The IRS Office of Safeguards prohibits sharing and transferring federal tax information (FTI) using any social media application and/or collaboration tools due to security risks. This document:
- Provides guidance to agencies that allow the use of social media applications,
- Addresses developing or enhancing social media policies to ensure FTI is properly protected and not shared via social media and
- Addresses the security safeguards that agencies should have in place (e.g. restricting to internal users, HTTPS, restricting the sending of URLs, sending file attachments, etc.) to ensure FTI is properly protected and not transferred via instant messaging collaboration tools.
Social media sites such as Facebook, LinkedIn and Twitter have increasingly become popular networking and communication tools. In addition to Web 2.0 applications like instant messaging (IM), web conferencing, Voice over Internet Protocol (VoIP), and blogs, many social networking sites are available to anyone with a browser.
Additionally, many organizations are employing tools like Microsoft Office Communicator (Lync or Skype), AIM and Google Talk for internal communications, and external communication mechanisms such as chat applications that allow a customer service representative to engage in a live chat session over the Internet with the public.
Considering the rapid growth and popularity of these sites and tools, organizations question whether they have the security tools and policies needed to deal with the accelerating number of users, since these applications have become a hot target for hackers.
The collaboration between social and business networks means that more opportunities exist for business assets and intellectual property to leave the safety of the corporate environment, and many more opportunities for unauthorized and unethical entities to gain access. Left unsecured and unmanaged, widespread use of social networking can:
- Create holes for information leakage, resulting in the loss of confidential information,
- Expose organizations to legal liabilities and financial penalties from compliance breaches and
- Compromise network security from malware spread through real-time channels.
Recommended Requirements for FTI in a Social Media Environment
If the agency allows use of social networking sites, then to protect FTI, it is recommended that the agency meet the following security requirements.
1) Security Policies
If the agency allows employees to use of social networking sites, then the agency should implement strict security policies to ensure FTI is prohibited from being shared via any social media application. Limiting what employees share online could decrease the likelihood of social engineering, preserve the agency’s and employees’ reputation and preserve taxpayer information. The agency should implement formal training classes to teach employees the risks of social networks.
2) Content Control
The agency should consider investing in a tool that provides a comprehensive security solution to combine feature and content controls of social networks, as well as monitoring, management and security of Web 2.0 applications, such as instant messaging and Unified Communications, with URL filtering, anti-malware and Web anti- virus protection.
Such tools can control not only Web sites and applications, but also the content posted to blogs, wikis, webmail and social networking sites such as Facebook, LinkedIn and Twitter. Elements of the web content or media can be blocked that fall outside of the security policy, allowing the agency to control and restrict the use of FTI on these sites.
3) Customizable Reporting Capabilities
The agency should consider securing special hardware to set up custom policies across multiple communications modalities - from IM, peer to peer networks, social networking applications and web traffic to protect FTI.
The special hardware can integrate with Lightweight Directory Access Protocol (LDAP) and Active Directory servers to provide simplified group policy setting. Granular controls could include quota setting by employee, time and bandwidth - across all real-time communications modalities - including instant messaging and social networking sites.
These reporting capabilities could provide detailed analysis on employee web browsing and application usage by time spent, data downloaded and instant messaging content transferred. This will allow the agency to determine if FTI data is being transmitted through the use of social networking sites.
4) Public Comments
The agency should disable public comments, unless the comments are moderated. If posted, moderating the comments allows for FTI to be deleted from social networking sites. However, since each of the comments must be opened and analyzed by someone on the agency’s network computer, it poses a risk to the agency’s network.
Although, moderated comments pose a risk to the agency’s network, there is no way to moderate the comments without the moderator’s system being in jeopardy. Therefore, to avoid risk exposure to the agency’s network, the agency should purchase a special computer installed and connected to the internet off the agency’s network to manage and maintain the site.
5) Content Control
To protect FTI, controls should be implemented for not only Web sites and applications, but also the content posted to blogs, wikis, webmail and social networking sites such as Facebook, LinkedIn and Twitter.
Content posted to these social networking sites should be moderated, monitored and logged, reducing outbound data leakage and enabling compliance with industry regulations and legal discovery requirements, and corporate policy standards.
6) Social Networking Profiles
If the agency allows use of social networking sites, it is recommended for the protection of FTI to use separate hardware connected to the Internet to manage and maintain the profiles of friends approved for the sites.
Once friends are approved on a social networking profile, the agency should make sure that the friend’s profile hasn’t changed to include inappropriate content, an inappropriate profile image or malicious code. Reviewing proposed friends may make the administrator’s system vulnerable to attack; therefore, disclaimers about friends and content on their profiles should be posted.
Some sites, such as MySpace allow you to control which friends get listed on your main profile page, whereas others, such as Facebook randomly place any of your friends on the main page. Therefore, security policies on accepting friends and approving friends for social networking sites should be documented and socialized with employees.
7) Rules of Behavior
Rules of Behavior should be updated to include employee and contractor restrictions, as well as acceptable and non-acceptable behavior on the use of social networking sites. Additionally, security awareness training is also critical to combating the increasing security risks that organizations face as attacks become more frequent and effective from employee use of these sites.
8) Security Awareness Training
Many non-technical employees are sharing too much information about their job or the organization they work for on social networking sites, because they have not been properly trained in the area of security awareness.
Security awareness training documents should be updated and disseminated to employees and contractors to facilitate implementation of awareness and training security controls for social networking sites. This should be done prior to authorizing access to social networking sites and FTI.
Security awareness training has proven most beneficial, particularly where training is coupled with rewards for adhering to policy. Handing out rewards to those who pass an on-line test demonstrating their awareness and possibly compliance with policy is a positive reinforcement that further encourages support of the policy. Rewards may include inexpensive items such as tee-shirts with an appropriate message or sporting and entertainment vouchers.
Detection of non-compliance with security policies associated with using social networking sites can be accomplished using many automated tools by an audit team, including H/R staff, or simply visiting the employee accounts on social networking sites. The agency should establish penalties and employees and contractors should be made aware of penalties for not complying with security policies associated with using social networking sites.
9) System Definition and Boundaries
System boundaries should be established for social networking sites. Because social networking sites are not secure, any information published on these sites should not be considered official. Disclaimers should be made on the profiles of each of these sites to direct users where official Safeguard FTI information can be found.
It is not recommended to use these social networks to gather personal information or to be used for private or secure communications.