PL-4 (1) - Social Media and External Site/application Usage Restrictions
Control requirements
PL-4 (1) (a)
Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications.
PL-4 (1) (b)
Include in the rules of behavior, restrictions on: Posting organizational information on public websites.
PL-4 (1) (c)
Include in the rules of behavior, restrictions on: Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Additional IBM Cloud for Financial Services specifications
Restrictions on the use of social media/networking sites must include that customer data must not be processed, stored, or transmitted to open/global social spaces or collaboration sites. Any customer data discovered must be deleted and/or restricted to authorized personnel.
Customer data must not be processed, stored, or transmitted to social media/networking sites without explicit customer approval.
NIST supplemental guidance
Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.