Instant Messaging Planet is a good place to start. I have been asked to
review instant messaging for our organization and have found several useful
links on this site. I believe (although I am not absolutely sure) that the
SEC has certain logging and retention requirements for messaging of this type.

Some of the more prevalent issues would be: systems integration, level of
required support, logging and tracking, cost per user, well-documented policy
and procedure, firewall integration and rulesets, connectivity with outside
sources (i.e. AOL, Yahoo, etc.) or proprietary connectivity, intended use of
the system, ease of roll-out, real-time monitoring access, file transfer
controls, remote operations (some IM apps allow remote administration of the
desktop), virus scanner interoperability, etc.

Patrick Yager, CIA
-----Original Message-----
From: Kaplan, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 09, 2002 2:38 PM
To: '[EMAIL PROTECTED]'
Subject: Security and Control of Instant Messaging

Has anyone looked at audit security and control issues associated with instant messaging? A user on the ISACA discussion list was asked by IT to assemble a list of audit requirements prior to selecting a technology solution. If you have any experience in this area, please share. I will post a list of audit security and control issues on the AuditNet web site based on the responses.

To start things off, here are a few that I was able to come up with:

Security and Control of Instant Messaging

IM Compliance Supervision - the ability to monitor IM message content for words or phrases restricted by employee roles
IM Access Control - the ability to allow or disallow certain employees to use IM, and to enforce the use of only business professional IM screen names
IM Identity Management - the ability to map IM screen names with corporate employee IDs
IM Export - the ability to export complete IM conversations as e-mails to any corporate e-mail system, e-mail compliance systems, or storage systems

Jim Kaplan MSA, CIA, CFE, CSM
Fairfax County Public Schools
Superintendent's Office
Director - Internal Audit
(703) 591-2590 Phone
(703) 591-4113 FAX
