Abstract

This chapter focuses on the general requirements for an instant messaging (IM) Risk Management program and describes the various regulatory requirements that drive the need for risk mitigation in an enterprise. Risk management challenges associated with the use of IM include revealing confidential information over an unsecured delivery channel, spreading viruses and worms, and exposing the network to backdoor Trojan horses. IM is also vulnerable to denial-of-service attacks and session hijacking, and carries legal liability resulting from downloading copyrighted files. The numerous vulnerabilities inherent in IM dictate that senior management perform a risk assessment on the business benefit of allowing the use of public IM on corporate networks. Corporations should establish a policy to restrict public IM usage and require employees to sign an acknowledgment of receipt of the policy. They should include the vulnerabilities of public IM in information security awareness training, ensure a strong virus protection program, ensure a strong patch (software update) management program, and create firewall rules to block IM delivery and file sharing. Technology vendors have released various enterprise IM products for corporate use that authenticate, encrypt, audit, log, and monitor IM communication, and provide an alternative to public IM solutions used in a corporate environment. Risk management considerations for IM include antivirus, privacy, antihijacking, firewall, intrusion detection, and other risk mitigation controls and practices. Regulations imposed by the Securities and Exchange Commission (SEC), the Freedom of Information Act, and the Sarbanes-Oxley Act require financial institutions to meet security compliance mandates; failure to do so can result in significant financial and legal liabilities. In July 2004, the Federal Deposit Insurance Corporation (FDIC) issued a warning to its 5,300 member banks and financial institutions about unmanaged IM access.
