JungH
Newcomer I

Managing the use of ephemeral Instant Messaging applications

Managing the use of ephemeral Instant Messaging applications (IM apps) for business communications is difficult:

IM apps can be considered an information security risk for reasons such as privacy, confidentiality or data retention in case of legal disputes.

On the other hand, in some regions IM apps have become the primary channel for conducting business and communicating with customers.

How does your organization balance this?

Do you prohibit IM apps, do you define use cases or do you accept the risk?

Please choose your option and provide just 3 answers regarding your current practice.

I'm interested in the use of ephemeral Instant Messengers which are not centrally managed by your own corporate IT, such as WhatsApp, Line, Hike or WeChat.

FORBID - My organization prohibits the use of IM apps in a business context

  1. Did you define strict policies against it?
    1. Yes
    2. No

  2. Did you implement technology to prevent these apps from being installed or used?
    1. Yes
    2. Not yet, but planning to
    3. No

  3. Do you follow a COPE (Corporate Owned, Personally Enabled) mobile device strategy?
    1. Yes
    2. No

DEFINE - My organization defines the use of IM apps in a business context, allowing only a few justified exceptions

  1. Did you define allowed use cases at policy level?
    1. Yes
    2. No

  2. Did you create an exception process?
    1. Exceptions are approved at Corporate Board level
    2. Exceptions are approved at another level of management
    3. No

  3. Did you implement supporting technology (e.g. central backups or monitoring)?
    1. Yes
    2. Not yet, but planning to
    3. No

ACCEPT - My organization accepts the risks

  1. Did leadership accept the risk?
    1. Risk accepted at Corporate Board level
    2. Risk accepted at another level of management
    3. No

  2. Did you implement supporting technology (e.g. central backups or monitoring)?
    1. Yes
    2. Not yet, but planning to
    3. No
5 Replies
JungH
Newcomer I

I'll start:

FORBID

1a

2b

3b

Steve-Wilme
Advocate II

I suppose I'm going to say define your terms. So you could argue, for example, that MS Teams has an IM function in it or that Slack is just an IM application. What about LinkedIn messaging?

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
JungH
Newcomer I

Hi Steve,

Thanks for pointing this out, I'll edit the first post accordingly.

I'm interested in the use of ephemeral Instant Messengers which are not centrally managed by your own corporate IT, such as WhatsApp, Line, Hike or WeChat.

Steve-Wilme
Advocate II

Whilst we ban IMs like WhatsApp on corporate devices, our staff have personal mobiles and can set up a group within that platform themselves. Generally, this then becomes a conduct matter in that non-public topics should not be discussed in any potentially public fora. It is the same principle as would apply to conversations in public places, allowing yourself to be shoulder surfed, using your mobile to discuss matters on a crowded train etc. So it is often better to treat these as misconduct issues rather than try to impose technical controls on platforms that you do not control.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
DHerrmann
Contributor II

Keep in mind that IM is restricted in various sectors.

Here's a story on a broker running afoul of FINRA's text messaging regulations: https://www.smarsh.com/blog/thought-leadership/FINRA-increases-scrutiny-of-brokers-text-messages-for....