Please may I request approval to publish the final draft of the Instant Messaging (Slack) guidance? The content has been reviewed by security technical people, and the IALC.
Have you run this past the corporate applications people (Workplace Tech) to make sure it aligns with anything they're saying about the corporately provisioned apps like Skype?
I worry that the guidance puts too much emphasis on the user doing stuff with these applications to get them secure, versus how their accounts are simply set up for them. For example, if you are a Dom1 user, you are automatically set up on O365 for Skype with 2FA - so we really shouldn't be worrying people about this. Whereas if they're setting up to use Slack it is on them to enable it.
The 'don't use IM for this' section pretty much rules out using IM tools for almost anything! Isn't this tool-specific - e.g. Slack and Skype really should be OK for these data types, whereas WhatsApp isn't a corporately-provided tool, so is more like having a chat down the pub.
...which leads to the list of tools - this makes them all look equivalent in terms of their approval status.
Please may I request approval to publish the final draft of the Instant Messaging (Slack) guidance? The content has been reviewed by security technical people, and the IALC.
You can see the content here.