Sarbanes-Oxley trumps IM at some firms

Computerworld - In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology's security and archival controls aren't strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.
Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.
Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn't be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-based provider of technology risk management and other professional services.
"We never had the comfort level that we could scan instant messages appropriately," Robertson said. Another factor that contributed to the decision to disable the IM system last year is that many of the company's employees work at client locations, he added. Executives from Jefferson Wells didn't want to run the risk of having a virus or worm infect a customer's network.
Jefferson Wells is a subsidiary of Manpower Inc. The decision to unplug IM was made as part of the unit's evaluation of whether its IT controls met the provisions of Sarbanes-Oxley, said John Rostern, New York-based director of technology risk management at Jefferson Wells.
Since the system was disabled, the company's IT staff hasn't bothered to evaluate the available IM security tools because it isn't being pushed by workers to re-establish IM, Robertson said.
Steve Ross, a director at Deloitte & Touche LLP in New York and a past president of the Information Systems Audit and Control Association, said he knows of two Deloitte clients that have disabled their IM systems because of Sarbanes-Oxley concerns. Ross declined to identify the companies, saying only that one is a services company in the southern U.S. and the other is a large New York-based insurer.
Other corporate users are taking steps to strengthen the data security and archiving capabilities of their IM systems in order to satisfy Sarbanes-Oxley's requirements.
For example, Chevron Corp. is moving to block outside connections to an IM system used within one of its operating units, said Jay White, global information protection architect at the San Ramon,