
Performing a social media security assessment

Follow this guidance if you’re a security assurance subject matter expert (SME) and you're responsible for assessing security, management and usage of your social media accounts at your public sector organisation.

This guidance will help you carry out a security review of your social media platforms using the following Report Template.

Please email securing-gov-services@digital.cabinet-office.gov.uk if you have any questions or comments.

The Central Digital and Data Office (CDDO) developed this guidance based on the National Cyber Security Centre's protecting what you publish guidance, which recommends the following:

  1. Use reputable social media platforms and tools that provide good security features.
  2. Only authorised staff can publish content.
  3. Make sure there is a content approval process in place.
  4. Set up account access logging and non-repudiation.
  5. Put emergency recovery plans and processes in place and test them.

How to assess your social media security

Step 1. Identify your stakeholders and scope

Identify the stakeholders who are responsible or accountable for the social media accounts and have the authority to provide responses to the proposed recommendations.

In most cases, the stakeholder group includes the ‘Head of Communications’ or ‘Head of Content and Innovation’, and the ‘Communications Manager’ or ‘Social Media Manager’.

Contact the stakeholders to start your review. You can let them know you would “like to discuss with you the latest NCSC protecting what you publish guidance and help you identify and implement potential improvements to avoid potential security incidents”.

Work with the stakeholders to clearly define the scope of the security assessment. This will include identifying:

Step 2. Interview the social media team

You will need to interview the identified stakeholders to understand the existing technical controls and procedures around the social media working practices, and to gather evidence for your assessment.

NOTE: You can use this social media assessment workbook, which includes questions to ask during the interview and allows you to document the responses in relation to the social media security controls being applied.

You may need to carry out more than one interview, with follow-up discussions, before you have all the information you need to make your findings and recommendations.

Step 3. Analyse your findings

You will need to analyse and assess the information and evidence from the interviewees to develop findings, residual risks and recommendations.

  1. Start by going through each security control in the social media assessment workbook and mark it as either ‘Met’, ‘Partially met’ or ‘Not met’ based on the information gathered.
  2. Identify and note down any residual risks (such as unattended social media accounts, unsecured mobile phones, unauthorised staff posting content).
  3. Assign a Red, Amber, Green (RAG) status to each security principle and record any improvements that need to be made to meet it.

Step 4. Report back your recommendations

Use this Report Template to record the outcome of the review and discuss it with the stakeholders. This report will help you to:

NOTE: To help you make recommendations you should cross reference your findings with the Using social media securely guidance.

We recommend discussing and iterating the report with your interviewees to agree an action plan for each recommendation.

Step 5. Follow up

Depending on the type of recommendations, it may be essential to set up regular checkpoint meetings with the person who is going to implement the improvement plan. This will help you to monitor the progress of these improvements and provide direction and advice.


OFFICIAL