| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | OFFICIAL - SENSITIVE (when completed) MAKE A COPY | |||||||||||||||||||||||||
2 | ||||||||||||||||||||||||||
3 | NCSC Principle | Security Question / Area | Security Control | Comments (How is the control implemented) | Control Status (Met/ Partially Met/ Not Met) | Residual Risk | Principle RAG Status | Improvements | ||||||||||||||||||
4 | 1. Use reputable social media platforms and tools | 1. What media platforms and accounts are you using? Does the social media platform support 2FA, account recovery mechanisms, incident response mechanism for notification or reporting of issues and how they protect the data (GDPR)? | 1.1. The platform(s) support 2FA for content and account management | Red | ||||||||||||||||||||||
5 | 1.2. The platform(s) have a password or account recovery mechanism | |||||||||||||||||||||||||
6 | 1.3. The platform(s) have an incident response mechanism for notification or reporting of issues | |||||||||||||||||||||||||
7 | 1.4. The platform(s) support protections in accordance with GDPR and describe how they protect data | |||||||||||||||||||||||||
8 | 1.5. Close any accounts that are no longer used or have been inactive for a while, to avoid them being hacked and used to access and compromise active accounts | |||||||||||||||||||||||||
9 | 1.6 You must ensure that the social media platform and social media management tools are approved by your Information Assurance team. | |||||||||||||||||||||||||
10 | 2. What social media management tools are you using? Does the social media management tool support 2FA and generate logs with the user activities? | 1.7. The social media management tool(s) support 2FA for content and account management | ||||||||||||||||||||||||
11 | 1.8. The social media management tool(s) generate logs with the user activities which records, userID, date/time and action to support non-repudiation. | |||||||||||||||||||||||||
12 | 2. Only authorised staff can publish content directly or via social media management tools | 3. Who has access to social media accounts and management tools? | ||||||||||||||||||||||||
13 | 4. How do you control who has access to the social media accounts? | 2.1. Multiple user access is controlled with unique userID, passwords and 2FA code via a social media management tool. | ||||||||||||||||||||||||
14 | 5. What is your password policy with regards to complexity / strength? How do you follow the NCSC password guidance? Do you share passwords? Please provide details? | 2.2. Implement a sound password policy - refer to https://www.ncsc.gov.uk/collection/passwords/updating-your-approach Avoid sharing passwords, if possible. Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight. Some password managers allow users to share passwords in a more secure way (for example, they can audit access to the password and automatically sync password changes). Refer to https://www.ncsc.gov.uk/collection/passwords | ||||||||||||||||||||||||
15 | 6. Where are the social media account passwords stored? Are you using a password management tool? If yes, please provide how passwords are securely stored and accessed? | 2.3. Use credential protection mechanisms (such as password managers) to provide shared access to sensitive systems. Refer to https://www.ncsc.gov.uk/collection/passwords/password-manager-buyers-guide Integrate with Privileged Access Management (PAM) solutions in place which could further protect the social media accounts, as these can help to secure passwords as well as auditing user access. | ||||||||||||||||||||||||
16 | 7. Where are the social media account passwords stored? Are you storing the password in files? Are these files encrypted? How do you control access to the password files? | 2.4. Make sure passwords are stored securely; do not store passwords in plaintext in files, or in shared, unencrypted documents on servers which can be easily accessed by unauthorised persons. As a minimum: Save the file which stores the passwords with a name that doesn’t give away the content. Save the file with encryption on and use a password that follows the NCSC password policy - refer to https://www.ncsc.gov.uk/collection/passwords/updating-your-approach Send just the password to access the file over an out-of-band channel. Change the password to access the password file monthly. | ||||||||||||||||||||||||
17 | 8. Do you use 2 Factor Authentication (2FA) for accessing the social media accounts? If yes, how is the 2FA implemented? | 2.5. 2FA is implemented using a reputable authenticator app on corporately owned devices. Avoid 2FA based on text message / SMS solution. | ||||||||||||||||||||||||
18 | 9. Who is responsible for setting up access to your social media accounts and management tool? | 2.6. There is a nominated person (dedicated social media manager) responsible for user account management and password management. If a member of staff with access to your social media accounts leaves your organisation (or even changes roles), make sure their access to all such accounts is revoked in a timely manner. This needs to be done promptly - ideally before they move - in case there's any animosity surrounding their departure or move. Doing this should form part of your organisation's wider process to manage 'Joiners, Movers and Leavers' (JML), which should cover managing access to all IT systems. Change the social media accounts passwords as part of the leavers process. | ||||||||||||||||||||||||
19 | 10. Who has access to social media accounts and management tools? 11. Is there a register with who has access to the social media accounts and management tools? Please provide a copy What is the respective user management process for Joiners /Movers / Leavers (JML)? | 2.7. Develop and regularly update a register with who has access to what social media accounts Establish an assurance processes to check that JML processes are followed in a timely manner. | ||||||||||||||||||||||||
20 | 12. What devices are used to post content? | 2.8. Social media staff use corporate devices to create and publish content. | ||||||||||||||||||||||||
21 | 3. The content is accurate and up-to-date and the content has gone through the necessary authorisation channels prior to release | 13. What is your content review and approval process? How have you implemented the process? - Are you using a social media management tool? How have you implemented workflows or checks to provide for accidental or intentional publishing of damaging content? - Are you using a record (excel sheet / word document)? How have you implemented checks to provide for accidental or intentional publishing of damaging content? | 3.1. Set up an approval process for all social media posts across all official accounts (and have it managed by the person you establish to oversee these accounts). Develop and implement a publishing workflow (via a social media management tool) or manual governance process to manage the creation, approval, and publication of content. The workflow / governance process should at a minimum identify the required checks that each piece of content must pass in terms of drafting, reviewing, approving and publishing content before it can be published. | |||||||||||||||||||||||
22 | 14. Are you posting natively onto the social media channels? Please provide the circumstances for doing so | 3.2. Post natively only if you do polls (public votes on content) or the social media management tool doesn't support the type / format of the required content | ||||||||||||||||||||||||
23 | 4. Set up account access logging and non-repudiation | 15. How do you track who has posted content on all your social media platforms at a specific time and date with the protection against an individual falsely denying having performed a particular action? - Is it done through the social media management tool log? How? - Is it done through the password management tool log? How? - Is it done through the social media platform log? How? - Is it done though a manual process (rota)? How? | 4.1. Ensure that account access logging is switched on within social media management tools and social media accounts to provide an audit trail for unauthorised posts, or anomalous access to the account. | |||||||||||||||||||||||
24 | 16. Could you provide screenshots of the logs? | 4.2. The implementation of control 4.1 provides a record of the userID, date & time, user activity (login or post content and actual content) | ||||||||||||||||||||||||
25 | 5. Put emergency recovery plans and processes in place and test them | 17. What is your recovery plan and processes in the event - you have forgotten the social media password? - your social media accounts are compromised by someone with authorised access? - your social media accounts are hijacked by external malicious attackers? Could you provide a copy of this document? | 5.1. Develop and document a recovery plan in the event that the social media accounts are compromised. Make sure that it is possible to quickly revoke access, most likely remotely, and regain access to the account. The plan is clear and includes steps for the following scenarios for all social media platforms - you have forgotten the social media password - your social media accounts are compromised by someone with authorised access - your social media accounts are hijacked by external malicious attackers | |||||||||||||||||||||||
26 | 18. Have you communicated the recovery plan to the team and made them aware of their responsibilities? | 5.2. Make sure the team know how to access this recovery plan and are aware of their respective responsibilities. | ||||||||||||||||||||||||
27 | 19. Does the platform have an incident response mechanism for notification, or reporting of issues? | 5.3. Most social media tools provide the means to verify the owner's account(s) using extra identifying information in the case of an account compromise. Ensure that the identifying information is appropriate and documented within the recovery plan. | ||||||||||||||||||||||||
28 | 20. Have you agreed on a point of contact with the platform owner? Please provide details | 5.4. Make sure that the recovery plan includes either points of contact in the social media planform organisation or clear instruction on how to contact the platforms' help centre. This is particular relevant if an attack has also accessed this account recovery information, then the only recourse might be to contact the social media platform owner. | ||||||||||||||||||||||||
29 | 21. Have you been maintaining and testing your recovery plan / processes? When did you last tested it? | 5.5. Ensure that the recovery plan is kept up to date. Test the recovery plan regularly (every 6 months as a minimum). Ensure you know in advance who to contact, and what information you'll need in order to identify yourself to the social media platform owners. | ||||||||||||||||||||||||
30 | 22. Have you had an incident? What have you learned from it and how have you reflected lessons into your security practices? | 5.6. Ensure that the root cause of the incident is analysed adn lessons learded are applied to exisiting security practices | ||||||||||||||||||||||||
31 | ||||||||||||||||||||||||||
32 | ||||||||||||||||||||||||||
33 | ||||||||||||||||||||||||||
34 | ||||||||||||||||||||||||||
35 | ||||||||||||||||||||||||||
36 | ||||||||||||||||||||||||||
37 | ||||||||||||||||||||||||||
38 | ||||||||||||||||||||||||||
39 | ||||||||||||||||||||||||||
40 | ||||||||||||||||||||||||||
41 | ||||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||
43 | ||||||||||||||||||||||||||
44 | ||||||||||||||||||||||||||
45 | ||||||||||||||||||||||||||
46 | ||||||||||||||||||||||||||
47 | ||||||||||||||||||||||||||
48 | ||||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||
100 |