How to write an IM Policy (part 1)



Administration and Strategy: How to Write an IM Policy (Part 1)
Our e-ProMag.com editor and Lotus Informer author, Libby, suggested a great topic. She suggested some tips or direction on creating an Instant Messaging policy. It seems that you, the ravenous reader, have requested this type of information as your companies start to deploy and grow these installations. So let me begin with the first of two parts. The first one will deal with the why, who, and how often. Then, part two will cover the actual implementation. I will make it as direct and short as possible, intended only to guide you in the initial planning. Each company must make some hard choices on allowable clients and usage that fit everyone's needs. Your companies might have to make an investment to get the right hardware or software in place when the policy is done, but it is one step in better protecting the network and entire company.

Part 1

We can cover statistical information for days, with all the current research that is being done on productivity, who is sending messages to whom, and how many users are accessing the technology at work. The end result of the research will tell you one thing: No matter what number of users your enterprise has, as soon as there is an enterprise, it is time to establish the IM Usage policy.

Why?

The Why's are quite simple. In one sentence: you put a policy in place to protect the enterprise and the employee. Nothing more and nothing less. Every article and tip you read addresses one of those two parts of the puzzle. Many of you understand the issues with viruses via e-mail, but the real attacks on IM have not occurred yet. Imagine not only all those desktops running AOL Instant Messenger and Yahoo!, but also all the connected home machines and laptops with VPN access that dump those clients right onto your network. Mentioning the possibility of data leaving the network is not even necessary anymore (but I still did anyway, for those who have been sleeping on IM deployments).

Who?

Who gets the policy assigned to them? Everyone. This includes the technical staff and CEO. For some reason, when we perform audits (with IM becoming an ever-increasing request in audits), we see that the technology bandits excuse themselves, and the CEO or other officers of the company have special requests. The lesson is that any policy has to address all the employees, from the needs of the heavy constant user to the needs of those who don't understand exactly what IM does.
Identity control is a large portion of the Who. If you run an internal IM system from a corporate directory, then you know the identity of each person you correspond with. But the name mapping for external systems is the trick. Letting employees communicate with customers through personal accounts with names you cannot control is asking for trouble. A username on the Internet could be offensive or even derogatory, and this may reflect on the enterprise if used in day-to-day business interactions.

How Often?

How often the policy gets applied and updated should be planned for simplicity. Having to revisit the policy on a consistent basis means the original draft was not well constructed. The policy gets applied to every user, on an instantaneous basis. As soon as they need access to the approved IM systems, they must sign a copy (preferably digitally through Lotus Notes, of course) that shows they have read and understand the regulations surrounding usage. You can do follow-ups by adding addendums to the document as you introduce new technology or expand the deployment. Adding to the policy via Notes mail and a mail-in database can reduce the time needed to add to the policy and notify all the users. With a simple database, you can track usage agreements and add addendums that notify users with a link that a new document must be read and approved.
So you are off and running that fast. Start the document ideas simple before you even get to what technology will make it all happen. The biggest fight seems to be in the Who area: who will get what rights and who is restricted. The next difficulty is in determining how to do standards enforcement if you choose to use an outside or public system as the prime communication vehicle (I shudder thinking of this one). The next installment looks at the actual deployment and opportunities for controlling the IM traffic.