Sunday, August 15, 2010

Primary recommendations:

Since most Web 2.0 technologies are still emerging and secure coding practices are not yet industry-wide, it is recommended that a risk assessment be done for each social networking or Web 2.0 community you wish to use for official CDC communications, to determine whether Web mail and public comments are allowed and whether they are necessary. In most cases they are either required or strongly preferred, and in those cases the only way to protect the CDC network at present is to manage and maintain these sites on hardware that is kept off the CDC network.

Programs must work with OCISO to develop appropriate Rules of Behavior (ROB) for those who will use the dedicated hardware to manage these profiles. These ROB will include provisions against connecting the hardware to the CDC network, against re-enabling ports that OCISO has blocked, and against moving files from the system to the network directly in any way. A separate Internet connection must be acquired, which is usually a wireless Internet card. If DSL, cable or T1 connections are required, then the program must also bring ITSO into the discussions at an early stage.

Programs should develop a system to regularly and systematically review the URLs in any comment for cross-site scripting (XSS) on the destination page. Those who do the scanning and review should be trained in how to look for suspicious XSS-type code in a page. The use of automated tools is generally restricted by license agreements.
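A small triage helper for the comment-URL review described above, added here as an example and not part of the original post: it extracts URLs from comment text, flags common XSS indicators in each URL after percent-decoding, and flags suspicious constructs in destination-page HTML that the reviewer has already fetched (assumed to be fetched separately, for instance from the off-network machine). The indicator patterns are an assumed starting heuristic to prioritize the trained reviewer's manual look, not a replacement for it.

```python
import re
from urllib.parse import unquote

# Matches http(s) URLs plus the script-style schemes a reviewer should never see in a comment.
URL_RE = re.compile(r"""(?:https?://|javascript:|data:)[^\s"'<>]+""", re.IGNORECASE)

# Indicators that warrant manual review of a URL (checked after percent-decoding).
# These are assumed heuristics for triage, not an exhaustive XSS signature set.
URL_INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "event_handler": re.compile(r"\bon(?:click|load|error|mouseover|focus|blur)\s*=", re.IGNORECASE),
    "script_scheme": re.compile(r"^\s*(?:javascript|data|vbscript):", re.IGNORECASE),
    "html_injection": re.compile(r"<\s*(?:iframe|img|svg|object|embed)\b", re.IGNORECASE),
}

# Constructs in a fetched destination page that a reviewer should look at more closely.
PAGE_INDICATORS = {
    "inline_event_handler": re.compile(r"<[^>]+\son[a-z]+\s*=", re.IGNORECASE),
    "cookie_access": re.compile(r"document\.cookie", re.IGNORECASE),
    "dynamic_eval": re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE),
    "javascript_href": re.compile(r"href\s*=\s*['\"]\s*javascript:", re.IGNORECASE),
}


def extract_urls(comment: str) -> list[str]:
    """Pull candidate URLs out of a free-text comment body, dropping trailing punctuation."""
    return [u.rstrip(".,;!?") for u in URL_RE.findall(comment)]


def flag_url(url: str) -> list[str]:
    """Return the names of indicators matching the URL; decode twice to catch double-encoding."""
    decoded = unquote(unquote(url))
    return sorted(name for name, pat in URL_INDICATORS.items() if pat.search(decoded))


def triage_comment(comment: str) -> dict[str, list[str]]:
    """Map each URL in a comment to its indicators; an empty list means nothing was flagged."""
    return {url: flag_url(url) for url in extract_urls(comment)}


def flag_page_html(html: str) -> list[str]:
    """Flag suspicious constructs in destination-page HTML supplied by the reviewer."""
    return sorted(name for name, pat in PAGE_INDICATORS.items() if pat.search(html))


if __name__ == "__main__":
    # Constructed sample comment: one benign link, one encoded script payload, one script scheme.
    sample = ("Nice post! See http://example.com/safe. Also http://example.com/view?q=%3Cscript%3E"
              "alert(1)%3C%2Fscript%3E and javascript:alert(document.cookie)")
    for url, hits in triage_comment(sample).items():
        print(url, "->", hits or "clean")
```

Any URL with a non-empty indicator list goes to the trained reviewer; a URL with an empty list is not proven safe, only unflagged by these heuristics.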

Programs should also develop a system to regularly and systematically review the profile pages of friends, to ensure that their content has not changed since initial acceptance and that those profiles have not been compromised.

Programs should also routinely scan the security environment and vulnerability databases to stay abreast of the changing security landscape associated with these sites.
