Secure Instant Messaging Guidelines
The Access to Information and Protection of Privacy Act (ATIPPA) requires Memorial University to protect the personal information it collects, uses and discloses. Instant Messaging (IM) presents security risks, including unauthorized access to ATIPPA protected information.
Instant Messaging: also known as "IM", refers to the real-time interactive exchange of text messages or files with other IM users. It differs from e-mail in its immediacy of the message exchange.
Some examples of currently used IM services include:
- MSN Messenger;
- Yahoo! Messenger;
- Google Talk;
- AOL Instant Messenger (AIM);
- Apple's iChat.
Risk Reduction Guidelines
The following guidelines act as acceptable safeguards to minimize the risks associated with Instant Messaging.
- Never send confidential or otherwise sensitive information via instant messaging:
Instant messages are typically sent unencrypted, meaning they can be read by others if intercepted. An excellent rule of thumb is to never send any information via instant messaging that you would not send via a postcard.
- Encrypt sensitive file transfers:
If you must send a file containing sensitive information via instant messaging, encrypt it before sending. Having done so, do not send the encryption password to the recipient via IM; call him or her, or preferably provide the password face-to-face.
- Do not accept file transfers or click on web links unless they are expected and come from somebody you know and trust:
It is not enough to ignore attachments and links from unknown or untrusted individuals. An unexpected or out-of-character message from a trusted colleague is as likely to contain a computer virus or worm as an IM from a complete stranger.
- Update your anti-virus software:
As alluded to above, instant messaging can be a significant source of malware. Run anti-virus software and make sure it is kept up to date.
- Update your instant messaging software:
Old, unpatched software containing known security holes is more likely to be compromised than the latest release. Microsoft Update will only update Microsoft IM clients such as Windows/MSN Messenger. If you run other IM software, visit Secunia Software Inspector at least monthly to determine whether your IM software needs patching or upgrading.
- Update your operating system:
Viruses and worms can spread not just by exploiting known vulnerabilities in your IM software, but by exploiting vulnerabilities in your underlying operating system. Run a legitimately licensed copy of your operating system, and ensure it is configured to automatically download vendor updates.
- Verify your correspondents' identities; do so via some means other than chat or e-mail:
Most people would agree firstname.lastname@example.org reveals nothing about that account holder's true identity, yet many will believe email@example.com is whichever John Doe the sender purports to be. In reality, anyone can create a public IM/webmail account using any username that's not already reserved. Be suspicious of new contacts, especially correspondents claiming to have switched from one address to another. Pick up the phone, or ask your correspondent a question that only the real account holder would know. Base your level of trust on something other than claimed identity.
If you require further information or clarification, or have any questions or concerns regarding these guidelines, please call the ITS Service Desk at (709) 864-4595 or e-mail firstname.lastname@example.org.
Where the risks lie in IM
Instant Messaging (IM) clients like Windows Messenger, Yahoo Messenger, AOL Instant Messenger (AIM), and Google Talk enable near real-time communication between online correspondents. Such software has evolved significantly since the early days of terminal-based 'talk' and 'IRC' utilities; today's IM clients often support file transfers, application sharing, and audio/videoconferencing in addition to traditional text-only chat.
While the utility of IM is undeniable, such increased functionality invariably brings with it new risks and vulnerabilities. Compounding this is the fact that the technologies available for managing distributed IM risks are far fewer and less mature than those available for older centralized services like e-mail.
Instant messaging risks must nonetheless be minimized if IM is to enjoy a risk-benefit profile akin to that of e-mail. With a view to achieving that acceptable level of risk, Information Technology Services, in consultation with the Campus Community and the University's Information Access and Privacy Protection Office, is issuing the above guidelines for secure instant messaging.