Please Enter a Search Term

Secure Instant Messaging Guidelines


Risk Reduction Guidelines | Where the risk lies in IM

The Access to Information and Protection of Privacy Act (ATIPPA) requires Memorial University to protect the personal information it collects, uses and discloses. Instant Messaging (IM) presents security risks, including unauthorized access to ATIPPA protected information.

Instant Messaging: also known as "IM", refers to the real-time interactive exchange of text messages or files with other IM users. It differs from e-mail in its immediacy of the message exchange.

Some examples of currently used IM services include:

  • MSN Messenger;
  • Yahoo! Messenger;
  • Google Talk;
  • AOL Instant Messenger (AIM);
  • Apple's iChat

Risk Reduction Guidelines

The following guidelines act as acceptable safeguards to minimize the risks associated with Instant Messaging.

  • Never send confidential or otherwise sensitive information via instant messaging:

  • Encrypt sensitive file transfers:

  • Do not accept file transfers or click on web links unless they are expected and come from somebody you know and trust:
  • Update your anti-virus software:
    As alluded above, instant messaging can be a significant source of malware. Run anti-virus software and make sure it is kept up-to-date.
  • Update your instant messaging software:
    Old unpatched software containing known security holes is more likely to be compromised than the latest release. Microsoft Update will only update Microsoft IM clients like Windows/MSN Messenger. If you run other IM software, visit Secuni'a Software Inspector at least monthly to determine if your IM software needs patching or upgrading.
  • Update your operating system:
    Viruses and worms can spread not just by exploiting known vulnerabilities in your IM software, but by exploiting vulnerabilities in your underlying operating system. Run a legitimately licensed copy of your operating system, and ensure it is configured to automatically download vendor updates.
  • Verify your correspondents' identities; do so via some means other than chat or e-mail:
    Most people would agree dude87@hotmail.com reveals nothing about that account holder's true identity, yet many will believe john.doe@hotmail.com is whichever John Doe the sender purports to be. In reality, anyone can create a public IM/webmail account using any username that's not already reserved. Be suspicious of new contacts, especially correspondents claiming to have switched from one address to another. Pick up the phone, or ask your correspondent a question that only the real account holder would know. Base your level of trust on something other than claimed identity.

If you require further information/clarification or have any questions/concerns regarding these guidelines, please call the C&C Service Desk (709)864-4595 or e-mail help@mun.ca .

Where the risks lie in IM

Instant Messaging (IM) clients like Windows Messenger, Yahoo Messenger, AOL Instant Messenger (AIM), and Google Talk enable near real-time communication between online correspondents. Such software has evolved significantly since the early days of terminal-based 'talk' and 'IRC' utilities; today's IM clients often support file transfers, application sharing, and audio / videoconferencing in addition to traditional text-only chat.

While the utility of IM is undeniable, such increased functionality invariably brings with it new risks and vulnerabilities. Compounding this is the fact that the technologies available for managing distributed IM risks are far fewer and less mature than those available for older centralized services like e-mail.

Image depicting the move of the use of IM to move from a high risk to an acceptable risk.

Instant messaging risks must nonetheless be minimized if IM is to enjoy a risk-benefit profile akin to that of e-mail. With a view to achieving that acceptable level of risk, Computing and Communications in consultation with the Campus Community and the University's Information Access and Privacy Protection Office, is issuing the above guidelines for secure instant messaging.

Top

Share