SO-11-005 Instant Messaging Services

Issue Date:  9/30/2011

Revision Effective Date:  9/30/2011 


Technology has provided innovative services of Instant Messaging (IM) and telephony texting. These services represent a hybrid of digital messaging (email) and telephony, and may contain image, video and sound content. 

Records and official communications related to State business are subject to court subpoena and State Open Records Act.  Storage and retention of State business records are governed by the Secretary of State’s Records Retention Schedules.  Notably missing from these schedules are telephone calls, as no records are generated which can be inspected to determine what State business was transacted on the calls. 

IM can be configured to capture and log the messaging traffic.   Recorded instant messages are the property of the agency or institution and are subject to the requirements of the laws applicable to state records retention.

Much like e-mail, IM potentially spreads computer viruses and may be used for phishing attacks. As e-mail becomes more secure, IM is increasingly a target of hackers and thieves.  IM malware are transmitted as executable file attachments or as Hyperlinks in IM text directing victims to malicious Web servers.  In most cases, these threats require victims to manually execute the malware or they attack known vulnerabilities.

This standard addresses IM services from the standpoint of official State communication.


  1. An agency which authorizes IM services to support State business shall ensure that the IM services are subject to the following minimum controls.  IM Services shall:
    1. Be limited to the specific service(s) and specific business functions defined by the agency.
    2. Not be used by employees for personal matters, including the following provisions:
      1. Employees shall not download/install any Instant Messaging (IM) software without specific authorization in writing from the Senior Agency Information Security Officer (SAISO).
      2. Employees shall not download any illegal and/or unauthorized copyrighted content. The SAISO shall approve in writing the use of IM technology to download copyrighted material and require the employee to follow appropriate state and federal laws and guidelines when copying, storing, or transferring copyrighted material.
  2. An agency which uses an outside IM service shall operate through a proxy server to scan for malware, to filter content for sensitive keywords or number patterns (e.g., Social Security Numbers), and to attach disclaimers to messages.
  3. An agency which authorizes IM services to support State business shall, after considering applicable State and federal laws and regulations, decide the applicable retention periods for the messages.  The agency shall utilize features such as audit and reporting, malware scanning, and user authentication, and shall retain message transcripts in a database.
  4. An Agency which does not authorize IM services for State business shall have a formal policy prohibiting the use of IM for any official communication that is normally filed for recordkeeping. 
  5. This standard shall not be construed to supersede any State or federal laws, or any State policies regarding confidentiality, information dissemination, or standards of conduct.


Information Technology Review (PM-06-001)

Telecommunications Technology Review (SM-05-001)  

Appropriate Use of IT Resources (PS-08-003)

Appropriate Use and Monitoring (SS-08-001)