Controls Mitigating the Risk of Confidential Information Disclosure by Facebook: Essential Concern in Auditing Information Security

Facebook allows people to easily share information about themselves which in some cases could be classified as confidential or sensitive in the organisation they’re working for. In this paper we discuss the type of data stored by Facebook and the scope of the terms “confidential” and “sensitive data”. The intersection of these areas shows that there is high possibility for confidential data disclosure in organisations with none or ineffective security policy. This paper proposes a strategy for managing the risks of information leakage. We define five levels of controls against posting non-public data on Facebook - security policy, applications installed on employees’ workstations, specific router software or firmware, software in the cloud, Facebook itself. Advantages and disadvantages of every level are evaluated. As a result we propose developing of new control integrated in the social media.