Social Media Best Practices for Account Access & Security
The following best practices for managing social media account access should be followed by University of Illinois at Urbana-Champaign accounts to ensure they remain secure and only authorized individuals have access.
Unit-level accounts are a direct extension of the University and should to be treated as a university resource. They need to be secured and may be subject to public records requests and other laws and policies.
Managing Account Access
Document everyone who has access and passwords for each of the unit’s social media accounts. At least once a year, units should audit the access list to make sure it is up to date. Remove people who should no longer have access to post to the unit account.
- Make sure at least two people have access to every social media account. At least one of them should be a full-time University employee. When multiple people have access to an account, it reduces the risk of the unit being locked out of the account when an account manager leaves or changes roles.
- Use department emails, rather than personal ones, for account email needs. When possible, use a department email that many users can access rather than an email tied to a specific person. This will help reduce the risk of units losing access to the account when staffing changes occur. Additionally, notifications sent to the shared department email account will be seen by everyone managing the social media account.
- When possible, use the account management tools provided by the platform. The tools for group management of social media accounts vary from platform to platform. Use these tools, like Facebook’s Business Manager, to provide greater resources for managing access and to make a clearer distinction between personal and unit accounts.
- If working with outside vendors, limit the account access to only what is necessary. If the unit is contracting someone else to work on the accounts, use secure practices when sharing account information. When possible, use official platform tools like Facebook Ads Manager and Twitter Ads Manager to limit vendor access to necessary levels. Sharing passwords to university accounts should be done only when no other alternative is available.
- Only people who are currently managing the account should have the current password. Change passwords as quickly as possible each time someone who has access leaves the unit or changes roles and no longer needs access to the account.
- New passwords should be securely shared. Admins should be notified of new passwords either over the phone or in-person. No passwords should be shared via email.
- Create a new password for account takeovers. Units that allow individuals or groups, including contracted outside vendors, to temporarily take over their social media accounts should create a temporary password for the takeover and change it immediately after the takeover ends.
- Follow best practices for creating strong passwords and do not reuse passwords for multiple accounts. Make sure passwords are complex and unique for each platform. When accounts reuse passwords, compromising one account puts all of the other accounts at risk.