Skip to main content

HRS-05.2: Social Media & Social Networking Restrictions

HRS 9 — Critical Identify

Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.

Control Question: Does the organization define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information?

General (27)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1 CC1.1-POF2
CIS CSC 8.1 9
CSA CCM 4 HRS-02
GovRAMP Moderate PL-04(01)
GovRAMP High PL-04(01)
ISO 27001 2022 (source) 7.3 7.3(a) 7.3(b) 7.3(c)
ISO 27002 2022 5.4 5.10 6.2
ISO 27017 2015 8.1.3
ISO 42001 2023 7.3
MPA Content Security Program 5.1 OR-1.1
NIST 800-53 R4 PL-4(1)
NIST 800-53 R4 (moderate) PL-4(1)
NIST 800-53 R4 (high) PL-4(1)
NIST 800-53 R5 (source) PL-4(1)
NIST 800-53B R5 (privacy) (source) PL-4(1)
NIST 800-53B R5 (low) (source) PL-4(1)
NIST 800-53B R5 (moderate) (source) PL-4(1)
NIST 800-53B R5 (high) (source) PL-4(1)
NIST 800-82 R3 LOW OT Overlay PL-4(1)
NIST 800-82 R3 MODERATE OT Overlay PL-4(1)
NIST 800-82 R3 HIGH OT Overlay PL-4(1)
NIST 800-171 R2 (source) 3.1.22 NFO-PL-4(1)
NIST 800-171 R3 (source) 03.15.03.a
NIST 800-171A R3 (source) A.03.15.03.a
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) HRS-05.2
SCF CORE ESP Level 2 Critical Infrastructure HRS-05.2
SCF CORE ESP Level 3 Advanced Threats HRS-05.2
US (18)
Framework Mapping Values
US C2M2 2.1 WORKFORCE-1.E.MIL2
US CMMC 2.0 Level 1 (source) AC.L1-B.1.IV
US CMMC 2.0 Level 2 (source) AC.L2-3.1.22
US CMMC 2.0 Level 3 (source) AC.L2-3.1.22
US CMS MARS-E 2.0 PL-4(1)
US DHS ZTCF HRS-05.2
US FAR 52.204-21 52.204-21(b)(1)(iv)
US FedRAMP R4 PL-4(1)
US FedRAMP R4 (moderate) PL-4(1)
US FedRAMP R4 (high) PL-4(1)
US FedRAMP R5 (source) PL-4(1)
US FedRAMP R5 (low) (source) PL-4(1)
US FedRAMP R5 (moderate) (source) PL-4(1)
US FedRAMP R5 (high) (source) PL-4(1)
US FedRAMP R5 (LI-SaaS) (source) PL-4(1)
US IRS 1075 PL-4(1)
US ITAR Part 120 120.11
US - TX TX-RAMP Level 2 PL-4(1)
EMEA (3)
Framework Mapping Values
EMEA Israel CDMO 1.0 4.13 19.6 19.7
EMEA Saudi Arabia ECC-1 2018 1-9-4-2
EMEA UK DEFSTAN 05-138 2604
APAC (3)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0229 ISM-0230 ISM-0233 ISM-0235 ISM-0236 ISM-0240 ISM-0241 ISM-0264 ISM-0267 ISM-0588 ISM-0824 ISM-0931 ISM-1075 ISM-1078 ISM-1092 ISM-1196 ISM-1198 ISM-1199 ISM-1200 ISM-1562 ISM-1644
APAC Japan ISMAP 4.5.2 4.5.2.8 8.1.3
APAC New Zealand NZISM 3.6 9.3.7.C.01 9.3.7.C.02 9.3.7.C.03 9.3.7.C.04 9.3.8.C.01 9.3.8.C.02 9.3.8.C.03
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.15.03.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.

Level 1 — Performed Informally

Human Resources Security (HRS) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Personnel management is decentralized, with the responsibility for training users and enforcing policies being assigned to the user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • The Human Resources (HR) department provides guidance on HR practices for hiring, retaining and terminating employees, contractors and other personnel that work on behalf of the organization.
  • Terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior are at the discretion of users’ management.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
Level 2 — Planned & Tracked

Human Resources Security (HRS) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Defines terms of employment, including acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

  • Personnel management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for personnel management.
  • The Human Resources (HR) department:
  • The responsibility for training users and enforcing policies being assigned to user’s immediate supervisor(s)/manager(s), including the definition and enforcement of the user’s specific role(s) and responsibilities.
  • Personnel managers ensure personnel are routinely made aware of the organization's cybersecurity / data privacy policies and provide acknowledgement.
  • Administrative processes require all employees and contractors to apply cybersecurity and data privacy principles in their daily work.
Level 3 — Well Defined

Human Resources Security (HRS) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures industry-recognized HR practices are implemented for hiring, managing, training, investigating and terminating employees, contractors and other personnel that work on behalf of the organization. o Ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices. o Identifies and implements industry-recognized HR practices related to cybersecurity and data privacy training and awareness to help ensure secure practices are implemented in personnel operations to help manage risk to both technology assets and data. o Manages personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.

  • The Human Resources (HR) department:
  • Administrative processes require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
  • Rules of behavior contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.

Assessment Objectives

  1. HRS-05.2_A01 the rules of behavior include restrictions on the use of social media, social networking sites and external sites/applications.
  2. HRS-05.2_A02 the rules of behavior include restrictions on posting organizational information on public websites.
  3. HRS-05.2_A03 the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
  4. HRS-05.2_A04 rules that describe responsibilities and expected behavior for system usage and protecting sensitive / regulated data are established.
  5. HRS-05.2_A05 rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.

Evidence Requirements

E-DCH-11 Authorized Users To Post Publicly Accessible Content

Documented evidence of list of users authorized to post publicly accessible content on organizational systems.

Data Protection
E-HRS-22 Rules of Behavior

Documented evidence of personnel management practices to define "acceptable use" or "rules of behavior" criteria that specify acceptable and unacceptable user behaviors.

Human Resources

Technology Recommendations

Micro/Small

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Small

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Medium

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Large

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

Enterprise

  • Formal onboarding training
  • Acceptable Use / Rules of Behavior (RoB)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free