Independent Evaluation of NRC’s Use and Security of Social Media

Report Information

Date Issued:
Report Number: OIG-13-A-08
Report Type: Inspection / Evaluation
Joint Report: No
Agency Wide: No (location specific)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Update the agency's information management and security policies to include social media:
A) Include social media policy guidance in the revised MD 3.2, Privacy Act in accordance with guidance provided in OMB Memorandum 10-23, Guidance for Agency Use of Third Party Web Sites and Applications.
B) Revise MD 3.53, Records and Document Management Program and include social media in accordance with the guidance provided in NARA Bulletin 2011-02, Guidance on Managing Records in Web 2.0/Social Media Platforms.
C) Revise the existing PII Breach Notification Policy and Computer Security Incident Response Policy to include the following statement: All of the information contained in this policy applies to the use of social media.

Conduct annual security and vulnerability assessments of NRC's social media channels. CSO should outline the requirements to perform the assessments and facilitate the process.

Develop a section on social media security for inclusion in the annual mandatory Computer Security Awareness Course. Include information on Federal and NRC social media policies and employee responsibilities to safeguard PII and sensitive agency information when using social media inside and outside of the NRC network.

Develop a section on social media security for inclusion in the OPA social media training for all official NRC bloggers. Include an overview of social media security and Federal and NRC social media policies, as well as guidelines regarding employee responsibilities to safeguard PII and sensitive agency information when developing posts for the NRC blog.

Disseminate electronic agencywide Yellow Announcements on a periodic basis regarding social media security, NRC-approved social media sites and the responsibilities of employees to safeguard PII, sensitive agency data, and proprietary information when using social media sites inside and outside of the NRC network.