Oct 17, 2010

Security as social media enabler

Social media is a good reality check for most organizations. If you need to block social media sites or update your security policies and guidelines, you know something was already missing before. Social media shouldn't bring anything new that good guidelines and controls wouldn't cover already.

I have security colleagues who have blocked social media sites in their organizations. Mostly the reason has been that "using social media is wasting valuable working hours". First, for many organizations social media is not a waste of time but a way of learning essential new skills and networking. Second, if employees are wasting their time, it's not the CSO's/CISO's problem. Why not block Internet access or email as well?

The security threats of Facebook, LinkedIn, Twitter, et al. are mostly the publishing of confidential information and malware infections. Your security guidelines and training should cover the first and your technical security controls the second. If not, you are in trouble anyway.

How about zero-day targeted attacks, you ask? Well, you are mostly out of luck anyway. You have to trust your awareness program and your employees being Internet-smart. Blocking everything is an effective security measure, but it is also effectively harming your business and your employees.

Many organizations are busy writing social media policies and security guidelines. Of course it makes sense to give some advice on how the organization should be visible on social media and to teach the principles of collaboration. You shouldn't need many social-media-specific security guidelines, though. Just a reminder that all existing guidelines on confidentiality and Internet use are still valid.

As I tweeted a while ago, I think that Mr. T has given us good advice for social media use: "I pity the fool". Equally good advice came from Sergeant Phil Esterhaus on Hill Street Blues: "Let's be careful out there."

Good advice also comes from F-Secure, who have defined the golden rule of social media security: "Links are not your friends." Good advice, but Intel CISO's security law #1 says: "Users want to click on things."

OK, I understand that some organizations have an interest in being more verbose on this. I like IBM's social media policy: it's short enough, right to the point, and can be squeezed into one main message: "Be responsible, learn, contribute and don't forget your day job."

So, my point is that access to social media is a must for most organizations. It's up to people management to see that the access is used for good and benefits the organization. The CSO/CISO can certainly handle the security advice and controls and, if needed, inform business management about the risks. Giving access to social media is a business decision, not a security decision.

If you want more information, a good analysis of social media security threats has been published by ENISA: Security issues and recommendations for online social networks. The Finnish Ministry of Finance has also published a draft of its social media guidelines (in Finnish). The draft is pretty good for background information, but maybe a bit heavy for actual guidelines.