Social Media Operating Procedure - Security
For the purpose of this standard operating procedure, "social media" is a term for user-driven content technologies that allow people to create, share and exchange information and content, which may include photos and videos. Examples include, but are not limited to, Facebook, Instagram, LinkedIn, Twitter and YouTube.
Account Setup, Access, and Settings
All social media platforms utilized by a division, college, school, etc. should use an email address linked to their uppermost parent organizations. For example, department social media accounts should be tied to an email address owned by the MarComm team in their school/college. Only MarComm staff should have complete access social media accounts, and their accounts' associated email inbox. Other university employees can be granted account access to certain platforms and the inbox at the discretion of the Director of Social Media.
Account settings on each social media platform will be reviewed annually at the start of each fall semester OR when a platform updates its user agreements or terms of services. Account settings must accurately reflect any and all social media policies enacted by The Texas A&M University System and Texas A&M University.
Employee Requirements for Account Access on Personal Devices
If employees are using their personal devices to access university social media accounts (examples include mobile phones, tablets, and other such computing devices), those devices must have a passcode or password enabled. In the event that a personal device with university account access is lost or compromised, all active sessions on all university social media platforms will be terminated and all passwords will immediately be changed.
Password Protection and Updates
Passwords to all Texas A&M social media platforms must meet university password requirements, as outlined in Security Control 1A-5. Passwords are updated*:
- annually at the start of each fall semester; or
- when an account becomes compromised; or
- when an employee with access to the accounts leaves the organization.
When possible, account credentials for all social media platforms shall be stored in a password manager application approved by the Chief Information Security Officer. When feasible, multi-factor authentication will be enabled on social media platforms.
*Note on Facebook
Employees who have Page Roles on the university's Facebook Page are required to 1) have a personal Facebook password that meets university password requirements and 2) have two-factor authentication enable on their Facebook profile.