ARMA TR 21-2012 : Using social media in organizations
This document is an extension of ARMA's GARP.
It gives us a good definition of governance. It is about: "providing leadership, setting goals and strategies, obtaining and allocating resources, protecting resources and/or assets, monitoring results and trends."
This contrasts to "management": "implementing programs, achieving goals, using allocated resources, directing operations, reporting results."
So social media governance involves chartering a group or board to:
- develop a strategy for using social media to achieve the org's goals
- identify required resources for integration
- identifying social media tools and service terms that are appropriate
- identifying training needs
- developoing policies, including official vs. personal use, monitoring, and enforcement and correction
- identifying mechanisms for capturing records
There are some laws that are applicable to social media. NARA guidance, for example, is consistent to other types of information. Provisions of the National Labor Relations Act (NLRA) may be breached by common social media policies. Other provisions inlude FOIA, Privacy Act, HIPAA, COPPA, DMCA, SOX, US Safe Web Act, GINA, HITECH, FINRA, etc.
Basically, don't breach personal information or use social to bypass existing controls.
Case law is interesting: don't remove (or tell your clients to remove) incriminating information such as photos. That said, a simple printout doesn't necessarily establish authorship.
We cover some stuff about typical social constraints (service levels, technology, etc.) and then we get into risk management. Legal discovery risks include problems with admissibility, preservation (access, hold, etc.), and privacy.
We are to minimize risk by reviewing and expanding policy, developing a compliance strategy, deploy a monitoring process, assigning responsibility, developing a crisis decision tree workflow, updating the retention schedule, taking an inventory, and monitoring.
We also have to assess "behavioral norms" via: training on use and risks, providing updated tools, migrating content, putting records controls in place, and monitoring privacy laws.
The standard then provides some guidance on how to develop the appropriate policies. Elements of the policy should include: purpose/objectives; scope statement; mandate statement; definitions; roles and responsibilities; references; version control; review statement; behavioral expectations; expectation of privacy; confidentiality guidance; social media site; permissible information; records management; account management; legal statement; intellectual property; ownership; enforcement; signature.
Section nine introduces challenges with records management. Common activities may include:
- mechanisms for capturing records
- creating a repository
- protecting secure records
- ensuring non-reputability
- access controls
- record destruction
- applying holds
- maintaining access logs
It also provides guidance on necessary metadata, which is kind of nice. Specifically:
- Author or creator
- Individual performing the posting
- Identification of external/internal publisher
- Access restrictions
- Date of creation
- Time of creation
- Date and time of modification
- Individual performing the modification
Hmmm... but how would you apply retention on that metadata? Particularly a functional classification scheme? It gives us more guidance, specifically Dublin Core, and ISO 23081. And I didn't know that ISO 23081 had a part 3. Oh well, another one for the list!
We then have to develop a data map, which is consistent with other ARMA stuff.
Section 10 is on change management. Apparently there is an Association for Change Management Professionals (ACMP). It has conferences, standards, and certification. So it gives us some common failure vectors:
- failure to identify appropriate software solutions
- lack of training and education
- failure to create policies
- lack of resources
- lack of exec management support
- failure to develop a strategy
- excessive reliance on interns and/or volunteers
Section 11 moves on to training. Topics should include:
- definition of social media
- organizational goals and objectives
- benefits and risks
- explanation of policies and expectations, including consequences
- tips on behavioral practices
- contact for those responsible in the org
The we're into auditing. It has some good advice but I have yet to talk to an organization with sufficient risk management capabilities to actually justify (and fund) an audit program.
The Appendix is a policy development workflow that is awesome!