Social Media’s Effects on the Accountability Professions

forNational Association of State Auditors, Comptrollers and Treasurers

Chase Whitaker, CPA, CIAApril 13, 2011

Session Objectives

• Introduce / review social media tools• Discuss social media applications for business and

accountability functions• Discuss the state of social media policies and their

implications for organizations• Provide resources to advance the conversation about

social media

Types

• Blogs• Microblogging (aka Twitter) • Social networking

• LinkedIn• Facebook• Videos (YouTube, Vimeo)

• Other user-generated content• Wikipedia• Answers• Photos (Photobucket, Flickr, Fotki)

Stats/Visits

• 150 million blogs: http://blogpulse.com/• 84% of social network sites have more women than men• 140 million tweets on Twitter per day • 500 – 600 million users on Facebook.• 50% of Facebook users log-in every day• 2 billion videos YouTube serves in one day• 12.2 billion videos viewed per month on YouTube in the US

(11/2009)• 82% of embedded videos on blogs are YouTube videos

Auditors Dig Numbers, Right?

• 40% of organizations blocked social media sites in 2010• 80% believe social media can enhance customer

relationships and build brand reputation• 60% believe such tools can enhance recruiting• 53% of employees say their social media pages are none of

their employers’ business• 60% of employers believe they have right to know how

employees portray themselves on-line

Source: www.russellherder.com/socialmediaresearch and www.deloitte.com 2009 & 2010 “Ethics & Workplace Survey”

Is the organization linked in?

• Survey: Organizations in the dark about tech-savvy employees

• Effects on recruiting, retention & efficiency?• 50% of devices used by employees co-mingle personal

and business data• About 33% of organizations plan to fund employee

purchases of devices

www.cioinsight.com/c/a/IT-Management/iWorkers-CIOs-Are-In-The-Dark-About-TechSavvy-Employees-676020

normanmarks.wordpress.com

www.govtechblogs.com/securing_govspace

9

LinkedIn

• LinkedIn is used by 80% of companies as primary source of recruiting new job candidates.

• LinkedIn Discussions • Examples:

• SALT State and Local Tax Auditors (30 members)• Washington State Local Government Auditors Association

(9 members)

LinkedIn Groups

Tweeters with accountability themes

• Compliance Week (@complianceweek)• Francine McKenna (@retheauditors)• SAP/Business Objects Norman Marks (@normanmarks)• ACL’s Peter Millar (@PBMillar)• Joe Oringel (@VisualRiskIQ)• Jim Kaplan (@auditnet)• David Hoelzer (@it_audit)• IT Audit Security (@ITauditSecurity)

Really? They’re on Twitter?

Industry Groups• Natl Assn of Insurance Commissioners (@NAIC_news)• Association of Certified Fraud Examiners (@ TheACFE)• Institute of Internal Auditors (@TheIIA)• ISACA and many chapters

Media• Forbes (@forbes)• Wall Street Journal (@wsj)• CFO Magazine (@cfopub)

Authors / Leadership / Creative Thought• Phil Baumann (@philbaumann)• John Maxwell (@johncmaxwell)

Facebook

• Recruiting• Research / knowledge sharing• Building community / loyalty• How NOT to use Facebook

• Personal? Private? • Or is it Public?

Challenges & Risks

• Sensitive/private information leakage• Reputational damages• Litigation (e.g. discrimination, harassment)• Compliance / disclosure (e.g. SEC, HIPAA)• System uptime/consistency• Impact on organization’s IT bandwidth• Employee productivity

http://www.phillyburbs.com/news/local/courier_times_news/article_bb07f422-8bd1-5aba-94e2-70f635e2cf74.html

Information Security Risks

• Viruses, trojans, spyware, malware, and other not-so-good-ware

• Cross-site scripting (XSS for the IT peeps)• URL shorteners – what’s on the other end of that

weird link?

September 21, 2010

HTTP vs. HTTPS – Be careful!

Uptime / Bandwidth – Expectations?

Does YOUR rep have a price tag?

• Twitter exchange:• Original: Cisco just offered me a job! Now I have to

weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.

• Response: @theconnor Who is the hiring manager. I'm sure they would love to know that you will hate the work. We here at Cisco are versed in the web.

• @theconnor soon became labeled by others on the web as “CiscoFatty”

Does your organization’s rep have a price tag?

Huh?

• White House reporter Helen Thomas• BP and the Gulf Oil Spill• CNN Mideast Affairs editor Octavia Nasr• School teachers?• Professional athletes

• NFL’s Chad Ochocinco• NASCAR’s Denny Hamlin• NHL’s Dan Ellis

http://blogs.techrepublic.com.com/career/?p=2191&tag=nl.e101

Regulatory Guidance

Healthcare:• HIPAA – risks of private data leakage• Health Information Technology for Economic and

Clinical Health (HITECH) Act

Financial Services:• Financial Industry Regulatory Authority (FINRA)

26

Regulatory Guidance

• FINRA Regulatory Notice 10-06

• Firms must retain social media communications

• And you thought archiving e-mail was hard??

http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p120779.pdf

Legal Ramifications?

• LinkedIn recommendations• Whose is it? • Individual vs. organization

• Facebook friends• Employees friending competitors• Employees friending former employees

LinkedIn Discussions

• Scenario: • “Help. I’m a staff IT auditor at XYZ in New York, and I’ve

been assigned to do an information security audit of Acme Technology, one of our third-party vendors.”

• Fill in the blank with the nightmare of your choice• Does your organization have a policy on posting

questions or answers to groups?

“Traditionally, IT security professionals are known as the people who say “no” to new projects and innovative ways of doing business. … For instance, I can remember asking attendees at an ISACA conference in 1991 how many had a policy against connecting their business to the Internet because it was too dangerous and nearly every hand went up.

Those companies that waited too long to figure out how to leverage the Internet ended up playing catch-up, while those who figured out how to do it quickly were more likely to prosper.”

Interview with Rob Clyde, CISMISACA JOURNAL VOLUME 2, 2010

Coming Full Circle

Social Media Policy Trends

• OLD – block social media networking tools altogether• 7/2009 - 40% of organizations blocked access to social

media sites

• NEW - written organizational policy defining what employees can do when using social computing and new media tools• 80% of organizations believe social media can enhance

relationships with customers

www.complianceweek.com/blog/aguilar/2010/08/31/poll-companies-still-struggling-to-address-social-media-risks/

HCA IT Executive Organization Chart – April 2011

Senior Adm inistrative Assistant AVPHum an Resources

CFO CSO

Vice PresidentFie ld O perations

Vice President & Chief ArchitectEnterprise Architecture

Vice PresidentProduct Developm ent

Shared Services & Enterprise Systems

Vice PresidentProduct Developm ent

Clinical Systems

Vice PresidentService M anagem ent & Delivery

O utpatient Services, Solution Leader

V irtual Desktop Infrastructure (VDI) Shared Services, Solution Leader

Social M edia, Solution LeaderO pen

CO O DirectorCom m unication & Design Services

Vice PresidentIT Partner Solutions

S en ior V ice P resid entan d C IO

Social Media, Solution Leader

Open

Is Your Accountability Function linked in?

• Does the organization have a strategy for use of social media?

• Review social media policy if it exists• Who is monitoring organization’s name on social

media sites? • Who is coordinating any responses by the

organization?• Is there one/few dedicated social media managers?

Is Accountability Function linked in?

• Can your accountability function help with text mining queries?

• Can your accountability function attract greater number of qualified career applicants?

• Can your accountability function help shape/influence social media policy?

Social Media Policy

• Help with development of policy if it doesn’t exist• Information Technology department• Legal• Human Resources• Ethics/Compliance • Central/Corporate vs. Business-level policies

A good social media policy

• Adhere to the Code of Business Conduct and other applicable policies

• You are responsible for your actions• Be a “scout” for compliments and criticism• Let the subject matter experts respond to negative posts• Be conscious when mixing your business and personal

lives

A simpler policy: Do the right thing. Be nice.

Source: The Coca-Cola Company

Follow, Friend or Connect Me!

Chase Whitaker

twitter.com/43chase

linkedin.com/in/chasewhitaker43

Chase.Whitaker@HCAHealthcare.com

Old fashioned but classic way: (615) 344-5973

Reference materials and links

41

http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf

www.isaca.org/Knowledge-Center/Research/Pages/Featured-Deliverables.aspx#socialmedia

FREE White Paper!

Organizations encouraged to address risks in these areas:

• Viruses/malware• Brand hijacking• Lack of control over content• Unrealistic customer

expectations of “Internet-speed” service

• Non-compliance with record management regulations

Wanna go techie?

• Volume 1, 2011• Article: Chain

Exploitation – Social Networks Malware

Available from IIA bookstore

Social Media Policy Examples

• Collection of policies from various organizations:• www.compliancebuilding.com/about/ publications/social-m

edia-policies/• http://socialmediagovernance.com/policies.php

• Colleges & Universities Vanderbilt University• www.vanderbilt.edu/publicaffairs/webcomm/vu-resources/s

ocial-media-handbook/

• Financial Services: Wells Fargo• http://blog.wellsfargo.com/community-guidelines.html

Social Media Policy Examples

• Mayo Clinic• http://sharing.mayoclinic.org/guidelines/for-mayo-clinic-em

ployees/

• Cleveland Clinic• http://my.clevelandclinic.org/social_media_policy.aspx

• Danbury Hospital• http://www.danburyhospital.org/About-Us/Policies/Legal/Bl

ogging-Policy.aspx

Social Media Policy Examples

• Healthcare: MD Anderson• www2.mdanderson.org/cancerwise/policies-and-guideline

s.html

• Retail: Nordstrom• http://about.nordstrom.com/help/our-policies/social-media-

guidelines.asp

• Retail: Best Buy• www.bby.com/2010/01/20/best-buy-social-media-guideline

s/

Social Media Policy Examples

• Local Government: City of Seattle• www.seattle.gov/pan/SocialMediaPolicy.htm

• Federal Government: CIO.gov• www.cio.gov/Documents/Guidelines_for_Secure_Use_Soc

ial_Media_v01-0.pdf

• Non-Profit: Walker Art Center• http://newmedia.walkerart.org/nmiwiki/pmwiki.php/Main/W

alkerBlogGuidelines