topic Re: Managing the use of ephemeral Instant Messaging applications in Governance, Risk, Compliance

Managing the use of ephemeral Instant Messaging applications

JungH — Wed, 22 Mar 2023 12:51:57 GMT

Managing the use of ephemeral Instant Messaging applications (IM apps) for business communications is difficult:

IM apps can be considered as an information security risk for reasons like privacy, confidentiality or data retention in case of legal disputes.

On the other hand, in some regions IM apps have become the primary channel for conducting business and communicating with customers.

How does your organization balance this?

Do you prohibit IM apps, do you define use cases or do you accept the risk?

Please choose your option and provide just 3 answers regarding your current practice.

I'm interested in the use of ephemeral Instant Messengers which are not centrally managed by your own corporate IT, such as WhatsApp, Line, Hike or WeChat.

FORBID - My organization prohibits the use of IM apps in a business context

Did you define strict policies against it

Did you implement technology to prevent these apps from being installed or used

Yes
Not yet, but planning to
No

Do you follow a COPE (Corporate Owned, Personally Enabled) mobile device strategy?

DEFINE - My organization defines the use of IM apps in business context, allowing but a few justified exceptions

Did you define allowed use cases at policy level?

Did you create an exception process?

Exceptions are approved by Corporate Board level
Exceptions are approved by other level of management
No

Did you implement supporting technology (for e.g. central backups or monitoring)?

Yes
Not yet, but planning to
No

ACCEPT - My organization accepts the risks

Did leadership accept the risk?

Risk accepted by Corporate Board level
Risk accepted by other level of management
No

Did you implement supporting technology (for e.g. central backups or monitoring)?

Yes
Not yet, but planning to
No

Re: Managing the use of Instant Messaging applications

JungH — Tue, 21 Mar 2023 13:28:49 GMT

I'll start:

FORBID

Re: Managing the use of Instant Messaging applications

Steve-Wilme — Tue, 21 Mar 2023 15:37:22 GMT

I suppose I'm going to say define your terms. So you could argue for example that MS Teams has an IM function in it or that Slack is just an IM application. What about Linkedin messaging?

Re: Managing the use of Instant Messaging applications

JungH — Wed, 22 Mar 2023 12:50:38 GMT

Hi Steve,

Thanks for pointing this out, I'll edit the first post accordingly.

I'm interested in the use of ephemeral Instant Messengers which are not centrally managed by your own corporate IT, such as WhatsApp, Line, Hike or WeChat.

Re: Managing the use of Instant Messaging applications

Steve-Wilme — Wed, 22 Mar 2023 14:28:37 GMT

Whilst we ban IMs like WhatsApp on corporate devices, our staff have personal mobiles and can set-up group within that platform themselves. Generally, this then becomes a conduct matter in that non public topics should not be discussed in any potentially public fora. It is the same principal as would apply to conversations in public places, allowing yourself to be shoulder surfed, using your mobile to discuss matters on a crowded train etc. So often better to treat these are misconduct issues rather than try to impose technical controls on platforms that you do not control.

Re: Managing the use of ephemeral Instant Messaging applications

DHerrmann — Fri, 05 May 2023 17:30:13 GMT

Keep in mind that IM is restricted in various sectors.

Here's a story on a broker running afoul of FINRA's text messaging regulations: https://www.smarsh.com/blog/thought-leadership/FINRA-increases-scrutiny-of-brokers-text-messages-for-business#:~:text=FINRA%20suspended%20a%20broker%20for,settlement%20finalized%20earlier%20this%20month.