Follow this guidance if you work in a social media communications team and you’re responsible for setting up, posting content to and managing social media platforms at your public sector organisation.
This guidance will help reduce the likelihood that damaging content is published on your social media accounts. The Central Digital and Data Office (CDDO) developed this guidance based on the NCSC protecting what you publish guidance and the Cabinet Office social media security policy.
Please email securing-gov-services@digital.cabinet-office.gov.uk if you have any questions or comments.
The NCSC protecting what you publish guidance recommends you must:
The person responsible for the social media management in your organisation must take the following steps to protect social media accounts.
You must make sure you only use social media and analytics tools which support:
You must know which social media platforms and analytics tools your staff are using, keep a record of any changes and decommission any accounts when they are no longer used. You must ensure the social media platform is approved by your Information Assurance team.
To control access to your social media accounts do the following.
We strongly recommend securing your social media passwords using a password management tool.
A password management tool provides a secure vault for the social media account passwords, so users can access the accounts without ever knowing the actual passwords. Password management tools can also enforce password rules for creating “tough” passwords and remove the need for staff to share passwords through email or other channels in which they may be compromised.
This will help to mediate privileged access to social media accounts, including:
If there is no alternative but to store passwords in a file, you must encrypt the file and only share the password for the file with authorised recipients using an “out-of-band” channel like a phone call or text message. Discuss this password management arrangement with your local Senior Security Advisers (SSAs) or equivalent and Information Assurance team.
Note: Never store passwords in files that are not password protected, or in shared, unencrypted documents on servers. Unauthorised people may get access to these files.
Refer to the NCSC Password administration for system owners guidance for more help setting secure passwords.
You must make sure content is approved before being published. This will help to minimise the risk of accidentally or deliberately publishing incorrect content which could cause reputational damage. You must do the following to make sure appropriate content is published.
Formally agree a process for maintaining the manual log of user activities relating to content creation and approval. This process must make sure the log is protected from unauthorised changes: the log must only be editable by an appointed person who is responsible for maintaining it, and all other team members should have read-only access to it.
Social media management tools can provide automatic content approval workflows and an extra level of user activity tracking for non-repudiation. Review the social media management tools on the market to see how they meet your business needs and the recommendations in this guidance.
It is important to be able to track who or what has posted content on all your social media platforms at a specific date and time, and to what extent that action can be attributed to an identifiable individual. Being able to record irrefutable events associated with personal actions significantly helps in any security incident investigation.
When multiple users access social media accounts, consider using a:
PAM tools can create a record of activity on social media accounts to trace all posts directly back to individual authorised users. This helps identify weak areas of security as well as rogue employees who may be posting damaging content.
Note: Avoid posting content directly to social media platforms as this makes it hard to track who has posted content. Wherever possible you must use a social media management tool which can provide this audit capability for you.
You must make sure you have a documented and tested recovery plan to follow in the event of an incident. Your social media teams must know their responsibilities as documented in this plan. You must have processes to identify the root cause of an incident and apply lessons learned on current security practices.
Your social media accounts must be set up with contact details of a role-based account, which can be accessed by trusted individuals to reset the password and get access to an account. Do not use individual accounts like jane.smith@yourorganisation.gov.uk.
Where anyone with authorised access to the account has published damaging content, you must be able to quickly revoke their access remotely. You can do this by logging out of all sessions and changing all passwords related to the account.
If your account is hijacked by an attacker and you are locked out of it, you must have a step-by-step process to regain control of the account. It is essential that you have a point of contact with the social media platform owner to escalate any issues with the recovery activities. If an attacker has accessed the account recovery information, then the only recourse might be to contact the social media platform owner.
Test the recovery plan regularly. Make sure you know in advance who to contact, and what information you'll need in order to identify yourself to the social media platform owners.
OFFICIAL