Social media guidance
Follow this guidance if you’re a security assurance subject matter expert (SME) and you’re responsible for assessing security, management and usage of your social media accounts at your public sector organisation.
This guidance will help you carry out a security review of your social media platforms using the following Report Template.
Please email securing-gov-services@digital.cabinet-office.gov.uk if you have any questions or comments.
The Central Digital and Data Office (CDDO) developed this guidance based on the National Cyber Security Centre’s (NCSC) ‘Protecting what you publish’ guidance, which recommends the following:
- Use reputable social media platforms and tools that provide good security features.
- Make sure only authorised staff can publish content.
- Make sure there is a content approval process in place.
- Set up account access logging and non-repudiation.
- Put emergency recovery plans and processes in place and test them.
How to assess your social media security
Step 1. Identify your stakeholders and scope
Identify the stakeholders who are responsible or accountable for the social media accounts and have the authority to provide responses to the proposed recommendations.
In most cases, the stakeholder group includes the ‘Head of Communications’ or ‘Head of Content and Innovation’ and the ‘Communications Manager’ or ‘Social Media Manager’.
Contact the stakeholders to start your review. You can let them know you would “like to discuss with you the latest NCSC protecting what you publish guidance and help you identify and implement potential improvements to avoid potential security incidents”.
Work with the stakeholders to clearly define the scope of the security assessment. This will include identifying:
- who you need to contact on the communications or social media teams
- which social media accounts you will be reviewing
- who will be responsible for making any necessary security improvements
Step 2. Interview the social media team
You will need to interview the identified stakeholders to understand the existing technical controls and procedures around the social media working practices and get some evidence for your assessment.
NOTE: You can use this social media assessment workbook, which includes questions to ask during the interview and allows you to document the responses in relation to the social media security controls being applied.
You may need to carry out more than one interview and follow-up discussions before you get all the information to make the findings and recommendations.
Step 3. Analyse your findings
You will need to analyse and assess the information and evidence from the interviewees to develop findings, residual risks and recommendations.
- Start by going through each security control in the social media assessment workbook and mark it as either ‘Met’, ‘Partially met’ or ‘Not met’ based on the information gathered.
- Identify and note down any residual risks (such as unattended social media accounts, unsecured mobile phones, unauthorised staff posting content).
- Enter a Red, Amber, Green (RAG) status for each security principle and note any improvements that need to be made to meet it.
Step 4. Report back your recommendations
Use this Report Template to record the outcome of the review and discuss it with the stakeholders. This report will help you to:
- outline the scope of the assessment
- provide a summary of current good practices and security controls in place
- provide a snapshot of how well the organisation is meeting NCSC principles by using a Red, Amber, Green status
- provide details about any risks and recommendations on how to minimise them
NOTE: To help you make recommendations, you should cross-reference your findings with the ‘Using social media securely’ guidance.
We recommend discussing and iterating the report with your interviewees to agree an action plan for each recommendation.
Step 5. Follow up
Depending on the type of recommendations, it may be essential to set up regular checkpoint meetings with the person who is going to implement the improvement plan. This will help you to monitor the progress of these improvements and provide direction and advice.