ERM products remain poorly integrated with other IT processes and applications.
Despite its promise, ERM has yet to attract widespread interest, even among small workgroups, much less across entire corporations. For one thing, it adds complexity to a company's -infrastructure at a time when IT departments are looking to consolidate and simplify. And according to Trent Henry, senior analyst with Burton Group, an IT research firm in Midvale, Utah, CIOs (especially at large companies) are also concerned about integrating ERM software with numerous other IT processes, systems and applications, including backup and recovery systems and records-management systems.
Consider FGG. As a registered broker/dealer, the firm must archive documents for seven years. Documents with rights attached must either be opened on FGG's network, or unprotected before they are released to its third-party records-management provider, Boston-based Iron Mountain Inc. At Bern, Switzerland-based Swisscom AG, a telecommunications provider with $7.6 billion in 2005 net revenues, documents must be archived for ten years. The firm plans to keep a copy of the policy server on hand for ten years, just in case it needs to access archived documents that inadvertently still have rights attached.
Burton Group's Henry also points out that many CIOs are suspicious of any security technology that places so much control, and responsibility, in the hands of individual users. That's why so many have settled for less invasive measuressuch as network controls, or content sniffersthat can be managed by the IT team.
Companies that have deployed ERM usually cite ease of use and user acceptance as the most essential requirements for any ERM product. Says FGG's Elizaitis, "We're putting the onus on the authors to protect documents, so ease of use was the most important requirement." He claims their current ERM setup is minimally disruptive. "Applying rights involves two or three extra clicks for the author, who simply has to pull down a droplet and assign a policy."
Technology aside, ERM assumes all users are clearly versed in company policy, and know which documents to protect. Swisscom implemented Microsoft RMS for all 16,000 full-time employees when it upgraded to Windows 2003 server and Office Professional. According to Markus Schütz, project manager for Swisscom IT Services AG, certain documents need to be classified, and users simply need to know when to do thatwith or without RMS in place. "Those decisions are made at the group company level, not at corporate. We've just provided technology that makes it easier to comply."
Finally, preserving document rights once the documents travel outside the company is generally difficult, unless recipients have rights-management software running on their machines and are connected to the policy server that enforces those rights.
What are the key document formats that would benefit from document-level security?
Are we sufficiently protecting the information we exchange with trading partners?