Chapter III – Security Control of Social Media
Article 10 | (Definition of social media)
An online application combining technologies, social interactions and content creation, allowing creation or exchanges of contents generated by its users. On this highly interactive platform, individual users or groups of individual users can share, co-create, discuss and change the content generated by the users.
Article 11 | (Scope of application of directions on social media)
For the purposes of these directions, social media does not include social media or platforms used for internal communications within an organization.
Article 12 | (Social media use policy)
- An organization shall prepare a social media use policy, which should be reviewed at least once a year, to govern its employees’ use of social media, covering:
  - defining what social media and functions may be used, and the rules of use;
  - defining what business related information may be shared on the social media;
  - defining the distinction between social media for personal use and for business use, and important information; and
  - defining what a specific role is authorized to speak on social media, and avoiding unauthorized statements about business affairs.
- An organization shall assess the degree of risk in the social media its employees are allowed to use, based on the types of social media, including unauthorized data disclosure, social engineering and attacks by malware, and take adequate security control and management measures against high risks, such as educational training or promotion of awareness, content filtering and monitoring, and preventive measures including detection of malware.
Article 13 | (Official social media profile operated by organization)
- An organization shall understand the privacy policy of the social media operator before launching its official profile, and regularly examine changes in its privacy policy and evaluate its risks.
- When an organization provides a link on its official website that will take a user to the social media pages outside the organization, there should be a prompt window informing the user that by clicking the link they will be taken to a website not owned by the organization.
- The social media profile operated by the organization shall identify the organization’s name, contact method and license number so that visitors will know it is an official social media profile operated by the organization.
- When operating the social media profile, an organization shall create an account access control system, and establish a screening and monitoring policy on the published contents. Its monitoring should at least cover efforts to prevent disclosure of clients’ privacy and the organization’s secrets, posts published by unauthorized users or fake profile owners, and prevent attacks or disparaging remarks against other enterprises in the same trade.
Article 14 | (Establish irregularity reporting and complaint processing method)
- An organization shall establish social media irregularity reporting procedures. The management body of its official social media profile is advised to monitor the discussions on the social media profile on a random basis, and make necessary reporting or take necessary measures in the event of improper comments or irregularities.
- The social media profile operated by an organization shall identify the contact method for clients to file a complaint and the liaison who handles complaints.