Inventory of every corporate social account + owner
Description
What this control does
This control requires the organization to maintain a centralized, current inventory of all social media accounts owned or operated on behalf of the organization, including platform name, account handle, business purpose, and designated account owner/custodian. The inventory must cover official corporate channels, regional or divisional accounts, and any accounts representing the brand or organization. This visibility prevents an undocumented ("shadow") social media presence, establishes accountability for content and access, and enables rapid response during security incidents or reputation events.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, accurate, and current inventory of all corporate-affiliated social media accounts with assigned ownership and accountability.
Associated risks
Risks this control addresses
- Unauthorized or abandoned social media accounts impersonate the organization and distribute fraudulent content or phishing links
- Former employees or contractors retain access to untracked accounts and post unauthorized or damaging content
- Account compromise goes undetected because no owner monitors the account or receives platform security notifications
- Brand confusion or customer misdirection occurs when unofficial or shadow accounts operate without organizational knowledge
- Incident response is delayed or incomplete because security teams lack visibility into all accounts requiring password resets or takedown requests
- Regulatory or legal obligations are violated when unmanaged accounts disseminate non-compliant marketing, financial disclosures, or customer communications
- Credential stuffing or brute-force attacks succeed against accounts with weak or reused passwords that are not subject to enterprise authentication controls
Testing procedure
How an auditor verifies this control
- Request the organization's official social media account inventory document or asset register containing platform, handle, purpose, and owner details
- Interview the marketing, communications, and brand management teams to identify all known corporate social media accounts including regional, product-specific, and campaign-specific channels
- Perform independent discovery by searching major social platforms (Facebook, Twitter/X, LinkedIn, Instagram, YouTube, TikTok) using the organization's name, brand variations, and domain names
- Compare the official inventory against discovered accounts to identify discrepancies, omissions, or untracked accounts
- Select a sample of 10-15 accounts from the inventory and verify that each listed owner can authenticate, demonstrate administrative access, and describe their role and responsibilities
- Review account access logs or platform audit trails for sampled accounts to confirm owner activity and validate that no unauthorized users retain access
- Verify that the inventory includes metadata such as creation date, last access review date, and authentication method (SSO, MFA, password-only)
- Confirm that a documented process exists for adding new accounts to the inventory and removing or archiving decommissioned accounts within a defined timeframe
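The comparison and metadata-verification steps above can be automated once the inventory and the discovery results are in tabular form. The following Python script is an added example (it is not part of this control text or of any framework tooling): it normalises platform/handle pairs, flags discovered accounts absent from the inventory, inventory entries that discovery did not find, records missing required fields or metadata, reviews older than an assumed 365-day cadence, and password-only authentication. The inventory rows, the discovered handles, the audit date and the review cadence are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Fields the control text says every inventory entry must carry
REQUIRED_FIELDS = ("platform", "handle", "purpose", "owner")
# Metadata the auditor checks for (creation date, last review, auth method)
METADATA_FIELDS = ("created", "last_review", "auth_method")
# Assumed review cadence; the control text defines no specific interval
REVIEW_MAX_AGE = timedelta(days=365)


def account_key(platform, handle):
    """Normalise platform + handle so '@ExampleCo' and 'exampleco' compare equal."""
    return (platform.strip().lower(), handle.strip().lstrip("@").lower())


def reconcile(inventory, discovered, as_of):
    """Compare the official inventory against independently discovered accounts.

    inventory:  list of dicts carrying the REQUIRED_FIELDS and METADATA_FIELDS
    discovered: iterable of (platform, handle) pairs found by platform search
    as_of:      date used to judge whether the last access review is stale
    Returns a dict of findings keyed by finding type.
    """
    findings = {
        "untracked": [],         # discovered but not in the inventory
        "not_found": [],         # in the inventory but not found by discovery
        "missing_fields": {},    # entry -> required fields that are empty
        "missing_metadata": {},  # entry -> metadata fields that are empty
        "stale_review": [],      # last review older than REVIEW_MAX_AGE
        "weak_auth": [],         # not covered by SSO/MFA
    }
    inv_keys = {}
    for rec in inventory:
        key = account_key(rec.get("platform", ""), rec.get("handle", ""))
        inv_keys[key] = rec
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings["missing_fields"][key] = missing
        missing_meta = [f for f in METADATA_FIELDS if not rec.get(f)]
        if missing_meta:
            findings["missing_metadata"][key] = missing_meta
        last = rec.get("last_review")
        if last and as_of - last > REVIEW_MAX_AGE:
            findings["stale_review"].append(key)
        if rec.get("auth_method") == "password-only":
            findings["weak_auth"].append(key)
    disc_keys = {account_key(p, h) for p, h in discovered}
    findings["untracked"] = sorted(disc_keys - inv_keys.keys())
    findings["not_found"] = sorted(inv_keys.keys() - disc_keys)
    return findings


# Constructed audit date (assumption)
AS_OF = date(2024, 6, 1)

# Constructed sample inventory; the handles and owners are not a real organisation's
INVENTORY = [
    {"platform": "LinkedIn", "handle": "exampleco", "purpose": "Corporate news",
     "owner": "comms-lead@example.com", "created": date(2015, 3, 2),
     "last_review": date(2024, 2, 14), "auth_method": "SSO+MFA"},
    {"platform": "Twitter/X", "handle": "@ExampleCo", "purpose": "Customer support",
     "owner": "support-mgr@example.com", "created": date(2012, 7, 9),
     "last_review": date(2022, 11, 30), "auth_method": "password-only"},
    {"platform": "Instagram", "handle": "exampleco_emea", "purpose": "Regional marketing",
     "owner": "", "created": date(2021, 1, 20),
     "last_review": None, "auth_method": "MFA"},
]

# Constructed results of searching the platforms for the brand name
DISCOVERED = [
    ("linkedin", "exampleco"),
    ("twitter/x", "exampleco"),
    ("tiktok", "exampleco_official"),  # nobody in the inventory owns this one
]

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DISCOVERED, AS_OF).items():
        print(f"{kind}: {items}")
```

Each finding maps directly to a testing step: "untracked" entries are the discrepancies from the inventory-versus-discovery comparison, "missing_fields" and "missing_metadata" fail the completeness check, and "stale_review" and "weak_auth" feed the owner-verification sample. Real discovery output would come from platform searches rather than a hard-coded list.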
Where this control is tested