THE PENNSYLVANIA STATE UNIVERSITY
OFFICE OF HUMAN RESOURCES – INSTANT MESSAGING POLICY
1.0 Purpose
Instant Messaging (IM) services can facilitate collaboration and training, but also have the
potential to dramatically increase computer system vulnerability to malicious exploitation. Like
most e-mail applications, IM services allow the exchange of many file types. These files provide
a vector for the delivery of viruses. Unlike e-mail, which may route through e-mail servers
and anti-virus gateways, the "payload" of an IM service routes directly to the user's PC. The
anti-virus software installed on the user's machine becomes the single line of defense.
The following policy represents the minimum requirements that OHR must have in place for the
use of IM.
2.0 Scope
This policy applies to, but is not limited to, faculty, staff, students, vendor representatives,
consultants, temporary staff, and other workers in OHR, including all personnel affiliated with
third parties. This policy applies to, but is not limited to, all equipment that is connected to OHR
networks, used in OHR facilities, or used outside OHR facilities to conduct OHR business.
Exceptions to this policy may be necessary to perform security audits or other authorized
purposes. Any exceptions must be coordinated through the OHR Information Technology (IT)
Security Officer and approved by the Senior Director or Associate Vice President for Human
Resources.
3.0 Policy
3.1. External Instant Messaging
OHR will restrict the use of external IM services to only those users who require
IM services for University business.
a. OHR systems administrators will manage the use of external IM services
through programmatic means (e.g., firewalls, Windows Active Directory
policies). When programmatic means are not practicable, the use of external IM
services will be restricted through this policy.
b. When warranted by business requirements, systems administrators will provide
encrypted external IM services (note that most IM services exchange data in plain
text; this makes IM services particularly vulnerable to interception).
c. Encrypted external IM services should be provided only to workgroups of
University users whose membership remains relatively static. Centrally managed
PSU IM services that are encrypted and have managed access should be used for
communicating with other PSU departments (i.e., chat.psu.edu).