Social Networking Security Standard

February 10, 2012

Purpose

This standard establishes the minimum security requirements for use of social networking by state employees, contractors, volunteers, and interns.

Overview

Social networking sites offer agencies the ability to communicate directly with customers. Use of social networking also presents risks to agencies, including loss of control over posted content and compromise of agency accounts.


Scope
This standard sets the minimum requirements for use of social networking. This standard applies to all agencies as defined by Iowa Code Chapter 8A, Section 101. Non-participating agencies are encouraged to follow the guidelines in this and other enterprise level policies, standards, guidelines, processes and procedures.

Definitions
Social Networking: Social networking is the use of web-based tools to interact with other people through text, images, or sound. Some common social networking tools are Digg, Facebook, Flickr, LinkedIn, MySpace, and Twitter. The terms social networking and social media are interchangeable in this standard.

Elements Of The Standard
The following elements apply to all agency employees, contractors, volunteers, and interns conducting state business via social networking.

  1. Policy: Agencies shall establish a policy covering the acceptable use of social networking sites. The policy shall include:
    a. Creation and maintenance of agency sponsored sites,
    b. Agency postings to non-agency sponsored sites.

     
  2. Agency Sponsored Sites: Agency sponsored social networking sites shall:
    a. Require management approval,
    b. Include a statement defining the purpose and scope of the site,
    c. Not include confidential agency information,
    d. Not violate copyright law,
    e. Include a statement that any content posted is subject to public disclosure including Open Records requests.

     
  3. Non-agency Sponsored Sites: Official agency postings to non-agency sponsored social networking sites shall:
    a. Require management approval and acceptance of the terms of service for the site,
    b. Clearly identify the agency and employee name,
    c. Not include confidential agency information,
    d. Not violate copyright law.

     
  4. Passwords: Agencies shall use strong passwords for social networking accounts. Passwords shall be different from agency network passwords and shall:
    a. Be at least eight characters,
    b. Contain a mixture of numbers, upper and lower case letters,
    c. Include at least one special character,
    d. Be changed at least every sixty days.

     
  5. Awareness Training: Employees working with social media sites shall receive security awareness training regarding social networking sites.

Updates
This document will be reviewed at least every two years and updated as needed.

Effective Date
This standard shall be effective February 14, 2012.

Enforcement
This standard shall be enforced pursuant to Iowa Administrative Code 11—25.11(8A).

Variance
Iowa Administrative Code 11 - 25.11(2) provides for variances from security standards. Requests for a variance from any of the requirements of this policy will be submitted in writing to the Chief Information Security Officer prior to implementation.

Printed from the Office of the Chief Information Officer website on November 19, 2017 at 1:41pm.