"Having worked with many organizations, I agree there's a broad range of policies and enforcement, which reflect the culture of the organization. There is also a broad range of abilities to detect usage down to the individual level. It is best to have a broad high-level policy that should be changed as little as possible. Use of tools you mention, Twitter and Facebook, can be invaluable for recruiters and can also be used by managers. There are many warnings out to individuals that information can and is used by companies for screening potential candidates and for understanding current staff. Some companies use these tools to keep up with customers, both contact and desire, to help modify strategic plans or marketing programs. Therefore these tools are considered business use. Many organizations permit reasonable personal use as a productivity enhancer. If a person can get there errands done online from their desks they are less likely to take long breaks and can be readily reached should the need arise. There are tools that can be configured to block or allow based on roles or timeframes. With these tools a very broad policy can be implemented and enforced, such as: It is the policy of the company that computer resources are company owned, monitored, and usage is restricted to business purpose (can be added that reasonable personal use is allowed as approved by management). This broad type of policy is already in place for most organizations meaning that no change is required to policy, again as Michael mentioned. This is then backed up with awareness training and consistent enforcement. Should problems arise that impact resources, then the company must determine if more stringent detection and enforcement capabilities must be implemented. The cost of these tools and processes must be weighed against potential or realized risk. Once shown to be cost effective, implementation of role and time-based filtering/blocking tools along with appropriate processes and awareness training would then be the change resulting from the introduction of these online tools." Patricia George, independent security executive, former corporate information security director at Harley-Davidson Inc., Washington D.C.
"There is a lot to consider when companies tweak their social networking policies. We want to embrace social networking, but there has to be a balance. We need to protect our clients, our employees, and our reputation as a company. They previously did not permit even anonymous blogging about their company. I personally think that enforcing a policy on this with your users would be challenging. Rather, I feel that the company should be using this information -- and more importantly, meta-information and trending -- from these tools as an internal tool. Consider this another metric or barometer for employee health and welfare. As the data in this profile changes and develops -- consider conducting internal reconnaissance as if you were a competitor, just like recon for a social penetration test. Determine what information is available and posted." Dan Holt, co-founder and CEO of HEIT, Inc., Fort Collins, Col.