From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Watchdog Report: Use of Social Media by Federal Agencies

Audio interview by GAO staff with Greg Wilshusen, Director, Information
Technology

Related GAO Work: GAO-11-605: Social Media: Federal Agencies Need
Policies and Procedures for Managing and Protecting Information They
Access and Disseminate

Released on: July 28, 2011

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and
information from the Government Accountability Office. It's July 28,
2011. Social media sites, such as Facebook, Twitter, and YouTube provide
opportunities for federal agencies to more readily share information and
interact with the public. However, these services can also pose risks to
both personal and government information. A group led by Greg Wilshusen,
a director in GAO's Information Technology team, recently reviewed
federal agencies' use of social media. GAO's Jeremy Cluchey sat down
with Greg to learn more.

[ Jeremy Cluchey: ] What are some of the ways in which agencies are
using different social media platforms today?

[ Greg Wilshusen: ] Well, the agencies are using, actually, those
platforms in a variety of ways. In fact, we found that most of the
agencies -- in fact, 23 out of the 24 agencies that we reviewed as part
of this examination -- were using Web services to repost information
that was already on their agency Web sites, to post new content that
wasn't included on their Web sites, and we also found that they were
using those services to solicit comments from the public on various
different issues, as well as responding to comments on some of their
posts. And finally, we found that agencies were using the social media
sites to help provide links to other nongovernmental Web sites.

[ Jeremy Cluchey: ] In some of these activities, you mentioned, some
issues can arise. Can you talk a little bit about some of the issues
that agencies face, as they use social media sites?

[ Greg Wilshusen: ] Well, certainly, one of the key issues is just
knowing what information should be identified and preserved as federal
records. Another is to protect the personal information that the agency
may have access to -- using those sites -- and ensuring the security of
the agency's own federal information and systems.

[ Jeremy Cluchey: ] To what extent did you find that agencies are
complying with the guidance that currently exists around privacy,
security, and records management, as you mentioned?

[ Greg Wilshusen: ] Well, we found that the agencies have made mixed
progress in developing and implementing policies and procedures for
managing and protecting information associated with social media use.
For example, 12 out of the 23 agencies had developed policies for
identifying and preserving records associated with social media use. We
also found, however, that agencies were challenged in trying to come up
with the mechanisms for preserving that information, and that guidance
was needed, in order to help them to do that. We also found that
agencies had -- about 12 of them, in fact -- had updated their policies
for personal privacy, as well as 8 had conducted pers -- privacy impact
assessments. And these are required, in order to help identify the
privacy risks and the types of controls that are needed to protect the
personal information. And we found that only 7 agencies had actually
conducted security risk assessments of the information that is exchanged
through -- in the use of social media, and that could prevent them from
identifying the appropriate controls.

[ Jeremy Cluchey: ] What are some of the risks that are posed when
agencies don't comply with this guidance?

[ Greg Wilshusen: ] Well, one, officials that are responsible for
creating and administering content on agency social media sites may not
be making the right decisions or appropriate determinations about the
information being social media records. We also found that potentially
important records of government activity may not be appropriately
preserved. In addition, agency officials and the public may lack
assurance that the privacy of their personal information that's
available to the agencies is actually being protected accordingly. And
finally, the agency officials could not necessarily assure that the
security controls and measures in place over the use of social media
protected their own systems and information from risk.

[ Jeremy Cluchey: ] What sorts of recommendations is GAO making in this
report?

[ Greg Wilshusen: ] We made one recommendation to the Archivist of the
United States, who leads the National Archives and Records
Administration, to develop policies and procedures for and guidance for
-- that can be given to the agencies to effectively capture the records
from social media -- and that this guidance be incorporated into best
practices. We also made recommendations to 21 of the 23 agencies that
were using social media. And these had to do with updating their
policies, to address use of social media, [background music] and to
conduct privacy impact analyses, as well as to conduct risk assessments
with the use of social media.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO's Web site at GAO.gov and be sure
to tune in to the next edition of GAO's Watchdog Report for more from
the congressional watchdog, the Government Accountability Office.