The first step is to clearly state your organization's policy on instant messaging. Here's a set of questions you should consider when defining your organization's IM policy:
- Is IM use permissible on your network?
- May users run IM software on systems owned by your organization?
- Does the organization endorse/require a specific IM platform?
- Is encryption mandatory?
- Is IM acceptable for corporate use or for personal communications only?
- Are there restrictions on the sensitivity of data that may be communicated via IM?
- Is there a requirement to retain records of IM communication for any period of time?
Once you have a clear policy on IM use, educate your users on policy requirements and their responsibilities.
You can take additional measures to protect instant messaging. Blanket it with layers of protection to ensure you're organization is protected against the viruses, worms and other malicious code that's become prevalent on IM networks. Run a modern antivirus program that includes IM scanning on all workstations, and consider a using network-based content
Unfortunately, encrypted IM is a relatively immature technology that typically requires a specialized client. One standout in this field is the free Trillian client by Cerulean Studios, which supports multiple IM networks and allows encrypted communications with other Trillian users.
The ultimate option in secure instant messaging is to run your own managed IM server or gateway. This eliminates the threat of outsiders intercepting internal messages as they cross the Internet by keeping the traffic on the local network, and it's actually easier than you might think. Many of these products allow you fine-grained control over the types and destinations of IM traffic on your network. In addition to the commercial products available, you may wish to consider the open-source Jabber IM server project.About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This article originally appeared on SearchSecurity.
This was first published in January 2008