Equipment, and Training/Development.

Personnel We will hire one fulltime employee to fill the role of Social Media Director. This employee will have an hourly rate of $25.00, at 40 hours/week; this person will have an annual salary of $52,000. Two additional employees will be hired as fulltime as well, both Social Media Coordinators. These employees will each have an hourly rate of $18.00, for an annual salary of $37,440. This accounts for the total at the 6 and 12-‐month marks respectively of $126,880. The *18-‐month mark will signify the hiring of 2 additional employees. These employees will be part-‐time Social Media Associates each working 20 hours per week with an hourly rate of $10.00. These employees make up the additional $20,800 in the budget for a total of $147,680.

* The possibility exists for the additional of the Social Media Interns at this point as opposed to the 12-‐month mark. For the duration of this proposal I will work with the idea of 4 social media interns (unpaid) starting at the beginning of the 12th month of operations. They will be included in “Personnel” but will not add to the bottom line in the Personnel Budget.

126880 126880

147680

11100 11100 13300 5000 5000 7500

6 Months 12 Months 18 Months

Personnel Equipment Training/Development

JRN 370



Equipment We will purchase one complete workstation for each of the three employees originally and maintain the three workstations each purchased for an initial price of $2,200. We will allocate $2,000 for software, downloads, and upgrades and put $2,500 in the budget for printers, ink, paper, etc. This total is $11,100 for the remainder of the first 12 months. After the end of this second period we will purchase another workstation for the two part-‐time employees to share for a purchase price of $2,200. This budget increases to $13,300.

Training & Development The amounts reflected for three periods of training and development are simply an estimation of the costs we will incur as an organization. This amount of $5,000 and $7,500 respectively account for training workshops for employees either onsite or in another location (which would include travel expenses) and costs we would incur bringing in a speaker or expert in the field of social media. We may need to purchase training software or training materials, such as the “Social Media Marketing Success Training” developed by Krista Neher. This set of training materials runs about $900.00 from Amazon.com. Also included in this expense budget would be the hours our employees spent on training and professional development. We would pay them their normal rate per hour and expense it to this account.

Additional Resources Recommended In my opinion, I would propose that additional resources be added as budget and the Board of Directors allow. My first suggestion would be to hire a salaried position whose sole purpose would be to monitor the analytics for social media and to research best practices for boosting our online presence. I would recommend this position be added after 24-‐30 months. In the meantime we would need to provide proper training to the current staff to fill this need. I would suggest as well that we make sure that our technology is up to par with the newest and recent social media platforms and that we have software, downloads, and systems that will allow for optimum use of social media.

JRN 370



We are currently lacking the staff to monitor the content of the social media platforms, while we have unpaid interns who provide content and updates, it is vital that we monitor these blogs, tweets, etc. and that someone continuously engages in conversation on these platforms in order to maintain our desired level of interaction with the community.

Training Details Overall, the Board of Directors has the say in the amount, kind, and frequency of Social Media training but below is my recommended schedule of training for the initial 6-‐month period within Mercyworks. 0-‐3 Months: Who: All employees of Mercyworks (this includes 3 in Administrative roles, 2 in Fund Development, 5 in Social Media (unpaid interns), and 1 Executive Director) = 11 Employees What: Follow the DVD/Workbook training for “1 Social Media Marketing” earlier referenced in the Training & Development section. Led By: The course will mostly be self-‐directed. The parts of the course that require more explanation, I will lead or provide additional guidance in. How Much: The course would be approx. $900.00 plus additional monies for printing materials and additional workbooks. 3-‐6 Months: Who: We will focus the training on the Social Media Department and those in Fund Development if the Board adopts the recommendation. What: The Social Media Strategies Summit for Non-‐Profits is hosted in Boston and San Diego for 2012 with dates that may work for the employees. The conference is either 1 or 3 days depending on the location. There are two tracks available. The track focused on platforms would be for the Fund Development Staff and the Social Media Interns. The second track for Campaigns and Tactics

1 http://www.amazon.com/Social-‐Media-‐Marketing-‐Training-‐Course/dp/0983028613/ref=sr_1_3?s=software&ie=UTF8&qid=1344350921&sr=1-‐3&keywords=social+media+training

JRN 370



would be better suited for anyone from Leadership who would like to attend and the Social Media Staff. How Much: Cost is $595.00 per person with the Early Bird Discount, with additional costs for travel expenses. These costs have not yet been calculated.

Additional Training Beyond the initial 6-‐month period the training would be ongoing, in an individual or small group setting led by myself or another staff member on the SM team. Some of these items will be pulled from the CMU SM Certificate Coursework and other materials will be from books purchased through Amazon or through trainings that one of the staff members has attended. The rest of these details have yet to be determined.

Audit Questionnaire: Many of these questions have been adopted by Mercyworks from The Social Media Handbook © 2012 Nancy Flynn. The main objective in using this audit for the Board of Directors and the Executive Director is to find out how Mercyworks needs to proceed in developing social media policies and procedures to better protect itself and its employees against the possible risks.

Legal Risk & Compliance 1. Have you reviewed current federal and state laws governing electronic content, usage, monitoring, privacy, e-‐discovery, data encryption, business records, and other legal issues in all jurisdictions in which you operate, have employees, serve customers, or litigate lawsuits?

Yes No Don't Know

2. Has employee email ever triggered a workplace lawsuit?

Yes No Don't Know

3. Has offensive or inappropriate social media content (blog posts, tweets, Facebook profiles, third-‐party blog comments, YouTube videos, and so on) ever triggered a workplace lawsuit?

Yes No Don't Know

4. Has employee Internet use (surfing, viewing, downloading, uploading, and so on) ever triggered a workplace lawsuit?

Yes No Don't Know

JRN 370



5. Have employee or intern (volunteer) written blog posts or third-‐party comments ever triggered a workplace lawsuit?

Yes No Don't Know

E-‐Discovery Risks & Compliance 6. Has employee email ever been subpoenaed by a court or regulatory body? Yes No Don't Know 7. Have program-‐related tweets, Facebook posts, YouTube videos, or other social networking content ever been subpoenaed by a court or regulator? Yes No Don't Know 8. Have program related blog posts ever been subpoenaed by a court or regulator? Yes No Don't Know 9. Has email or other electronically stored information (ESI) ever been used as evidence—for or against Mercyworks—in litigation? Yes No Don't Know 10. Have you provided employees with a formal definition of “electronic business record”? Yes No Don't Know 11. Do your employees and unpaid interns know the difference between business critical email that must be retained for legal and regulatory purposes versus personal email and otherwise insignificant messages that may be purged? Yes No Don't Know 12. Do you rely on an archiving solution to automatically preserve, protect, and produce legally compliant email and other ESI? Yes No Don't Know 13. Could you locate and produce legally compliant business blog posts, email messages, text messages, and other ESI in 99 days if ordered by a court to do so?

JRN 370



Yes No Don't Know 14. Are you familiar and compliant with the amended Federal Rules of Civil Procedure (FRCP)? Yes No Don't Know 15. Are you familiar and compliant with the state rules of civil procedure in every state in which you operate, have employees, or litigate lawsuits? Yes No Don't Know

Records Management 16. Do you have a formal electronic business record retention policy in place, governing the retention of all electronically stored information? Yes No Don't Know 17. Have you established a record lifecycle schedule and formal deletion schedule for Mercyworks electronic business records? Yes No Don't Know 18. Do you have a formal litigation hold policy and related procedures in place? Yes No Don't Know

Regulatory Risks & Compliance 19. Do you know and understand all of the industry and government regulations that govern Mercyworks electronic use, content, records, data security, customer data, consumer privacy, or e-‐discovery obligations? Yes No Don't Know 20. Have you educated your regulated employees and unpaid interns about electronic risks and compliance vis-‐à-‐vis regulators’ rules and guidelines? Yes No Don't Know 21. Has content posted on Mercyworks various blog sites ever triggered a regulatory investigation? Yes No Don't Know

JRN 370



22. Has content posted on Mercyworks public Facebook page or other external public social media site (Twitter, YouTube, and so on) ever triggered a regulatory investigation? Yes No Don't Know 23. Has content posted on an employee’s or unpaid intern’s personal blog ever triggered a regulatory investigation against Mercyworks? Yes No Don't Know 24. Has content posted by an employee or unpaid intern on a personal Facebook, Twitter, YouTube, or other social networking account ever triggered a regulatory investigation against Mercyworks? Yes No Don't Know

Organizational & Productivity Risks 25. Has excessive personal use of email led to a slide in workplace productivity? Yes No Don't Know 26. Has excessive personal use of the Internet led to a slide in workplace productivity? Yes No Don't Know 27. Has excessive personal use of public social networking sites led to a slide in workplace productivity? Yes No Don't Know 28. Do you review job/intern applicants’ personal blogs, Facebook pages, and other personal social media presence as part of the interview process? Yes No Don't Know 29. Has your review of job applicants’ personal blogs, Facebook profiles, and other social networking sites ever triggered a discrimination claim against Mercyworks? Yes No Don't Know 30. Do you allow employees to engage in video snacking via personal or company-‐owned systems and accounts?

JRN 370



Yes No Don't Know 31. Have you ever terminated an employee for violating email policy? Yes No Don't Know 32. Have you ever terminated an employee for violating Internet policy? Yes No Don't Know 33. Have you ever terminated an employee for violating Intranet policy? Yes No Don't Know 34. Have you ever terminated an employee for violating blog policy? Yes No Don't Know 35. Have you ever terminated an employee for violating social media policy? Yes No Don't Know 36. What does your company consider to be a termination-‐worthy social media violation? (Check all that apply.) ___Violation of social media Policy ___Violation of any company employment policy ___Inappropriate or offensive language or content ___Excessive personal use ___Breach of confidentiality rules ___Violation of regulatory guidelines ___Other 37. What does your company consider to be a termination-‐worthy blog violation? (Check all that apply.) ___Violation of blog policy ___Violation of any company employment policy ___Inappropriate or offensive language or content ___Excessive personal use ___Violation of regulatory guidelines ___Violation of regulatory guidelines ___Other

JRN 370



38. What does your company consider to be a termination-‐worthy email violation? (Check all that apply.) ___Violation of social media Policy ___Violation of any company employment policy ___Inappropriate or offensive language or content ___Excessive personal use ___Breach of confidentiality rules ___Violation of regulatory guidelines ___Other 39. What does your company consider to be a termination-‐worthy Internet violation? (Check all that apply.) ___Violation of Internet policy ___Violation of any company employment policy ___Inappropriate or offensive language or content ___Excessive personal use ___Breach of confidentiality rules ___Violation of regulatory guidelines ___Other 40. On average, how much personal use of the organization’s computer systems (social media, blogs, Internet, email, texting, and so forth) do you engage in daily? ___0 to 30 minutes ___30 minutes to 2 hours ___2 hours to 4 hours ___4-‐plus hours

Security Risks 41. Have leaked internal email messages ever triggered negative media coverage, a regulatory audit, or other negative consequences? Yes No Don't Know 42. Have employees ever posted confidential information about Mercyworks or its program participants or assistance recipients on social networking sites or blogs, triggering negative media coverage, a drop in stock valuation, a regulatory audit, or other negative consequences? Yes No Don't Know

JRN 370



43. Has compromised donor financial data (Social Security numbers, credit card numbers, debit card numbers, financial account numbers) ever put your organization at risk of Gramm-‐Leach-‐Bliley (GLBA) violations? Yes No Don't Know

Mobile Device Risks 44. Does Mercyworks provide employees or interns with mobile devices of any kind (smartphones, BlackBerries, iPhones, cell phones, tablets, iPads)? Yes No Don't Know 45. Are employees or interns permitted to use company-‐provided smartphones or other company-‐owned mobile devices for personal reasons? Yes No Don't Know 46. Are employees or interns allowed to use personal smartphones or other privately owned mobile devices to create, post, access, transmit, or download company or donor data? Yes No Don't Know 47. Are employees or interns allowed to access the internal email system via personal smartphones or privately owned mobile devices? Yes No Don't Know 48. Do employees or interns use text messaging for internal communication with coworkers or for external business communication with customers, prospects, suppliers, and potential and current donors? Yes No Don't Know 49. Has an employee or volunteer-‐driver ever caused a traffic accident or hit a pedestrian while texting, talking, blogging, posting, social networking, surfing, emailing, or otherwise engaged in distracting behavior while driving? Yes No Don't Know

Personal Use 50. Do employees or interns ever use their own personal social networking accounts, public sites, or external blogs to comment on Mercyworks, employees, executives, customers, donors, or other partners matters?

JRN 370



Yes No Don't Know 51. Have employees or interns ever used their own personal social networking accounts, public sites, or external blogs to gossip, whine, or complain about Mercyworks, employees, executives, customers, donors, or other partners matters? Yes No Don't Know 52. On their own time and using their own computer resources, have employees or interns ever— accidentally or intentionally—leaked confidential Mercyworks data or private donor information that has triggered a regulatory investigation, sparked a lawsuit, damaged the organization’s reputation, or otherwise harmed Mercyworks? Yes No Don't Know 53. Do you monitor employees’ or interns personal blogs? Yes No Don't Know 54. Do you monitor employees or interns’ personal social networking presence and activity? Yes No Don't Know

Business Use 55. Does Mercyworks use public social media sites (Facebook, Twitter, YouTube, LinkedIn, and so on) to communicate, collaborate, and converse with customers, prospective donors, vendors, decision makers, the media, business partners, and other important audiences? Yes No Don't Know 56. Does Mercyworks use enterprise-‐grade social media software, in-‐house wikis, and internal blogs for knowledge sharing, brainstorming, communication, and collaboration among employees, executives, donors, business partners, or other authorized parties? Yes No Don't Know 57. Do you maintain a/an organization blog(s)? Yes No Don't Know 58. Do you provide employees or interns access to instant messaging (IM) for internal chat with colleagues?

JRN 370



Yes No Don't Know 59. Do you provide employees or intern’s access to public instant messaging (IM) for external chat with customers, donors, and other outsiders? Yes No Don't Know 60. Does Mercyworks use technology (URL blocks) to prevent employees from accessing off-‐limits websites? Yes No Don't Know 61. If yes, what type of sites does Mercyworks block? (Check all that apply.) ___Social networking sites ___External blogs ___"Adult" sites (sexual, pornographic, or romantic content) ___Game sites ___News sites ___Shopping or auction sites ___Entertainment sites ___Sports sites ___Gambling sites ___Illegal or otherwise inappropriate or offensive sites

Acceptable Use Policies (AUP’s) 62. What type of acceptable use policies (AUPs) does Mercyworks currently have in place? (Check all that apply.) ___Social media policy (governing business use and content) ___Social media policy (governing personal use and content) ___Blog policy (governing business use and content) ___Blog policy (governing personal use and content) ___Business record retention policy ___Email policy (governing business use and content) ___Email policy (governing personal use and content) ___Internet policy (governing business use and content) ___Internet policy (governing personal use and content) ___Instant messenger (IM) policy (governing business use and content) ___Instant messenger (IM) policy (governing personal use and content) ___Text messaging policy (governing business use and content) ___Text messaging policy (governing personal use and content) ___Smartphone/cell phone policy (governing business use and content) ___Smartphone/cell phone policy (governing personal use and content)

JRN 370



___Mobile device policy (governing business use and content) ___Mobile device policy (governing personal use and content) 63. Have all of your AUPs been reviewed and updated as necessary within the past 12 months? Yes No Don't Know 64. Are your AUPs easy to ready, understand, and adhere to? Yes No Don't Know 65. How do you distribute AUPs to employees? (Check all that apply.) ___Formal employee training programs ___Employee handbook ___Company Intranet ___Company Intranet ___Email ___Online policy portal 66. Do you conduct mandatory employee training related to each AUP Mercyworks has developed and distributed to employees? Yes No Don't Know 67. Do you clearly date each new or revised AUP? Yes No Don't Know 68. Do you take old AUPs out of circulation when new AUPs are introduced? Yes No Don't Know 69. In the event of a lawsuit, are you confident that Mercyworks could demonstrate to the court that it has established a best-‐practices-‐based AUP program that combines effective policies, supported by comprehensive employee education, and enforced by best-‐in-‐class technology tools? Yes No Don't Know

JRN 370



Risks for Mercyworks

At the present time the risks for using social media have not been completely evaluated, but from the work that we have done in researching this, the risks of failure to use social media outweigh the risks involved in utilizing these technological advances.

Below I have outlined the previously identified risks and how each risk could be handled via social media and the projected solutions, resources, etc. to take care of each potential problem.

1. Threats to intellectual property.

One of the risks would be that information that Mercyworks considers to be confidential in nature would be leaked to those who should not be privy to the information. Specifically in dealing with Eden Urban Farms, LLC this could come into play. The technology for this endeavor has recently been placed under patent pending status (October 9, 2011) through the Aquatic Productions Consulting, LLC hydro biologist that originally developed this aquaponic system. There is a high level of risk to the technology and to the patent itself if this information were to be shared with the public or worse yet, other Consulting firms who are developing similar technologies.

There are several ways to deal with this risk and address it proactively. First would be to create a Confidentiality/ Non-‐disclosure agreement that any employee or unpaid intern, consultant, or contractor would need to sign before beginning with Mercyworks. Another way to deal with this issue would be to address it in employee training and discuss the legal implications if this information were to get out. Also, staff could continuously monitor the content being placed online to make sure that the confidentiality agreements were being upheld at all times.

2. Negative feedback from the program members or community. / Defamation

A very real risk an organization takes when placing significant emphasis on relationships via social media is feedback that is not positive. We run programs for various niches in the community and each of these groups has the ability to respond to our programs, staff, initiatives, etc. on social media platforms.

One of the aspects of JRN 370 that I paid particular attention to was reputation management. All too often we see companies or organizations take a beating online because of negative feedback. I propose we deal with these comments and feedback with a positive attitude and let these things run their course. It is not recommended to remove these comments or reviews because we do not

JRN 370



want to appear as though we are not genuine in our efforts to help the community. We want to make sure that each of the employees and interns dealing with social media are properly equipped with the knowledge and tact necessary to deal with such issues when they arise. This can be dealt with during the employee/intern training. The steps for dealing with a donor/program attendee, etc. will be outlined in concise details for anyone dealing with this particular problem.

3. Financial information could be at risk of being exposed.

With the nature of being a non-‐profit organization it is expected that a significant portion of our time and resources would be spent in the fund-‐raising arena. With the different aspects of donations, potential donors, events, and online giving the potential for sensitive and private financial information to become available in public areas is somewhat greater than if we were not active in social media platforms. With this being said, this is a risk to the donor first and foremost but also to Mercyworks as an organization because of the liability that could ensue if something were to happen upon accidental release of the sensitive information.

It would be understood at the time of donation for any previous, current, and potential donors that Mercyworks would strive to maintain a level of professionalism and discretion that any of these donors would desire. We will develop a donation security form or policy that would be distributed to those being solicited. In the meantime, it is important that we develop policy for those staff and interns dealing with this sensitive financial data to ensure confidentiality, precaution and professionalism in an effort to protect each person involved in the transaction.

4. Integrity and Professionalism.

I see this as one of the major risks of our organization in regard to developing a social media presence. Mercyworks strives to uphold Christian and ethical principles at all times, in every aspect of our organization. Any event, problem, issue, etc. has the remote potential to end in a dispute in which our organization, an employee, a program, or any other entity representing Mercyworks integrity is brought into question.

I want us to deal with this issue from the very beginning. I think that it is crucial that in the hiring and interview process we bring these ethics and values into play and make sure that each and every person who will be representing Mercyworks is comfortable with being asked to sign a morality agreement prior to employment. In addition to this morality policy, or Code of Conduct, it

JRN 370



is important that each person employed or otherwise representative of Mercyworks be fully educated on the values and mission of Mercyworks and sign that they understand that even in dealing with social media, their presence online and offline reflect the integrity and professionalism of the organization as a whole.

Best Practices for Social Media

In my opinion, Mercyworks should adopt the best Practices from Nancy Flynn in Social Media Handbook. Only the practices that best suit Mercyworks are below. These will be discussed among the Board of Directors and decided on at a later date.

Best practices are necessary because of the constant evolution of technology and ways to implement all of the platforms within Mercyworks. I want to address the major concerns and changes within the world of Social Media through the education of our staff, program attendees, community members, and leadership team through onsite training, online training, and through these recommendations. Technology itself can handle a fair amount of training in the following recommendations and pieces of vital information.

Legal Risks 1. Because the law has not kept pace with social media, it’s essential for Mercyworks to implement rules, policies, and procedures to help manage behavior, mitigate risk, and maximize legal compliance. 2. Social media policy that is supported by employee education may provide some defense from liability in the event of a workplace lawsuit. 3. Reduce blog-‐related legal risks by posting community blogging guidelines; requiring visitors to register before commenting; reviewing all comments prepublication; rejecting any comments that violate your community blogging guidelines or other company policies; or deactivating the comment function on your business blogs. 4. If an employee or third party were to violate the law by posting copyright protected content on a business blog or social networking site, your organization could be held legally responsible. Help shield your organization from liability with policy, training, and the Digital Millennium Copyright Act (DMCA). 5. Exercise caution when using public social media sites to recruit job applicants or conduct background checks. Misguided online research could trigger discrimination claims.

Records Management & E-‐Discovery 6. Know and adhere to the amended Federal Rules of Civil Procedure (FRCP).

JRN 370



7. Research and comply with the state rules of civil procedure governing e-‐discovery and record retention in every state in which we operate, have employees, host programs, or litigate lawsuits. 8. Don’t assume employees know what business records are. Define “business record” on a companywide or department-‐by-‐department basis. 9. Update Mercyworks record retention policy and disposition procedures annually. 10. Support record retention policy with archiving technology to ensure that electronic business records are legally compliant.

Regulatory Risks 11. Establish policies and procedures to help ensure 100 percent compliance with government and industry regulatory rules governing electronic use, content, and records. 12. Adopt policies and procedures to help ensure compliance with federal and state data breach notification laws, encryption laws, and other laws and regulations designed to keep consumers’ (donors) personal information and financial data safe and secure.

Privacy & Security Risks 13. The federal Electronic Communications Privacy Act (ECPA) makes it clear that, in the U.S., the company’s computer system is the property of Mercyworks. 14. ECPA gives Mercyworks the legal right to monitor all computer activity and transmissions. Employees, on the other hand, have no reasonable expectation of privacy when using the company’s computer system, sites, accounts, or devices. 15. Employers who operate abroad must comply with the privacy and monitoring laws of every country in which they have employees, facilities, or customers. (This applies to our operations in Peru.) 16. Advise employees to safeguard their own privacy, and the privacy of their families and friends, when using public social networking sites. 17. Use proven-‐effective technology (software, hardware, or cloud technology) to monitor social media use, manage content, and minimize threats to customer privacy and data security.

Blog Risks 18. Monitor the blogosphere, and inform workers that Mercyworks is keeping an eye on their blog activity—at work and home.

JRN 370



19. Just like email messages and attachments, blog posts and comments have the potential to create electronic business records. Compliance requires their preservation, protection, and production in the event of a workplace lawsuit or regulatory investigation. Manage blog business records with retention policy and archiving technology. 20. In addition to implementing employee policy, be sure to publish community guidelines, governing the content posted by third parties on Mercyworks-‐hosted blogs.

Policy Audit 21. Before committing social media policy to writing, conduct a comprehensive review (audit) all of the social networking-‐related risks and challenges, laws and regulations, opportunities and benefits facing Mercyworks. 22. Use the results of your social media policy audit to update old policies and create new rules and policies. 23. Audit, and as necessary revise, social media policy and other Acceptable Use Policies (AUPs) annually.

Writing Effective Policy 24. Create one freestanding policy for each electronic business communication tool. In other words, draft one social media policy, a separate email policy, and another policy for the Internet, etc. 25. Have a legal expert review your social media policy and all other AUPs before distributing them to employees. 26. Collect and destroy all but one file copy of any old, outdated policy that you are replacing with a new, updated version. Date each version of every AUP.

Content Management Risk 27. The easiest way to control social networking risks is to control published content. 28. Use social media policy to spell out clear and specific content, language, and netiquette rules that are not open to interpretation by individual users. 29. Electronic content can create regulatory risks. Provide employees with content guidelines of the regulatory bodies that oversee your industry, as well as their usage and records rules.

Employee Training 30. You cannot expect an untrained workforce to be compliant. Educate everyone who works on behalf of your organization. 31. Conduct formal, companywide social media policy training annually, in conjunction with your organization’s yearly policy audit and policy updates.

JRN 370



32. The courts and regulators have consistently demonstrated appreciation for acceptable use policies that are clearly written and supported by comprehensive employee education. 33. Communicate the fact that social media applies at all times, regardless of whether employees are using company resources to network and blog at the office or are at home using their own devices, accounts, and sites. 34. Remind employees that the easiest way to control social media risks is to control online content. Spell out content rules, language guidelines, and netiquette policy. Review personal-‐use dos and don’ts. Discuss lawful content versus illegal content. 35. Educate users about Mercyworks confidentiality rules, computer security policy, and other applicable guidelines. 36. Conclude training with a certification quiz, or series of quizzes, designed to demonstrate users’ understanding of the rules, as well as Mercyworks commitment to operating a compliant and business-‐appropriate electronic environment. 37. Support social media policy and training with technology tools designed to monitor use, filter content, block intruders, secure data, archive records, and otherwise manage legal, regulatory, and organizational compliance. 38. Require all employees to sign and date a copy of the organization’s social media policy, attesting to the fact that they understand and agree to adhere to the rules or accept the consequences, up to and including their termination.

Reputation Management 39. You cannot control what outside parties say about Mercyworks, but you can use written policy to help manage employees’ content, comments, and conversations about Mercyworks people and products, services and sales, financials and future, donor and confidential data. 40. Inform employees about the reputation risks facing Mercyworks in the age of social media. Notify employees that, if Mercyworks sustains significant brand damage online, the resulting loss of reputation and customers, sales and revenues could lead to a reduction in working hours or a loss of jobs. 41. Recruit employees to act as Mercyworks first line of defense, watching for online attacks against Mercyworks and promptly reporting them to management. 42. Ban anonymous blogging and commenting, tweeting and posting. 43. Create news and respond to news via social media. 44. Establish and grow relationships with influential bloggers, tweeters, and social networkers. 45. Encourage and engage brand bloggers and customer evangelists.

JRN 370



Policies It is recommended that Mercyworks develop and strategize several different policies and implement them all if adopted by the Board of Directors upon recommendation from the Executive Director. The schedule that follows is my recommendation for policies and procedures. Prior to Hire:

§ Confidentiality/Non-‐Disclosure Agreement § Morality Agreement (Code of Conduct) § Consent to run criminal background check § Social Media Policy § Acceptable Use Policy § Violation of Social Media Policy Guidelines

Periodically as the policies are updated: § Blog Policy § Email Policy § Personal Use Policy § Mobile Device Policy § Social Media Policy § Reputation Management Form

*Highlighted policies or procedures denote those that are currently in progress or recently developed. The remaining policies are currently in the process of being discussed with the Executive Director and the consulting team before heading to the Board of Directors for a Vote.

JRN 370



71 Garfield #160 Detroit, MI 48201

www.mercyworks.net

Confidentiality / Non-Competition Dated: “Contractor” refers to: “Organization” refers to: Mercyworks International “Agreement” refers to this document. Confidentiality. Contractor will not disclose or use, either during or after the term of this Agreement, any proprietary or confidential information of Organization without Organization’s prior written permission except to the extent necessary to perform services on Organization’s behalf. Proprietary or Confidential information includes the written, printed, graphic, or electronically recorded materials furnished by Organization for Contractor to use; business plans, customer lists, databases, operating procedures, trade secrets, design formulas, know-‐how and processes, computer programs and inventories, discoveries and improvements of any kind; and information belonging to customers and suppliers of Organization about whom Contractor gained knowledge as a result of Contractor’s services to Organization. Contractor shall not be restricted in using any material that is publicly available, already in Contractor’s possession, or known to Contractor without restriction, or that is rightfully obtained by Contractor from sources other than Organization. On termination of Contractor’s services to Organization, or at organization’s request, Contractor shall deliver to Organization all materials in Contractor’s possession relating to Organization’s business. Non-‐Competition. During the period of the Contractor’s relationship with the Organization, the Contractor shall not directly or indirectly contract in any capacity by, engage in business with, serve as an agent or consultant for any agency similar in nature to the Organization. Contractor Signature Printed Name Date

JRN 370



Ethical Code of Conduct Mercyworks is a faith-‐based organization and seeks to serve the community by meeting not only physical and social needs but most importantly the spiritual needs of the residents. This organization can effectively serve the community only when its employees, volunteers, and interns maintain personal lifestyles and standards of morality consistent with the values of Mercyworks. The purpose of this policy is to put into writing the previously unwritten expectations and conditions of employment relating to ethical conduct by employees. Mercyworks holds life to be sacred and the family model as fundamental. Employees are required to avoid conduct that is unethical or immoral or behavior that is contrary to the Biblical principles and values of the organization, including, without limiting the generality of the following:

1. Substance abuse including the abuse of tobacco, alcohol, and drugs 2. Reading or viewing of pornographic materials 3. Theft or fraud 4. Physical aggression 5. Sexual assault or harassment 6. Lying, deceit, or dishonesty and 7. Premarital sexual relationships 8. Extra-‐marital sexual relationships or 9. Criminal activity

If an employee violates, breaches (or is accused of violation) of any of these requirements, Mercyworks will investigate and as necessary, take appropriate disciplinary action, including, where called for, suspension or termination of employment. Acknowledgement by Employee: I have read and understand the above policy statement. I understand that compliance with the policy statement is a term and condition of my employment with Mercyworks. ________________________________________________________ __________________ Signature of Employee, Volunteer, or Intern Date

JRN 370



Authorization to Run Criminal Background Check

Please read and sign this form in the space provided below. Your written authorization is necessary for completion of the application process.

I, ____________, authorize/ do not authorize (circle one) Mercyworks to investigate my background and qualifications that pertain to my potential employment for purposes of evaluating whether I am adequately qualified for the position for which I am applying. I understand that Mercyworks will utilize third party firm to assist them in checking my personal information, and I specifically authorize such an investigation by information services and outside entities chosen by Mercyworks. I also understand that I may withhold my permission and that in such a case, no investigation will be done, and my application for employment will no longer be considered for the position to which I originally applied.

__________________________________ __________________

Signature of Employee Date

__________________________________

Employee's Name -‐ Printed

JRN 370



Social Media Policy Overview PURPOSE: To address the ever-‐changing world of the Internet and the way that staff, volunteers, community members, and outside entities obtain information online, our organization’s participation in social media formats to reach a broader audience are inevitable. Mercyworks encourages the use of Social Media to further the goals of the organization and its mission including all departments and collaborations where appropriate. The Board of Directors and Leadership team of Mercyworks have an interest and a say in deciding who will represent and what will be represented on behalf of these two entities in regards to all social media sites. The leadership team along with the Board of Directors will collectively approve which channels of social media are best suited for Mercyworks and the organizational goals and objectives. The leadership will be responsible for all training and education for best practices, new platforms, and expectations in regard to social media in order to achieve success. POLICY: A. All Mercyworks presence on any social media sites are considered by the Leadership and the Board of Directors to be an extension of the entity and are governed by both the code of conduct for Mercyworks and any other policies set forth in regards to ethics and professional behavior standards. B. The Board of Directors will review any requests to use additional social media sites and will, if necessary, delegate this decision to the Social Media Director. C. Any departments that are required to use social media will adhere and comply with the best of their abilities to applicable federal, state, and county laws, regulations and policies. This includes adherence to established laws and policies regarding copyright, records retention, Freedom of Information Act (FOIA), the First Amendment, and privacy laws set forth by the State of Michigan and the County of Wayne. D. Employees and Volunteers (including those working on an Internship basis) who represent Mercyworks via various Social Media outlets agree to conduct themselves at all times as representatives of the entity, including representation of its goals and values outlined in the Mission/Vision Statement and the Code of Conduct. Employees and Volunteers (including interns)

JRN 370



who fail to conduct themselves in a proper manner will be subject to disciplinary action, up to and including termination. E. The leadership and direct supervisors of those engaging in Social Media will be monitoring all of the content of social media outlets as approved by the Board of Directors. Routine maintenance and monitoring will be used to check that the messaging and branding is consistent with the goals of the organization. I hereby sign that I have read and understand the Social Media Policy outlined above and have no reservations about the implications on my employment should I choose to act in a manner contrary to the outlined guidelines.

________________________________________________________________ _________________________

Signature of Employee Date

JRN 370



Internet Usage Policy

Internet Usage Internet use, on paid company time, is authorized to conduct Mercyworks business only. Internet use holds the potential of breaching security of confidential information pertinent to Mercyworks. Internet use also creates the possibility of contamination to our system via viruses or spyware. Spyware allows unauthorized people, outside Mercyworks, potential access to Mercyworks passwords and other confidential information. Removing such programs from our internal network requires IT staff to invest time and attention that is better devoted to previously designated tasks. For this reason, and to assure the use of work time appropriately for work, we ask staff members to limit Internet use. For interns and social media staff, this policy will be explained in more detail in your manual. Additionally, under no circumstances may Mercyworks computers or other electronic equipment be used to obtain, view, or reach any pornographic, or otherwise immoral, unethical, or non-business-related Internet sites. Doing so can lead to disciplinary action up to and including termination of your employment. I am signing this form to indicate that I have read the above policy and will adhere to this policy. If at any time I need further clarification or would like to address this policy or any part therein, I will immediately speak to my supervisor and voice my concerns. I understand that violating this policy will lead to disciplinary action potentially resulting in my termination. _____________________________________________ _____________________ Signature of Employee Date Signed

JRN 370



Email Usage Policy Email is the main source of communication within Mercyworks as well as with our potential donors, partners, and community members. Mercyworks confidential information must not be shared outside of the Company, without authorization, at any time. You are also not to conduct personal business using the computer supplied by Mercyworks, unless prior authorization or extenuating circumstances ensue. Please keep this in mind, also, as you consider forwarding non-business emails to associates, family or friends. Non-Mercyworks related emails waste company time, money and attention. Viewing pornography, or sending pornographic jokes or stories via email, is considered sexual harassment and will result in immediate termination as a violation of our Ethical Code of Conduct. Any emails that discriminate against colleagues, partners, community members, or those who enroll in our programs by virtue of any protected classification including race, gender, nationality, religion, and sexual orientation will be dealt with according to the Ethical Code of Conduct and a harassment policy. These emails are prohibited at Mercyworks under any circumstances. Sending or forwarding such emails will result in disciplinary action that may lead to termination of your employment. Operate with the understanding that Mercyworks owns any communication sent via email or that is stored on company purchased equipment. Management and other authorized staff have the right to access any material in your email or on your computer at any time without prior notice. Please do not consider your electronic communication, storage or access to be private if it is created or stored at work. I am signing this form to indicate that I have read the above policy and will adhere to this policy. If at any time I need further clarification or would like to address this policy or any part therein, I will immediately speak to my supervisor and voice my concerns. I understand that violating this policy will lead to disciplinary action potentially resulting in my termination. _____________________________________________ _____________________ Signature of Employee Date Signed

JRN 370



Definition & Schedule of Retention for Business Records Mercyworks has defined “business record” as a record providing evidence of business-‐related activities, events and transactions. Mercyworks is obligated to retain business records including social networking content, blog posts, emails, IM, and other electronic information for our ongoing business, legal, regulatory, compliance, operational, and historic value. Mercyworks will keep the following documents stored in an area that is safe and easily accessible for a minimum of three years:

• Bank Reconciliations and Statements • Canceled Checks • Correspondence with customers and vendors • Duplicate bank deposit slips • Employment applications • Monthly accounts receivable and accounts payable aging reports • Purchase orders and receiving reports • Sales Records and Journals

Mercyworks will keep the following documents stored in an area that is safe and easily accessible for a minimum of seven years:

• Accounts receivable and accounts payable ledgers • Accounts receivable and accounts payable year end aging reports • Bank statements • Expired Contracts & Leases • Interim financial statements (monthly or quarterly) • Inventory summaries • Loan payments and schedules • Payroll Records & Tax Returns • Time Sheets • Personnel records after termination • Vendor invoices • Vouchers for Payment to Employees for Reimbursements, Allowances, etc. • Any forms or receipts from IRS form 1023i indicating tax exempt 501(c) 3 status.

JRN 370



Mercyworks will keep the following documents stored in an area that is safe and easily accessible indefinitely or until dissolution of the organization:

• Annual financial statements • Contracts & Leases Still in Effect • Articles of Incorporation and By-‐Laws • Company Policy & Practice Manuals • Board meeting minutes • Insurance Policies (including expired policies) • Charts of Account • General ledger • IRS audit reports (including 1023i and 990EZ) • Real estate records-‐ according to the IRS Mercyworks will keep these records for the

duration of ownership plus an additional three years. • Completed tax returns • Backup copies of any document we feel may be of value in a legal matter.

By signing this form I indicate that I understand the retention policy and what Mercyworks defines a Business Record as. I will adhere to this policy by retaining any of the above documents that I create, work on, or maintain. I understand that failure to comply with this policy will result in disciplinary action up to and including termination of my employment. _____________________________________________ _____________________ Signature of Employee Date Signed

JRN 370



References Social Media Handbook, Nancy Flynn ©2012-‐ Used for Social Media Audit Questionnaire and for portions of Social Media Best Practices http://humanresources.about.com-‐ Accessed for guidelines of a corporate Email policy. http://www.jmorganmarketing.com/evaluating-‐risks-‐social-‐business-‐framework/-‐ Used for rubric for evaluating social media risks for Mercyworks. http://www.practicalecommerce.com/articles/3609-‐Social-‐Media-‐5-‐Legal-‐Risks-‐to-‐Your-‐Company-‐ Social Media risks analysis did not use same guidelines but did use the format. http://www.twc.state.tx.us/news/efte/authorization_for_background_check.html-‐ Form similar to Michigan’s with some changes for intent to authorize criminal check. Amazon.com-‐ Used to locate and review training materials for Social Media Marketing http://nonprofit.socialmediastrategiessummit.com/tuition.html-‐ Information regarding the Social Media Summit training dates for 2012. Woodside Bible Church-‐ Pre-‐employment screening materials used for my previous employment used the formatting from their Biblical Code of Conduct. Kimberly Buffington, Executive Director of Mercyworks-‐ discussed goals/objectives of strategy.

social’media policies(&(standards( proposal -...

Documents