2.Determine your posture toward IM.

The first question to ask: Should we allow it or block it? The easiest thing to do, of course, would be to say: I don't want to deal with this headache, let's just ban it. For starters, Don Montgomery, VP of marketing and customer support at IM security company Akonix, says that trying to block it from a technology standpoint is darn near impossible. "Once the public clients, which are free, are installed, they are port-seeking clients. So you can identify a protocol and try to shut down the port it uses at the firewall, but all of these clients use multiple ports, and they seek the next open one," says Montgomery. An IMlogic report titled "Understanding the IM Security Threat" notes that any attempt to secure IM "using purely network-layer tools and techniques such as combinations of port, IP and URL blocking is bound to be partial at best".

Firewall purveyors might hold the solution with deeper inspection of network traffic. And you can also by various means attempt to block end users from installing IM clients on their systems in the first place. Regardless of technical measures, though, the social issues are even harder to surmount. An IM ban could bring a revolt from users. "Trying to shut down the use of public IM has proven to be futile because typically in large companies, you have a user base using it for business purposes, and they scream bloody murder if you try to shut it down," says Montgomery.

So before taking drastic and potentially futile steps, talk to your users and find out whether there's a business need for keeping IM on the premises - odds are, there is.

3.Decide which type of IM network works best for your company.

There are multiple network types. Public networks are the most common. Enterprise networks, offered by companies such as IBM, Jabber and Microsoft, allow companies to purchase client/server solutions in which users typically can talk only to others on their own corporate network. (Though deSouza says that enterprise vendors are starting to offer connectivity to public networks.) Industry-specific networks are tailored to meet the needs of particular industries. Bloomberg and Reuters, for example, offer networks for the financial services industry. There are also geography-specific networks.

In choosing the type or types of networks to allow, assess your business needs and the risk factors. For example, Pete Lindstrom, research director at Spire Security, advises using more easily protected enterprise networks, not public networks, if employees are passing along sensitive data over the IM pipes.

4. Create an IM policy.

Most companies already have a policy that covers electronic communication - that is: We own the machines you're communicating on. Therefore, any information being transmitted on the machines can be monitored. IM should be part of that policy. Rubinow says that Archipelago had an e-mail policy first, then added Web and IM sections to that policy. "There are various pieces of IM software [our employees] can use, provided they understand our usage policy. We are able to control it and monitor it; no information can come in or out of the company without us being able to log it. It will always be at our fingertips because that's good business practice and a regulatory requirement," he says.

It's also part of the overall policy at Amerex, says Trudeau. "In the employee handbook, we have privacy policies that there isn't any privacy on a company-owned machine. Any electronic data can be monitored. The employees sign off on that knowingly," he says. Trudeau notes that it's interesting what people say on IM, even though they may know in the back of their minds that their messages are being logged. "They may either forget about it or think no one cares. It does come around to bite people sometimes," he says.

5. Develop rules.

One best practice to consider is not allowing file transfers. You could do it in the we-trust-our-employees kind of way and create a rule that bans them; or you could use technical means to enforce the ban, which is what Amerex has done. "We shut down the file transfer capability of all instant messengers. We try to block down through file names and file extensions and shut those ports down for file transfer," says Trudeau.

Montgomery says that file transfer is one of two primary methods of IM attacks (the other, he says, is malicious URLs). A user downloads a file that appears to come from a buddy, which launches some piece of insidious code, which propagates.

DeSouza recommends a rule outlawing games. "There's no real business reason for games to be allowed," he says.

CIOs may want to create rules for different levels of users. Montgomery says you could block file transfer capabilities for all except for those in the executive or financial or legal ranks, for example. Or you could say that executives and customer support people can have access to videoconferencing or VoIP, but no one else can, says deSouza.