Fraud Management & Cybercrime , Social Media

How to Write a Social Media Policy

5 Tips for Creating a Successful Strategy
How to Write a Social Media Policy
A California hospital recently fired five employees and disciplined another because they used social media to post personal discussions about hospital patients. This is but one example of what happens when employees violate social media policy - or worse, when there's no policy at all.

Having a social media policy comes down to a risk management issue, says Jill Frisby-Czerwinski, a social media strategist for Crowe Horwath, a professional services firm. "If your organization provides very clear social network guidelines on your employee engagement, you immediately mitigate many of the potential pitfalls of social media."

It is critical for employees to clearly understand the implications of social networking, its extensive reach, its permanency and the possibility of things going viral.

"If you at all have any inclination of allowing Internet access in your company networks, you need a social media policy," says Hemu Nigam, former CSO at MySpace and News Corp. Employees will use FaceBook, Twitter, MySpace and all other sites during work hours, either posting something or connecting on somebody's wall, he says. So the question becomes: "Are you allowed to do that?"

Organizations such as Navy Federal Credit Union and EMC have implemented a social media policy for all employees, addressing appropriate conduct on social networks. However, success of social media policy is not the easiest thing to quantify, says Aisha Rasul, project manager, delivery channels at Navy Federal Credit Union. The key is to measure success by relationship building and the positive influence the institution has on their members and community, Rasul says. "Our success lies when our members are talking positively about us and are satisfied with the services we provide through these channels."

5 Steps to a Successful Policy:

  1. Cross-Functional Teams: Engage a multidisciplinary team from key areas such as human resources, public relations, marketing, business, information technology and security. These members need to participate and discuss the objective of the policy and what they are trying to achieve by using and promoting social media. Is it brand awareness, education, to increase product sales or customer base? The answer is going to determine the strategy an organization needs to use, says Sherrie Madia, director of communications, External Affairs at the Wharton School of the University of Pennsylvania, and managing partner of EyeCatcher Digital, a strategy consulting firm.

    "Organizations need to ensure that they are not just coming out with a one-time campaign, but that they have really thought through 'What's the plan for engagement? What's the plan for creating touch-points?'" Madia says.

    In the case of Navy Federal Credit Union, its leaders saw conversations happening about the institutions in these channels and decided to participate and leverage the networks for building their online reputation and brand. They had department heads from varied functional areas help establish goals and how they wanted to be part of this initiative.

  2. Involve Employees: Len Devanna, director of social engagement and media strategy at EMC, believes in engaging and empowering people from the ground up. "If your organization is not using social media to engage employees, it is risking obsolescence."

    He has spent the last three years at EMC working on an open company policy based on employee's feedback and insights, and then founding the policy on values of integrity and trust. EMC initially started an internal social media network for its employees to get them acquainted and comfortable with the idea of digital collaboration.

    "We believe in crowd sourcing and getting views and opinions from our existing employees on how to shape our policies," says Devanna. Using the internal platform, he has addressed employees with questions on what should be their scope and usage of social media and how the policy should be designed for them. He has received insightful responses, which have helped him create his social media policy. His advice to organizations: Value employees' point of view in these issues, as ultimately they are the true owners of this process.

  3. Document a Strategy: The policy team needs to write a strategy based on its objectives and use of social media. According to Frisby-Czerwinski, companies need to address key questions such as: How will they engage in social media-now vs. the future? How will they align this with their over all business strategy? Which networks will they leverage to promote and represent their company? What is the impact if they ban social media sites?

    "The organization has to take a stance on these issues," Frisby-Czerwinski says. "They need to be crystal clear on ground rules and set expectations so that everyone is on the same page."

    In the case of Navy Federal, for example, leaders wanted a simple social media presence with the main objective of reputation building, and thus decided to adopt a restrictive policy. Only a handful of employees are given authorized access to represent the organization on social media networks. For the majority, social media is banned at work, and they have specific rules for engaging in social networks even on a personal basis. One of the 13 key guidelines, says Rasul, is "Act with the highest degree of integrity at all times, posting honest, candid and appropriate information," focused on employees who are authorized to use social media at the institution.

    Further, the institution selected Twitter as their first choice of channel because of their member's presence, its viral nature and ability to micro blog. "We wanted to be where conversations were being discussed about us," says Rasul, "and show our members and non-members the human side of our organization and who we represented."

  4. Build Upon Existing Corporate Policies:
  5. Organizations usually have policies such as employee non -disclosure, user acceptance and employment contracts spelling out the code of ethics, in addition to privacy and risk assessment policies. As a best practice, the company needs to perform a gap analysis to see what already exists and what new policies need to be created around social media.

    A general trend is that most organizations have human resources owning the policy, says Madia. "The smartest thing for organizations to do is to have different off-shoots of existing policies specific for different departments."

    At Navy Federal, social media policies are part of three different documents. As part of the employment contract, the code of ethics spells out what is acceptable behavior in discussing corporate and client information and how employees need to represent themselves in protecting the reputation of the company. Second, there is a blanket social media policy for all authorized employees consisting of 13 key points, discussing how employees need to engage in social networks. Finally, there is a "rules of engagement" policy directed at all authorized employees to understand the workflow and response mechanism on these networks. For instance, authorized employees have rules to follow based on whether a comment or post is positive or negative about the organization regarding its loan or interest rates. If, say, the comment is negative, the employees need to find out the reason, which perhaps could be miscommunication. And if so, appropriately respond by providing the right information.

    Apart from organization-wide rules, each department may have its own guidelines. For example, human resources has social media guidelines that cover candidate screening procedures and social media and management review of employee's participation on these sites. Information security department have their own policy on how they monitor employee activities and escalate threats such as phishing, malware and breach to their response team.

  6. Training & Education: At EMC, Devanna strongly believes in on-the-job training for employees to make them understand the different ways to collaborate and communicate in the digital world. The internal social network called EMC1 was started with an intention to help EMC employees get comfortable with using social web and get over any anxiety of being out there, says Devanna. The network today has close to 20,000 active members and 10,000 passive watchers, and the forum encourages individual and group participation on social media learning by the EMC community internationally through training handbooks, emails, posts on social media.

    They have topics discussing the landscape of sites such Twitter, Facebook, MySpace and YouTube. Additionally, frequent posts are made relating to examples of how other businesses have used these outlets and how employees should and, maybe more importantly, should not use them.

    "But really nothing comes close to the actual experience of being out there, and this is what we encourage at EMC," Devanna says. Today, there are close to 26 bloggers representing EMC, and "many of those established their voices and learned on EMC1 before they ventured outside."

The effectiveness of a social media policy is based on the key theme of "integrity, trust, responsibility and respect for others," Devanna says. "Organizations going forward will need to see employees as their trusted advisors in social media engagement in order to exist and be relevant."

See Also: The 6 Essentials of Social Media Policy, which addresses the must-have elements that organizations need within their policies.


About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.