IM policy pointers

As with any enterprise network application, good security for instant messaging starts with smart business practices. If public instant-message services are permitted within the company, users first must agree to a corporate usage policy. Meta Group recommends that an instant-message use policy should at least cover these points:

• Privacy. Instant-message users should have no expectation of privacy, and are subject to monitoring when policy abuse is suspected. Users of public instant-message services should be aware that they are broadcasting their presence to all users on the public network.
• Offensive content. Circulation of offensive material (racist, sexist, among others) is prohibited and grounds for immediate termination.
• Personal use. Personal use is either acceptable within reason, or forbidden.
• Security. External communication can be intercepted and redirected. Disclosure of any sensitive material is strictly prohibited.
• Contact lists. Business and personal contacts should be on separate lists to minimize the risk of mistaken communication.
• Screen names. Use a business-appropriate screen name that meets corporate conventions.
• Liability. Judges can subpoena instant messages. Avoid libelous, defamatory and other unsavory communications.
• Personal information. Do not include personal data (passwords, credit-card numbers) in instant messages.
• Viruses. Be aware that instant messages can contain viruses and other destructive payloads. Be alert to any suspicious messages. Decide whether file transfer via instant messaging is permitted or not.
• Etiquette. Observe all forms of personal etiquette when communicating via instant messaging. Use of the “Do not disturb” feature is acceptable.