
Controlling Messaging Services

Controlling messaging services starts at the top. Sure, technologies like IM and Internet phone can start in an organization through grassroots adoption, but once we start to depend on them in our day-to-day work, we need to manage them. That's when the focus of control is going to swing away from early adopters towards IT management. This is also the point where formal controls are needed, and the first thing to control is planning and organizing.

If you are familiar with COBIT, you'll recognize this as the first of the four activities that make up the governance framework. It delves into questions like "how does this service fit with the broader strategic objectives of the organization?", "how will it fit with the existing IT infrastructure?", and "what processes are needed to control the service?"

Take IM for example. When instant messaging reaches a critical mass within an organization, management will need to decide if it will be a supported service. If so, it needs an owner who is responsible for it, it needs to comply with existing policies (e.g. acceptable use, access control, backup and recovery, etc.), and it needs to be prioritized relative to other services.

It's not always obvious when a messaging service reaches that critical mass where it needs formal management. Even if you aren't to the point where you need a new messaging technology from a strategic perspective, you probably need to control the use of the technology. If IM is used in your network, then you need to address the security risks associated with it, regardless of whether or not it is a formally supported system. If regulations require you to keep copies of business-related communications, as in the securities exchange industries, then you may need to include IM exchanges as well.

At the end of the day, we need to control messaging technologies whether we adopt them as part of the IT infrastructure or not.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net