An important aspect of my research focuses on Enterprise DRM. The purpose of this part of the blog is to serve as a global discussion forum on Digital Policy Management (DPM), aiming to lay the foundation for, and jointly elaborate, an agenda around this important emerging issue.
How to Participate: JOIN the Conversation!
If you are interested in these issues and want to join the conversation, contact me () and I'll include you among the contributors to this initiative.
Short Intro:
Currently, Enterprise DRM is still driven by walled-garden approaches that each address a specific issue, such as:
- Document management (e.g. persistent protection of information, managed content, repositories, etc.)
- Email and communication (e.g. usage rules such as no print, no forward, expiry dates, etc.)
- Retention policies (i.e. how long information needs to be kept)
- Classification (e.g. company confidential, board of directors, project XYZ, etc.)
- Compliance (e.g. SOX, Basel II, HIPAA, NASD 2711, GLBA, etc.)
These are just a few examples of the issues addressed today in the field of Enterprise DRM, mostly through siloed, proprietary, vendor-specific solutions. Such solutions lack the fundamental interoperability needed to address Digital Policy Management consistently, coherently and sustainably.
We therefore need to take a step back and consider the problem from an enterprise-wide perspective, much as ERP systems federated back-office best practices across the enterprise. While compliance and regulatory frameworks initially fuelled this domain, other drivers also lie behind organizational adoption of Enterprise DRM.
Companies are increasingly concerned with how their data is managed both inside and outside the corporate perimeter. Examples include intellectual property, trade and business secrets, CAD documents, the outputs of enterprise applications, strategic and financial planning information, etc. In many cases this information constitutes knowledge or corporate assets, each with its own level of sensitivity and consequently its own security requirements, and much of it is now held in Knowledge Management Systems. Moreover, companies are increasingly involved in various forms of partnership and collaboration, including outsourcing, contractors and consultants, built on Interorganizational Systems (IOS) and processes. These still rely on traditional ACL- and perimeter-based approaches to information security, which have become insufficient given today's complex flow and usage patterns of information: once a document leaves the repository or the network boundary, an ACL on the repository no longer constrains what the recipient can do with it.
The issue, then, is not primarily technical or product-oriented. It is a strategic issue that also encompasses corporate governance and enterprise-wide operational risk management. In this context, Enterprise DRM is merely the means of instrumenting those parts of policy management that can be digitally instrumented.
Only by positioning the debate at that level will we be able to rethink enterprise policy management for the digital age in a sustainable way, thereby enabling the full span of capabilities required to provide and capture, in addition to the issues mentioned above, the following important enterprise-wide features:
- Enterprise-wide managed digital policies (i.e. not only regulatory compliance but also internal policies and rules, security policies, industry practices, etc.)
- Digital policy design, impact analysis, assessment and deployment
- Digital policy governance and engineering
- Dynamic delegation models
- Centralized management of the granting and revocation of rights
- Traceability (e.g. audit trails, tracking, monitoring, metering)
So, now that the stage has been set, let's get the ball rolling. The "floor" is ours to discuss and, hopefully, define an interesting and challenging agenda for Digital Policy Management. Contributions are welcome from all disciplines: management, technology, social, legal, ethical, etc.
Two references on these issues are provided at the end of this post. The first is available online as a PDF (courtesy of JISSec) and can serve as a basis for starting the discussion. It is very preliminary, but the intent was to set the ground and propose an initial conceptual framework for global digital policy management.
So welcome, join the fun, stay tuned and don't hesitate to take part in this conversation. I will do my best to organize it as well as possible using tags and the other features of the blog. All comments are welcome, and remember to JOIN!
J.-H. Morin and M. Pawlak, "Towards a Global Framework for Corporate and Enterprise Digital Policy Management", Journal of Information System Security, Vol. 2, Issue 2, 2006, pp. 15-24.
Web link: http://www.globalinformationservices.net/jissec/Volumes/Vol2/Vol2-Is2/2.pdf
J.-H. Morin and M. Pawlak, "From Digital Rights Management to Enterprise Rights and Policy Management: Challenges and Opportunities", chapter 9 in Advances in Enterprise Information Technology Security, F. Herrmann and D. Khadraoui (Eds.), Information Science Reference, IGI Global, July 2007, ISBN 978-1-59904-090-5, pp. 169-188.
Web link: http://www.igi-pub.com/reference/details.asp?id=6378