1. Identify IM usage. Executives should first determine whether employees are using IM, and how heavily. If they find employees are using IM before the company has a management plan, they may consider addressing their IM risks sooner rather than later.2. Create a plan. Before determining how to manage IM, companies need to decide what role IM will play in corporate communications and how it maps into the company's overall business goals. Then they'll need to determine which employees will use IM and how.
3. Manage IM from the corporate infrastructure level. Rogue IM use is the source of most IM security risks. By routing all IM traffic through a central server, companies can manage IM at the corporate infrastructure level. IT managers can also map user screen names to corporate IDs to eliminate anonymity and ID spoofing problems.
4. Create IM usage policies. Many companies already have communications policies. These policies should be expanded to specify how employees can use instant messaging. Policies that ban anonymous IDs and unauthorized file transfers help minimize risk.
5. Deploy specific security measures. These include:
* Either block file transfers outright or scan all files before transferring data onto the network.
* Authenticate employee IDs against the corporate directory before allowing employees to access the IM network.
* Block external traffic from spam IDs at the corporate firewall to further limit virus infections and lost productivity.
* Use content filtering to scan and block instant messages with confidential information.
* Intelligently route IM traffic on the corporate network to prevent unencrypted conversations from passing the firewall. This keeps proprietary conversations safely inside the firewall.
6. Archive all IM traffic. This not only ensures employees comply with internal policies, but it also helps companies comply with federal regulations from such entities and policies as the Securities Exchange Commission and the Sarbanes-Oxley Act.
Source: IMLogic, Waltham, Mass.
