August 8, 2005
(Computerworld)
In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology's security and archival controls aren't strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.
Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.
Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn't be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-based provider of technology risk management and other professional services.
"We never had the comfort level that we could scan instant messages appropriately," Robertson said. Another factor that contributed to the decision to disable the IM system last year is that many of the company's employees work at client locations, he added. Executives from Jefferson Wells didn't want to run the risk of having a virus or worm infect a customer's network.
Jefferson Wells is a subsidiary of Manpower Inc. The decision to unplug IM was made as part of the unit's evaluation of whether its IT controls met the provisions of Sarbanes-Oxley, said John Rostern, New York-based director of technology risk management at Jefferson Wells.
Since the system was disabled, the company's IT staff hasn't bothered to evaluate the available IM security tools because it isn't being pushed by workers to re-establish IM, Robertson said.
Steve Ross, a director at Deloitte & Touche LLP in New York and a past president of the Information Systems Audit and Control Association, said he knows of two Deloitte clients that have disabled their IM systems because of Sarbanes-Oxley concerns. Ross declined to identify the companies, saying only that one is a services company in the southern U.S. and the other is a large New York-based insurer.
Other corporate users are taking steps to strengthen the data security and archiving capabilities of their IM systems in order to satisfy Sarbanes-Oxley's requirements.
For example, Chevron Corp. is moving to block outside connections to an IM system used within one of its operating units, said Jay White, global information protection architect at the San Ramon, Calif.-based energy company. The expanded effort follows the adoption in June 2003 of controls for maintaining audit records and reducing security risks on the IM system.
"We manage our own IM system internally on our WAN, but the external connections have presented security [issues]," added White, who declined to identify the business unit involved.
Some observers contended that companies are overreacting to Sarbanes-Oxley by disabling IM. "You can't control a phone call, so I don't see what the difference is between IM and a phone call," said Diana McKenzie, chairwoman of the IT group at Chicago-based law firm Neal Gerber Eisenberg LLP. "To me, it's not logical."
Greg Hedges, managing director of technology risk at Protiviti Inc., a Menlo Park, Calif.-based company that provides internal auditing and business-risk consulting services, said some companies have disconnected IM systems under the pretense of complying with Sarbanes-Oxley instead of justifying those actions for business purposes.
"Sarbanes-Oxley is a wonderful vehicle for taking things out of people's hands," said Hedges, who added that some companies have applied the same rationale for disconnecting wireless systems.
But Ross said that viruses embedded in instant messages could cripple networks. "Given that [corporate] management feels the necessary controls haven't been implemented or can't be," he said, "unplugging instant messaging wouldn't be overkill."