THE PENNSYLVANIA STATE UNIVERSITY
OFFICE OF HUMAN RESOURCES INSTANT MESSAGING POLICY
1.0 Purpose
Instant Messaging (IM) services can facilitate collaboration and training, but also have the
potential to dramatically increase computer system vulnerability to malicious exploitation. Like
most e-mail applications, IM services allow the exchange of many file types. These files provide
a vector for the delivery of viruses. Unlike e-mail systems that may route through e-mail servers
and anti-virus gateways, the "payload" of IM services routes directly to the user PC. The anti-viral
software installed on the user's machine becomes the single line of defense.
The following policy represents the minimum requirements that OHR must have in place for the
use of IM.
2.0 Scope
This policy applies to but is not limited to faculty, staff, students, vendor representatives,
consultants, temporary staff, and other workers in OHR, including all personnel affiliated with
third parties. This policy applies to but is not limited to all equipment that is connected to OHR
networks, used in OHR facilities, or is used outside OHR facilities to conduct OHR business.
Exceptions to this policy may be necessary to perform security audits or other authorized
purposes. Any exceptions must be coordinated through the OHR Information Technology (IT)
Security Officer and approved by the Senior Director or Associate Vice President for Human
Resources.
3.0 Policy
3.1. External Instant Messaging
OHR will restrict the use of external IM services only to those users who require the use
of IM services for University business.
a. OHR systems administrators will manage the use of external IM services
through programmatic means (i.e., firewalls, Windows Active Directory policies,
etc.). When programmatic means are not practicable, the use of external IM
services will be restricted through this policy.
b. When warranted by business requirements, systems administrators will provide
encrypted external IM services (note that most IM services exchange data in plain
text; this makes IM services particularly vulnerable to interception).
c. Encrypted external IM services should be provided only to workgroups of
University users whose membership remains relatively static. Centrally managed
PSU IM services that are encrypted and have managed access should be used for
communicating with other PSU departments (i.e., chat.psu.edu).
3.2. Internal Instant Messaging
OHR will provide use of internal IM services only to those users who require the use of
IM services for OHR business and are securely connected to OHR networks.
a. OHR systems administrators will manage use of internal IM services through
programmatic means (i.e., firewalls, Windows Active Directory policies,
etc.). When programmatic means are not practicable, the use of internal IM
services will be restricted through this policy.
b. Systems administrators will provide secure internal IM services. Secure
internal IM services should be provided only to OHR users who are securely
connected to OHR networks.
3.3. Acceptable Instant Messaging Use
IM services, and all University-owned computer equipment and services, should be used
only for University-related business activities. IM should not be used to send Personally
Identifiable Information (PII) or sensitive information.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action by their
Administrative unit or the University. Disciplinary action may include termination of
employment.
5.0 Definitions
Term: Definition
Instant Messaging (IM): An application that allows instant text communication and file sharing between two or more people through a network such as the Internet.
External IM: An IM application that allows communication and file sharing with users outside of OHR networks.
Internal IM: An IM application that allows communication and file sharing only with users inside of OHR networks.
Personally Identifiable Information (PII): Information that identifies or describes an individual, including but not limited to name, address, telephone number, social security number, credit card number, and personal characteristics that would make the individual’s identity easily discoverable.
6.0 Resources
For additional guidance, refer to PSU Policies:
ADG01 Glossary of Computer Data and System Terminology
AD20 Computer and Network Security
AD22 HIPAA
AD23 Use of Institutional Data
AD35 University Archives and Records Management
7.0 Revision History
This Version Effective Date: 07/28/10
Policy’s Initial Date (Interim Draft): 07/28/10
Original Draft: 6/22/08