Given the well-publicized incidents of security and privacy issues in the public Enterprise Social Software (ESS) arena, it is instructive to consider how traditional security controls apply to corporate and institutional implementations of ESS. After all, one of the primary aims of ESS is to promote openness, break down barriers, and encourage mindshare. Can these two mentalities truly co-exist? It is an interesting question, and not an easy one to answer once you get down to specific issues. I believe the short answer is "yes": they can co-exist, but with nuances to the traditional privacy paradigm. For instance, what is a best practice for "opting out" in a corporate ESS implementation?
This post proposes how to evaluate an ESS system and how to implement security and privacy governance best practices in a corporate ESS setting. Of course, the "devil is in the details", but I hope to spur discussion around the practicalities of implementing each area.
Implement data security practices based on the overall corporate data classification policy. The ESS system should support the ability to enforce such policies. For instance, the ESS system could implement "hidden" communities to protect sensitive information and exclude that content from search results unless the searcher is authorized to see it.
2. Role-Based and Rule-Based Access Control Model
Enforce role-based security to control access to information on a need-to-know basis. Since ESS systems exist to promote openness in the sharing of data, the deployment model should encourage open access (perhaps as the default), while providing the mechanism to tightly restrict access when required. The system should also provide a way to define custom rules for specific use cases.
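As an added illustration of items 1 and 2 (not code from the original post), the following Python sketch combines a classification-based role check, the open-by-default case, hidden communities that only members can see, and a custom rule for a specific use case, and then applies that check to search results so unauthorized hidden content never surfaces. The classification levels, role names and the "Project Falcon" rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class Community:
    name: str
    classification: str      # level from the corporate data classification policy
    hidden: bool = False     # hidden: never listed or searched unless authorized
    members: frozenset = frozenset()

# Constructed policy: roles allowed to read each classification level.
# None means open to every authenticated user (the open-by-default case).
CLASSIFICATION_ROLES = {
    "public": None,
    "internal": {"employee", "compliance"},
    "confidential": {"compliance"},
}

# Custom rules for specific use cases: (user, community) -> bool, any True grants.
# Constructed example: a deal team may see one specific hidden community.
CUSTOM_RULES: list[Callable[[User, Community], bool]] = [
    lambda u, c: c.name == "Project Falcon" and "deal-team" in u.roles,
]

def can_read(user: User, community: Community) -> bool:
    """Role-based check with need-to-know handling for hidden communities."""
    if any(rule(user, community) for rule in CUSTOM_RULES):
        return True
    if community.hidden:
        return user.name in community.members      # membership only, no role grant
    # Unknown classification levels fail closed (empty role set).
    allowed = CLASSIFICATION_ROLES.get(community.classification, set())
    if allowed is None:
        return True                                # open by default
    return bool(user.roles & allowed)

def search(user: User, communities: Iterable[Community], query: str) -> list[str]:
    """Filter search hits so content the user may not read is never revealed."""
    q = query.lower()
    return sorted(c.name for c in communities if q in c.name.lower() and can_read(user, c))

# Constructed sample data.
COMMUNITIES = [
    Community("Project Falcon", "confidential", hidden=True, members=frozenset({"dana"})),
    Community("Project Updates", "internal"),
    Community("Company Projects Showcase", "public"),
]
```

The same `can_read` check would also guard direct links, so that a hidden community cannot be reached by guessing its URL even though it is absent from search.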
3. Secure Development Practices
Apply best practices in secure application development and testing when deploying custom portlets or gadgets. ESS developers should undergo training in developing secure applications. Test suites should include vulnerability testing to validate that common attack surfaces are covered.
4. Security Compliance
Provide a process whereby security compliance and incident reporting of content can be carried out. Compliance "officers" should be able to edit, hide, and/or refer content back to the originating author. The underlying ESS software should provide a framework whereby high-level compliance regulations can be enforced via role- or rule-based access controls, for instance in industry-specific or country-specific implementations.
5. Security Awareness Training
In your overall security awareness training, include additional training relevant to social networking.
6. Social Networking Conduct Policy
Develop a corporate social networking conduct policy and extend it to your internal ESS system.
7. Secure Operational Procedures and Policies
Implement an access policy defining who has physical or logical access to your ESS system data.
The password policy for your ESS system should follow the same best practices as for other applications.
Limit access to privileged accounts at the OS, database, and application levels.
Maintain a separation of duties for support personnel.
Implement network infrastructure best practices for the ESS system: encryption at the transport layer (e.g., HTTPS), security lockdowns on routers and switches, use of VLANs, network segmentation, etc.
Log security events and send notifications when they occur.
Define and implement data retention and disposal policies (in conformance with regulatory requirements).