Risk and Mitigation checklists

From Emergency 2.0 Wiki



This page is under development and needs expansion. Please feel free to add relevant and timely content, following the Emergency 2.0 Wiki Style Guide.
  • Every top level page should have an info box with the contributors names. Use ~~~ to get your user name to be saved.
  • Every page should have a breadcrumb back to higher level pages all the way back to the main page
Contributor Info
Reference Group: Risk and Mitigation
Additional Contributors: Eileen Culleton

The Risk Management Institution of Australasia (RMIA) leads the Risk and Mitigation Reference Group managing the development of content for this section.

The RMIA has formed a knowledge sharing alliance with the Emergency 2.0 Wiki.

The Risk and Mitigation Reference Group will be managing the development of content for this section and will be the point of contact for questions or help.

If your organisation has Risk and Mitigation guidelines for using social media in emergency communications, please adapt them to develop generic policies and procedures guidelines for use by everyone. Also, (if you have permission from your organisation), please link to them in "Examples".


Introduction

Like business as usual communications, the use of web 2.0 and social media for emergency management communications creates both threats and opportunities.

The purpose of this section is to focus on downside risks and to provide checklists that can be used by organisations from all sectors of the community, to enable them to confidently and effectively use social media tools in emergency communications.

Disclaimer: The guidelines below do not replace legal advice.

The categories below are a guide and may change:

Risk Management Process

The risk management process, outlined below, is simply a tool to help think about, take and manage risk in an informed way. It can be used in any context and by any organisation or individual.


In the context of preparing for, responding to and recovering from emergencies, it is a tool that can help to:

• Identify the sources of risk

• Assess the level of risk

• Inform the decision on how to respond.


The assessment and management of risk is an inherent part of decision-making, whether done unconsciously or explicitly. For this reason, other than the generic risk management process below, you will find content on risk management integrated throughout the relevant sections of the Emergency 2.0 Wiki.


The risk management process, consistent with ISO 31000:2009 Risk management - Principles and guidelines, comprises the following steps:

• Communicate and consult - engage internal and external stakeholders throughout the process

• Establish the context - understand the environment in which risk is being considered, and the objectives that need to be achieved

• Risk assessment - identify the sources of risk, analyse likelihood and impact, and evaluate if further action is required

• Risk treatment - decide if further measures should be taken to modify the level of risk

• Monitor and review - regularly monitor the environment for change and to ensure the effectiveness of risk treatment.


Risks and Mitigations

Human Safety and Wellbeing

Risk 1: Publishing/sharing inaccurate warning or disaster information

Mitigations

  • Ensure that you only share public information from verified sources such as other emergency agencies. Put this in your policy and procedures.
  • Do not share messages from unauthorised sources such as the public until they have been verified. Tips for verification are:
    • the tweet/Facebook message is geocoded
    • the tweet/Facebook image is geocoded
    • multiple geocoded messages from different sources in the same location are received.
  • Issue a correction as soon as the error is discovered. Ask others to retweet this correction with "please RT"
  • Build trusted community sources as your 'early detectors': your 'fire detectors', 'flood detectors', 'tornado detectors', 'tsunami detectors' and 'earthquake detectors'.


Risk 2: Publishing/sharing warning information or disaster information that is no longer current

Mitigations

  • Ensure that all messages that you share state the time the message is issued eg "Stuart road flooded #qldflood at 10.30am".
  • This is important as your tweet/Facebook message may be shared hours later, by which time the road may then be reopened, or in case of a bushfire/wildfire, the wind may have changed and the location/road/route is no longer safe.
  • If the message that you plan to share doesn't have the time, you need to add it before sharing. Eg if it is "10.00am" and the tweet was sent 10 minutes ago, you need to state the time as "9.50am". This is important to ensure that emergency agencies, the media and the community are acting on accurate, timely information.
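The re-stamping rule above (carry the original issue time, and treat older warnings with care) can be applied mechanically before a message is re-shared. The following is an added Python example, not content from the Emergency 2.0 Wiki; the one-hour re-verification threshold and the sample message times are constructed assumptions:

```python
import re
from datetime import datetime, timedelta
from typing import Tuple

# Matches a time already written into a message in the checklist's own style,
# e.g. "10.30am", "9.50 am" or "10:30AM".
TIME_PATTERN = re.compile(r"\b\d{1,2}[.:]\d{2}\s?(?:am|pm)\b", re.IGNORECASE)

# Constructed threshold (assumption, not from the wiki): a warning older than this
# is flagged for re-verification before it is shared again, because the road may
# have reopened or the wind may have changed.
MAX_SHARE_AGE = timedelta(hours=1)


def format_time(when: datetime) -> str:
    """Render a time the way the checklist writes it: 9.50am, 10.30am, 1.05pm."""
    hour = when.hour % 12 or 12
    suffix = "am" if when.hour < 12 else "pm"
    return f"{hour}.{when.minute:02d}{suffix}"


def restamp(text: str, sent_at_iso: str) -> str:
    """Append the time the message was originally issued unless it already carries one.

    sent_at_iso is the original send time in ISO 8601 form, e.g. "2011-01-11T09:50".
    """
    if TIME_PATTERN.search(text):
        return text
    sent_at = datetime.fromisoformat(sent_at_iso)
    return f"{text.rstrip()} at {format_time(sent_at)}"


def prepare_for_sharing(text: str, sent_at_iso: str, now_iso: str) -> Tuple[str, str]:
    """Return (message to share, status).

    status is "share" when the message is recent enough to pass on as-is, and
    "verify" when it is older than MAX_SHARE_AGE and the situation may have
    changed since it was issued.
    """
    sent_at = datetime.fromisoformat(sent_at_iso)
    now = datetime.fromisoformat(now_iso)
    stamped = restamp(text, sent_at_iso)
    status = "verify" if now - sent_at > MAX_SHARE_AGE else "share"
    return stamped, status


if __name__ == "__main__":
    # Constructed scenario from the checklist: it is 10.00am and the tweet was sent 10 minutes ago.
    message, status = prepare_for_sharing(
        "Stuart road flooded #qldflood", "2011-01-11T09:50", "2011-01-11T10:00"
    )
    print(status, "->", message)  # share -> Stuart road flooded #qldflood at 9.50am
```

The time written into the message is always the original issue time, never the time of re-sharing, so a reader hours later can judge for themselves how current the information is.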

Reputation

Risk 1: Delays in issuing updates

Mitigations

  • Use a multichannel approach to your emergency communications eg multiple social media sites plus website, plus sms, call centre, mainstream media etc
  • Ensure that your website, onhold message, media releases point/link to all your emergency communications channels
  • Prepare in advance holding messages ready for issue on how people can request emergency help eg phone numbers of your organisation/agency as well as other emergency agencies.
  • Issue these messages regularly during an emergency eg every hour
  • Issue holding messages that acknowledge that there is an emergency, that you are trying to source information and that you will get back to them as soon as you have information - to give peace of mind and comfort to the community and your stakeholders
  • Enlist trusted volunteers to monitor the emergency via social media and also to monitor your social media message feeds for requests for emergency help. This can be done remotely, indeed globally. See Integration with other agencies and Working with Volunteer Technical Communities. Ideally this should be done in the Emergency Preparation phase.
  • Setup automated emails to advise you whenever anyone has contacted you via your social media channels
  • Utilise third party tools eg Hootsuite for Twitter to share responsibility and to allocate tasks to reply to messages.
  • Establish a "Trends Map" to enable monitoring of all mentions of the emergency - based on location
  • Utilise third party websites which aggregate multiple feeds for information and also point your community and stakeholders to these sites
  • Locate and monitor crowdsource maps providing realtime, localised information
  • Find and follow emergency hashtags eg #flood
  • Monitor social media channels of key emergency agencies and share their messages and updates via retweeting, sharing on Facebook etc

Risk 2: Criticism of your organisation's timeliness in responding

Mitigations

  • Manage expectations by stating your levels of response in your terms of use guidelines, eg "We will endeavour to respond to individual messages, however we will not always be able to reply individually to everyone".
  • Make sure that your terms of use guidelines also include the hours during which you will be monitoring the account, eg "We will monitor this account during business hours only. In the event of an emergency, please contact (list contact details)."
  • During an emergency enlist trusted volunteers to monitor your social media message feeds for requests for information or for emergency help. This can be done remotely, indeed globally. See Integration with other agencies and Working with Volunteer Technical Communities. Ideally this should be done in the Emergency Preparation phase.
  • Establish automated emails to notify you of comments on your social media accounts or @mentions
  • Prepare holding messages for when answers are pending or will need research
  • Prepare Frequently asked questions and answers list in advance for each type of emergency.
  • If swamped, reply to themes rather than to individual messages, eg identify the 'top 5 topics' every hour and respond to these on all channels


Risk 3: Comments posted on your social media site containing defamatory or unlawful content or links

Mitigations

  • Report to service provider and the Police
  • Make a copy of the record and put in a log created for social media content issues
  • Seek legal advice
  • If a Facebook message, mark as "spam" so that it appears to the public to be removed from the site but the record is still kept
  • Remove from site
  • Send a message and block perpetrator
  • Have a link from your social media sites to a terms of use statement outlining what is inappropriate content. Also include a disclaimer
  • Undertake daily monitoring of sites
  • Establish and publish policies concerning employee use of social media websites

Risk 4: Comments by others on social media sites linking your organisation to defamatory or unlawful content

Mitigations

  • Report to social media site and the Police
  • Make a copy of the record and put in a log created for social media content issues
  • Seek legal advice


Risk 5: Service availability down due to over capacity of social media channels

Mitigations

  • Use a multichannel approach to your emergency communications eg multiple social media sites plus website, plus sms, call centre, mainstream media etc
  • Ensure that your website, onhold message, media releases point/link to all your communications channels
  • Terms of Use statement to include provision that availability of service is not guaranteed and your organisation accepts no responsibility for lack of service

Legal

Risk 1: Litigation for loss or damage as a result of messages or information on social network sites

Mitigations

  • Develop and post a Conditions of Use Policy on your website and link to all social media sites. This policy should include the following:
    • Disclaimer
    • Acceptable Use policy
    • Moderation policy
    • Copyright policy
    • Privacy policy
  • Conduct daily monitoring of all sites
  • Establish and follow guidelines and procedures to ensure the information your organisation publishes and shares via social media channels is lawful, timely and correct (see Human Safety and Wellbeing section).
  • Establish and publish policies concerning employee use of social media websites.

Security and Confidentiality

Risk 1: Security breaches of social media accounts (hacking) resulting in vandalism of content and/or installation of malware

Mitigations

  • Perform a risk assessment of each social media site before using it, including reviewing its security and privacy controls
  • Create a central register of all key social media sites (including third party applications) and place each into one of four categories:
    • can be used at work or at home
    • can only be used at work, where there is a firewall
    • can only be used on certain work computers that are isolated from the network
    • cannot be used.
  • Ensure all employees have access to this register and regularly review and update it.
  • Use computers isolated from the network to test new social media websites and applications
  • Be wary when using third party applications within social media sites
  • Consider separating the network used for social media access from the general office network
  • Install the latest web browsers on PCs as they are likely to have better security controls.
  • If available, connect to the internet via a 'trusted internet connection'. These connections offer increased levels of security. The US federal government for instance has a Trusted Internet Connection program.
  • Take measures to protect user PCs
  • Develop guidelines to warn employees and your community of the risk
  • Educate your employees of the risks via regular training sessions, particularly for those managing your social media accounts
  • Establish and publish policies concerning employee use of social media websites. Policy regarding passwords should include:
    • only approved, nominated staff have password access
    • Use strong passwords - eg 10 characters long, with a mixture of letters (upper and lower case), numbers and symbols eg ZwF27-#nVz
    • Use a different password for each social media site, so that if the password is discovered, only one site is compromised.
    • Use third party tools such as CoTweet to devolve access securely
    • Avoid using unknown third party applications that require the account password
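The password rules above (length and character mix, one password per site, access limited to nominated staff) can be enforced when a password is set, and the central register can keep a per-site salted hash rather than the passwords themselves, which also lets it detect reuse across sites. The following is an added Python example, not the wiki's or RMIA's own tooling; the register layout, the PBKDF2 work factor, the custodian names and the second sample password are constructed assumptions, while "ZwF27-#nVz" is the checklist's own example:

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Set, Tuple

# PBKDF2 work factor for the register's stored hashes (constructed choice).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def policy_failures(password: str) -> List[str]:
    """Check the checklist's rule: 10+ characters mixing upper/lower case, digits and symbols."""
    failures = []
    if len(password) < 10:
        failures.append("shorter than 10 characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


class AccountRegister:
    """Central register of social media accounts: site -> (custodian, salt, hash).

    Only a salted hash is kept, so the register can be held centrally without
    exposing any password. Reuse is detected by hashing the candidate password
    with each existing site's salt and comparing digests in constant time.
    """

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, bytes, bytes]] = {}

    def reused_on(self, candidate: str, exclude: str) -> List[str]:
        reused = []
        for site, (_custodian, salt, digest) in self.entries.items():
            if site != exclude and hmac.compare_digest(hash_password(candidate, salt), digest):
                reused.append(site)
        return reused

    def set_password(self, site: str, custodian: str, candidate: str,
                     approved_staff: Set[str]) -> List[str]:
        """Record a new password for `site` if it passes policy; return the problems found (empty on success)."""
        problems = policy_failures(candidate)
        if custodian not in approved_staff:
            problems.append(f"custodian '{custodian}' is not approved for password access")
        reused = self.reused_on(candidate, exclude=site)
        if reused:
            problems.append("already used for " + ", ".join(sorted(reused)))
        if problems:
            return problems
        salt = os.urandom(16)
        self.entries[site] = (custodian, salt, hash_password(candidate, salt))
        return []


if __name__ == "__main__":
    # Constructed walk-through: alice is the only approved custodian.
    register = AccountRegister()
    approved = {"alice"}
    print(register.set_password("twitter", "alice", "ZwF27-#nVz", approved))    # []
    print(register.set_password("facebook", "alice", "ZwF27-#nVz", approved))  # ['already used for twitter']
```

Because each site has its own salt, a leaked copy of the register reveals neither passwords nor which sites share one; the reuse check only works at the moment a new password is proposed, which is exactly when the policy should be applied.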


Risk 2: Hijacking your identity (creating an account and posing as your organisation)

Mitigations

  • Register accounts with your name with all key social media channels so that no one else can beat you to it
  • Add the wording 'official' or 'this is the official account' and have the account verified
  • Accept residual risk and monitor for this occurring
  • Report any spoof accounts to the social media provider eg Twitter for suspension

Risk 3: Identity theft via information scraping, social engineering, phishing or spoofing

Information scraping

Risk

  • Personal identifying information such as a phone number on one site, a photo on another and a birthdate on another is 'scraped' from many websites and compiled into a single comprehensive identity of the person. This can then be used to commit identity fraud. Personally identifiable information includes tagged photos, social security numbers, full name, date of birth, schools attended, work address and phone number, home address and phone numbers, and names of children and family members.

Mitigations

  • Develop guidelines to warn employees and your community not to post any more personally identifiable information than is absolutely necessary.
  • Link to those guidelines from your social media sites.
  • Educate your employees of the risks
  • Delete personal identifying information once it is no longer necessary
  • Regularly warn the community of the threat of identity theft from information shared on social media sites.
  • Update security patches as required

Social engineering

Risk

  • This is where hackers acquire confidential personal information through fraud. This may involve the hacker trying to solicit personal information by creating a fake identity online and trying to befriend others, for example by creating a fake Facebook profile, Twitter account or LinkedIn account.

Mitigations

  • Develop guidelines to warn employees and your community of the risk and not to post any more personally identifiable information than is absolutely necessary.
  • Establish and publish policies concerning employee use of social media websites
  • Educate your employees of the risks via regular training sessions, particularly for those managing your social media accounts
  • Do not reveal personally identifiable information unless certain of the person's credentials

Phishing

Risk

  • This is where messages are sent by cyber criminals posing as someone else. This can be done via email or a social media site. The message may be sent indiscriminately or be targeted to a specific individual, group or organisation.

Mitigations

  • Join only those social media sites that have explicit and strong privacy policies
  • Check the privacy options on social media sites and use the setting that will limit access to your profile and personal data
  • Use the phishing filter built into many web browsers, which detects suspicious websites by comparing them against a list of known phishing websites and by checking whether the website fits the profile of a phishing website.
  • Establish and publish policies concerning employee use of social media websites.
  • Develop guidelines to warn employees of the risk of phishing and what information is appropriate to share online and what is not.
  • Educate your employees of the risks via regular training sessions, particularly for those managing your social media accounts
  • Share as little personally identifiable information online as necessary
  • Regularly warn citizens of the threat of identity theft from information shared on social media sites and what information should not be shared on social media
  • Encourage staff to consider using a screen name when interacting online (where appropriate)
  • Use only private messages (if available) to send personal or sensitive information
  • Build up a relationship first and check the credentials of people before sending personal identifying information such as your phone number. This may involve doing a web search, checking their LinkedIn profile for an employment history, to see who their friends and connections are, what they are saying online.

Spoofing

Risk

  • This is where a fake website is created to mirror a trusted website in order to undertake identity theft. This may be by asking users to send login information or to install malware on the user's computer. Spoofing can also occur when a website is compromised with malicious scripts downloaded to the browser of the user when the web page is displayed. And it can occur by clicking on a link in an email or social media message (eg a tweet) that takes the user to a malicious web page.

Mitigations

  • Establish and publish policies concerning employee use of social media websites
  • Do not click on unsolicited messages.
  • Be wary of clicking on links
  • Before clicking on a shortened URL (eg tinyurl) hover your cursor over it to reveal the full URL.
  • In the case of TinyURL, enter "preview.tinyurl.com/LINKNAME" to reveal the full URL.
  • Use your government's own services, if available, to shorten a URL, eg go.usa.gov and 1.usa.gov
  • Consider manually entering a URL instead of following a link
  • Develop guidelines to warn employees and your community of the risk
  • Educate your employees of the risks via regular training sessions, particularly for those managing your social media accounts
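The link checks in the spoofing and phishing lists above (reveal the destination of a shortened URL, use the TinyURL preview address, be suspicious of links that only resemble a trusted site) can be scripted so that staff handling a social media feed get a consistent set of warnings before following a link. The following is an added Python example, not code from the wiki; the trusted domain, the lookalike and IP-address sample links, and the set of shorteners checked are constructed assumptions, and the "preview.tinyurl.com/LINKNAME" form is the one the checklist gives:

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed lists (assumptions, not from the wiki): replace with your organisation's
# own trusted sites and the shorteners your community actually encounters.
TRUSTED_DOMAINS = {"example-agency.gov.au"}
SHORTENERS = {"tinyurl.com", "go.usa.gov", "1.usa.gov"}


def _split(url: str):
    # Accept links pasted without a scheme, as they often appear in messages.
    return urlsplit(url if "://" in url else "http://" + url)


def preview_url(url: str) -> Optional[str]:
    """For a TinyURL link, return the preview address the checklist describes (preview.tinyurl.com/LINKNAME)."""
    parts = _split(url)
    name = parts.path.strip("/")
    if (parts.hostname or "").lower() == "tinyurl.com" and name:
        return "preview.tinyurl.com/" + name
    return None


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def inspect_link(url: str) -> List[str]:
    """Return the reasons to be wary of a link; an empty list means nothing stood out."""
    findings: List[str] = []
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in link"]
    if parts.username is not None:
        findings.append("text before '@' in the address is not the real site name")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a named site")
    except ValueError:
        pass
    if host in SHORTENERS:
        findings.append("shortened URL: reveal the full destination before following it")
        preview = preview_url(url)
        if preview:
            findings.append("preview available at " + preview)
    elif not is_trusted(host):
        # A trusted name appearing inside an unrelated host is the classic sign of a mirror site.
        for domain in TRUSTED_DOMAINS:
            brand = domain.split(".")[0]
            if brand in host:
                findings.append(f"host resembles trusted domain {domain} but is not part of it")
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed sample links as they might arrive in a message feed.
    for link in ("https://www.example-agency.gov.au/alerts",
                 "tinyurl.com/abc123",
                 "https://example-agency-gov-au.example.net/login",
                 "http://192.0.2.10/login"):
        print(link, "->", inspect_link(link) or ["nothing unusual"])
```

The checker never fetches the link, so it can run on an isolated machine as the checklist suggests for testing unknown sites; expanding a shortener or confirming a site's identity still needs a human looking at the revealed destination.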

Risk 4: Message attachments containing malware

  • This is where social media messages are sent with an attached malware file.

Mitigations

  • Do not click on unsolicited messages via social media
  • Be wary of clicking on files attached to social media messages
  • Install the latest web browsers on PCs as they are likely to have better security controls.
  • If available, connect to the internet via a 'trusted internet connection'. These connections offer increased levels of security. The US federal government for instance has a Trusted Internet Connection program.
  • Develop guidelines to warn employees and your community of the risk
  • Educate your employees of the risks via regular training sessions, particularly for those managing your social media accounts


Risk 5: Privacy of followers/members is breached

Mitigations

  • Develop and publish a privacy policy on the use of private information of followers/members of social media sites
  • Include a privacy statement that your agency does not use private information for any other purpose other than what was intended
  • Publish links to the privacy statements of social media sites used
  • Publish links to your privacy policy/statement from your social media sites
  • Regularly warn citizens of the importance of protecting their privacy and what information should not be shared online

Service Delivery

Risk 1: Lack of availability of social media sites due to being over capacity or other technical issues by the provider

Mitigations

  • Use a multichannel communication approach for emergency communications.
  • Regularly remind the public via all channels how to seek emergency help (eg call a hotline) and how to get live information (via your social media channels).
  • Ensure your terms of use policy for the public in relation to their use of your social media channels includes a statement that the service may occasionally be unavailable and the organisation accepts no responsibility for lack of service due to downtime.

NB: social media is an additional channel alongside current communication channels.

Risk 2: Loss of data due to problems with social media accounts, accidental account termination etc

Mitigations

  • Conduct a monthly backup of your social media sites (many third party applications offer a free service)

Risk 3: Changes to the social media platform (to add or change features)

Mitigations

  • Social networks are continually adding features to improve services, so this is generally a benefit. The key risk is in regard to changing the privacy settings.
  • Regularly review the sites and keep up to date with any changes and their potential impacts on your organisation and your customers

Financial

Risk 1: Introduction of charges for accessing the social network

Mitigations

  • Review business case for continuing to use the service if fees are applied

Additional Risks and Mitigations by Sector

Emergency Sector Risks and Mitigations

Government Sector Risks and Mitigations

Community sector Risks and Mitigations

Education Sector Risk and Mitigations

Health Sector Risks and Mitigations

Business Sector Risks and Mitigations

Examples

Case Studies

References and Links

Emergency 2.0

Business as Usual
