Online Social Media Policy: Best Practices and Template

What is a social media policy?

The growing importance of online social media networks as a communication tool is widely recognized. A good social media policy needs to be developed and should address employees’ use of such networks, including personal websites, web logs (blogs), wikis, social networks, online forums, virtual worlds, and any other kind of social media. The right of employees and other personnel to use these mediums during their personal time should be allowed and respected. However, use of these mediums for personal social media networking during the organization’s working time or on the organization’s equipment should be prohibited.

What should a social media policy include?

If an employee chooses to identify himself or herself as an employee of the company on any online social media network, he or she should adhere to the following:

  • Employees should be required to state in clear terms that the views expressed on any social media network are the employee’s alone and that they do not necessarily reflect the views of the organization.
  • Employees should be prohibited from disclosing information on any social media network that is Confidential or Business Sensitive to the organization or to a third party that has disclosed information to the organization. For example, information about or identifying customers, co-workers, incidents that occur at the organization, or information that may be valuable to a competitor, including specific product information or pricing, should be within this prohibition.
  • Employees should be prohibited from displaying the company logo on any social media network without express prior written permission. Also, employees should not post images of co-workers without the co-worker’s express prior consent. Finally, employees should be prohibited from posting any nonpublic images of the organization’s premises and property.
  • Employees should be prohibited from making statements about the organization, their co-workers, customers, competitors, agents, or partners that could be considered harassing, threatening, libelous, or defamatory in any way.
  • Employees should be prohibited from acting as a spokesperson for the organization or posting comments as a representative of the organization unless doing so with prior authorization from an appropriate resource in management.
  • Employees should be prohibited from sharing any communication that engages in personal or sexual harassment, unfounded accusations, or remarks that would contribute to a hostile work environment (racial, sexual, religious, etc.), as well as any behavior not in agreement with the company’s policies.
  • Employees who participate in social media may still decide to include information about their work as part of their personal profile, as it would relate to a typical social conversation. This may include work information in a personal profile (organization name, job title, and job duties), status updates regarding a workforce member’s own job promotion, and personal participation in sponsored events, including volunteer activities.
  • Anything posted on a workforce member’s website or web log or other internet content for which the employee is responsible should be subject to all policies, rules, regulations, and guidelines.

Why is social networking a social engineering threat?

Social engineering is an attack vector that relies on human interaction or on tricking an individual into doing something they normally wouldn’t do, in violation of a security practice. There is a lot of information available on the Internet that a malicious individual can use to target a company. This information may seem general at first but, in conjunction with other information, could potentially cause harm to a company. Employees should NEVER click on a link or go to a website that an unknown (or untrusted) sender or caller asks them to visit.

Social media security awareness training

Security awareness training related to social media or social networking use should be provided consistently and completed on at least an annual basis. Updates to these policies/procedures should be provided to employees as needed.

Final thoughts

In general, employees who participate in social media should be free to publish personal information without censorship. However, employees should avoid posting information that could harm the company, using common sense and the guidance and best practices in this social media policy.

Suggested Reading
Acceptable Use Policy: Best Practices and Template
Mobile Device or BYOD Security Best Practices
