Enterprise Rights Management (ERM) is an umbrella term for products that mix elements of intellectual property protection with document control.
Unlike digital rights management technologies that strive to manage consumer use of published media, ERM focuses on business documents and data, seeking to control their creation, use and distribution. Rights management systems typically rely on servers operating in the background performing such functions as applying policies to content, authenticating users and granting rights.
In a nutshell, rights products can:
– Encrypt content;
– Assure that only the intended recipient can open the content;
– Control the recipient’s ability to copy, print, forward, alter or otherwise tamper with the information;
– Revoke access rights or expire the content itself to prevent further access; and
– Log all of the above to an audit trail.
Rights management vendors and products have differing approaches and architectures. SealedMedia, for example, works on the premise that content sent to external users gets returned to the sender once the sharing process is done. Liquid Machines sees rights management as enabling collaboration among trusted parties and focuses on usability — the idea that policy application and consequent document access should be as unobtrusive to processes as possible.
Some products — usually those that require server connectivity — allow rights to be changed even after the recipient has accessed the content.
Rights management shouldn’t be confused with records management. Although access rights to content can be expired using a rights management system, the content itself isn’t always destroyed, as it can be by a records management system. Losing the encryption key on a rights-protected document, for example, disables the recipient’s access to it, but the document itself may stay on the recipient’s drive.
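The server-side functions described above (applying policy, granting rights, revoking or expiring access, and logging), sketched as an added example that is not code from any vendor named in the article. `RightsServer`, `Policy`, the decision strings and the sample document are hypothetical, and user authentication is assumed to have happened before a request arrives.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Policy:
    recipients: set        # users allowed to open the document
    rights: set            # actions granted, e.g. {"view", "print"}
    expires_at: float      # epoch seconds; no key is released at or after this
    revoked: bool = False

class RightsServer:
    """Hypothetical policy server: stores keys and policies, not documents."""
    def __init__(self):
        self._keys, self._policies = {}, {}
        self.audit = []    # one (time, user, doc_id, action, decision) per request

    def protect(self, doc_id, policy):
        """Register a policy; return the content key the sender encrypts with."""
        self._keys[doc_id] = secrets.token_bytes(32)
        self._policies[doc_id] = policy
        return self._keys[doc_id]

    def revoke(self, doc_id):
        self._policies[doc_id].revoked = True

    def request_key(self, user, doc_id, action, now):
        """Decide one request from an already-authenticated user and log it."""
        p = self._policies.get(doc_id)
        if p is None:
            decision = "deny:unknown-document"
        elif p.revoked:
            decision = "deny:revoked"
        elif now >= p.expires_at:
            decision = "deny:expired"
        elif user not in p.recipients:
            decision = "deny:not-recipient"
        elif action not in p.rights:
            decision = "deny:right-not-granted"
        else:
            decision = "grant"
        self.audit.append((now, user, doc_id, action, decision))
        return self._keys[doc_id] if decision == "grant" else None

def demo():  # constructed scenario: rights are withdrawn after the first access
    server = RightsServer()
    server.protect("q3-forecast", Policy({"alice"}, {"view"}, expires_at=1000.0))
    recipient_disk = {"q3-forecast": b"<ciphertext>"}  # placeholder for the sent copy
    server.request_key("alice", "q3-forecast", "view", now=10.0)
    server.request_key("alice", "q3-forecast", "print", now=11.0)
    server.request_key("bob", "q3-forecast", "view", now=12.0)
    server.revoke("q3-forecast")
    server.request_key("alice", "q3-forecast", "view", now=13.0)
    return [d for *_, d in server.audit], "q3-forecast" in recipient_disk
```

The final request is denied after revocation even though the recipient's encrypted copy is still on disk, which is the distinction from records management drawn above.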
Vendors such as PSS Systems offer a records management foundation and concentrate on applying company policy to internal documents so they can be controlled from creation to disposition, regardless of where they reside.
The Plan:
– Define the risks;
– Determine what content is worth protecting;
– Identify levels of trust and appropriate controls;
– Prescribe appropriate security for the content and the situation;
– Determine what assurance must be provided that content reaches only the intended recipient(s);
– Determine what should happen when content should no longer be shared; and
– Describe who has the authority to apply policies and what happens if policies conflict.
http://www.securitypipeline.com/49400427