Expert advice
What's the best approach for my organisation to meet regulatory or corporate policy obligations for archiving employee instant messaging traffic?
Ashim Pal, vice president at Meta, the IT research, advisory services, and strategic consulting group, tackles the question.
New organisational drivers, such as European Union data privacy regulations, the Sarbanes-Oxley Act and the USA PATRIOT Act, plus a new appetite for solid corporate governance, are focusing closer attention on the potential of digital records to incriminate organisations.
Unfortunately, we see organisations making the same classic mistakes in their approach to IM archiving and compliance that they made with email - assuming that some software or hardware tool will address the issue completely or, most usually, burying their head in the sand and hoping the problem will simply go away.
Of course, neither of these approaches is best practice - or indeed a good way to go about getting a good appraisal from your boss! The good news, though, for those organisations wanting to solve the problem the first time around is that most already possess the required skills. The question is, 'Do you have the will to do so?'
It's a lot easier to buy a product or write a simple policy, but we see best practice for IM archiving built on three initiatives: policy definition, risk assessment and remediation.
Policy definition
Most organisations should start with a policy to describe what IM should be used for (what business activities), what it should not be used for (unacceptable use), what messages should be kept or not (retention), and what specific IM tools should be used by employees (the preferred environment).
The first two are pretty standard features of an email or Internet access policy (which all readers of this article already have, of course!); the third needs to be defined; and the fourth element needs to be established, since users are typically more familiar with their personal IM environment choices than any defined corporate standards.
We do not recommend that personal IM use be banned altogether but instead recommend that usage rules be clearly defined (AOL AIM for personal use, IBM Sametime for organisational use, for example). We've found that permitting personal IM as an augmentation to corporate IM is beneficial to overall adoption of the technology and is a cheap way to provide an additional employee 'perk'.
In line with email best practices we recommend the 'three strikes and out' principle for dealing with IM misuse (verbal warning, written warning, then disciplinary action).
Risk assessment
Risk assessment is typically the piece most organisations neglect. This is significant since different organisations have very specific risk factors and areas of exposure. Nonetheless, we see many making an IM archiving decision (e.g. keep everything/keep nothing) based on gut feeling rather than a proper assessment of exposure.
Investment bank trading environments, for example, have a very much higher risk profile than most other organisations, because of compliance requirements and because they need to maintain 'Chinese walls' between different internal departments.
In fact, the National Association of Securities Dealers and the New York Stock Exchange recently made it clear that member firms must save all their instant message traffic for a minimum of three years. While we expect other industries such as pharmaceuticals to come under similar regulatory pressure, many industries will experience much lighter influence. In retail environments, for instance, IM may be used purely as a conversational tool with minimal business impact.
The assessment should determine the risks IM poses that are similar to those already identified for dealing with physical mail and electronic mail, as well as those risks specific to the IM environment. Based on this assessment the organisation should determine which existing risk principles apply to IM management and what new principles need to be established.
In most cases the major risk will be lack of persistence (i.e. the inability to prove or disprove the content of an instant message). Many organisations will elect to store IM for a limited period (holding all messages for between one and three months) to defend against potential accusations of inappropriate or illegal behaviour by IM users.
As with other communication mechanisms, both security and monitoring/compliance requirements must be addressed as part of the risk assessment. Typically for IM, monitoring requirements include tracking (especially for regulated industries) and filtering (to restrict loss of sensitive information and to enforce anti-spam and anti-virus policies).
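To make the persistence, retention and filtering requirements above concrete, here is an added example (not from the article or from any vendor product it names) of a minimal IM archive: each message is assigned a retention class from a constructed user directory (three years for a regulated desk, a 90-day hold otherwise), scanned by a constructed data-loss filter (Luhn-validated card numbers and a confidentiality marker), and written as a SHA-256 hash-chained record so that later tampering with stored content can be detected. The user addresses, patterns and retention figures are assumptions chosen for illustration.

```python
"""Toy IM archive: per-user retention, DLP flagging and hash-chained records."""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Retention classes in days. The figures follow the article: a three-year
# minimum for regulated (trading) users, a short hold elsewhere. The user
# directory is constructed for this example.
RETENTION_DAYS = {"regulated": 3 * 365, "default": 90}
USER_CLASS = {"trader1@example.com": "regulated", "retail1@example.com": "default"}

# Constructed DLP patterns: candidate card numbers (13-16 digits with optional
# space/dash separators) and an explicit confidentiality marker.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
CONFIDENTIAL_RE = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_flags(text):
    """Return the policy flags raised by a message body."""
    flags = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            flags.append("pan")
            break
    if CONFIDENTIAL_RE.search(text):
        flags.append("confidential")
    return flags


def retention_class(sender, recipient):
    """The stricter class of the two parties governs the record."""
    classes = {USER_CLASS.get(u, "default") for u in (sender, recipient)}
    return "regulated" if "regulated" in classes else "default"


class Archive:
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(rec):
        body = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, sender, recipient, text, ts):
        """Store one message; its hash covers the previous record's hash."""
        rclass = retention_class(sender, recipient)
        rec = {
            "seq": len(self.records),
            "ts": ts.isoformat(),
            "from": sender,
            "to": recipient,
            "text": text,
            "retention": rclass,
            "expires": (ts + timedelta(days=RETENTION_DAYS[rclass])).isoformat(),
            "flags": dlp_flags(text),
            "prev": self.records[-1]["hash"] if self.records else self.GENESIS,
        }
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """True only if every record's hash and back-link are intact."""
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def expired(self, now):
        """Sequence numbers of records whose retention period has elapsed."""
        return [r["seq"] for r in self.records
                if datetime.fromisoformat(r["expires"]) <= now]


if __name__ == "__main__":
    archive = Archive()
    t0 = datetime(2005, 1, 3, tzinfo=timezone.utc)
    archive.append("trader1@example.com", "retail1@example.com",
                   "order book is confidential", t0)
    archive.append("retail1@example.com", "guest@example.com",
                   "card 4111 1111 1111 1111 expires 12/06", t0)
    for r in archive.records:
        print(r["seq"], r["retention"], r["expires"], r["flags"])
    print("chain intact:", archive.verify())
```

Note that the chain makes deletion visible as well as tampering: disposing of expired records means cutting the chain at a known point and recording that decision, which is exactly the kind of retention rule the policy should state rather than leaving to the tool.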
Remediation
Having done the above you should now be in a good position to identify the right technology. Be tactical about buying IM management tools, since most come from small vendors or providers not necessarily focused on supporting corporate or government environments (e.g. AIM Enterprise Gateway, Blue Coat Systems, Akonix, IMlogic and FaceTime).
We expect many of these vendors either to re-target their products or to be acquired, so treat these as fairly short-term investments (24 to 36 months) rather than ones for life. Based on the requirements established in your risk assessment you should focus on the following features:
As all that suggests, there's no magic in getting IM archiving right, but there are well-known best practices that can be followed. They could stop your organisation falling foul of regulatory obligations or from exposing sensitive data - points that may be helpful at that next appraisal.