IM Instant Messaging Security

Organizations should balance the legitimate need for IM against the dangers inherent in its use, minimizing their risk with a basic set of security policies. The single most effective method of minimizing risk is a corporate policy restricting the use of IM, complemented by the variety of products discussed previously in this book that help reduce the risk of infection by malicious threats or of information disclosure.
Before even considering the development of an IM security policy, you should determine whether IM is a business necessity, weighing that necessity against the potential risk of information disclosure or infection by malicious threats. In general, you should standardize on a particular IM client, and if the client does not support enterprise features such as central logging and encryption, strict rules should be enforced regarding its use. In particular, the use of IM to discuss any business matters should be prohibited. Additionally, nicknames should not reveal their owners' association with the corporation. These requirements may make IM almost useless for pure business communication. File sharing should be blocked, and even potential incoming file transfers should be regulated. If incoming file transfers are required, users should be educated on the policy for accepting and executing unknown files that arrive via IM. A password policy should require complex passwords of at least eight characters (the longer the better), and passwords should not be cached. Finally, an IM system...