Introduction

Social media has become an integral part of our daily lives, both personally and professionally. It allows us to connect with others, share information and ideas, and stay up to date on current events. However, it is important to remember that social media also presents risks to our personal and professional reputations, as well as to the security of our information. To protect ourselves and our organizations, it is essential to follow best practices for securing our social media accounts. In this policy, we will outline the steps that should be taken to ensure the safety and security of our social media presence.

University of Iowa social media accounts represent the institution, and as such should be protected as an institutional asset. This requires careful consideration of the risks and security best-practices.

Exceptions to existing institutional policy may be necessary. Please submit exception requests to the Information Security & Policy Office (it-security@uiowa.edu ).

Additional clarification on management best-practices will be coordinated via the Office of Strategic Communications & ISPO. If you have a question related to this guidance, please contact ISPO.

Account management

• Register institutionally-owned social media accounts to @uiowa.edu email accounts. This allows the account to be recoverable in the event that an account takeover occurs by a third-party. If the account is tied to a personal gmail, yahoo, or other account, the email account could be non-recoverable as well.
• Enable Multi-Factor Authentication. This prevents most phishing and credential compromise attacks from being successful. Most social media sites now allow or require MFA by default – if not, please enable.
• Do not re-use passwords. Using the same (or similar) passwords across multiple accounts makes it easier for an attacker to compromise a number of accounts. Attackers will frequently attempt the same password across similar accounts due to the likelihood of password reuse.
• Change account passwords upon termination or transfer of any staff. If an account password is not changed, the terminated employee may still retain access (whether via an existing app connection or via knowledge of the password). Regardless of whether the termination was voluntary or not, it is best-practice to remove their access to the account.

Social media integrations

• Use institutional accounts for feed integration. Feeds normally require an initial authentication via a user account. This account should be an institutionally-managed account, in order to avoid disruption or confusion during employee transitions.
• Beware of the risks of social media integration. Integrating social media into a website may risk unintended consequences for users of your website. Some integrations can tell if the website visitor has an existing account on their social media platform, thus allowing the company to know who accessed your website.

Prohibited service/ application uses

TikTok

• Please see the Iowa Board of Regents guidance on the management of Tiktok accounts, found here: https://www.iowaregents.edu/news/board-news/statement-from-president-mike-richards-on-governor-reynolds-directive-to-ban-access-to-tiktok
• Please contact ISPO if you have questions or concerns about the applicability of this guidance to your specific integration or situation.

Last updated 12/16/2022