Getting the Word Out About DRM

Computerworld - Trouble Ticket

Issue: Before rolling out digital rights management technology to top executives, you need to make sure they fully understand the implications.

Action plan: Communicate effectively with all the right people.

After months of preparation, I got the OK to go live with my digital rights management (DRM) project this past week.

The final hurdle to deploying Microsoft Rights Management Service (RMS) was a new step in the project management process, called operational readiness. (My past columns explaining why we need DRM and why we chose RMS can be found online.) This step was mandated by our CIO after he learned that several critical business applications werent being monitored for performance and capacity. When employees are being kept from conducting revenue-generating work, the CIO is going to step in. Operational readiness requires each functional group to literally sign off on the readiness of projects, from support and maintenance to monitoring and documentation. Another aspect of this directive is that managers have a chance to ask questions before theyre saddled with using new applications and infrastructure.

The operational readiness sign-off for RMS went off without a hitch. I had every piece of support documentation in place, including a backup plan and end-user instructions. I even had the support team create a Web-based form so the help desk would have relevant information easily at hand. I got all the signatures needed, and then I sat down with the CIO.

I needed to ensure that he was ready to get the executive acceptance we will need to roll out RMS to the initial users were targeting at the director level and above. I asked him whether he knew what he was signing up for. After all, users who arent fully aware of how RMS works may be locked out of critical business documents. And when one of those users is the CEO, you dont want to take any chances.

Potential Trouble

For example, if the CFO sends a protected document to the CEO, the chief executive is going to have to recognize what it is and deal with it properly. In order to open it, hell have to be logged into the corporate domain so that the RMS client can talk to the server and obtain the proper credentials. (Reopening it is easier, because the credentials are cached, so there is no need to be connected.) If the CEO doesnt understand these implications of receiving an RMS-protected document, and he then gets on a plane heading to China, hoping to spend the 18-hour flight using that document from the CFO to prepare for a meeting, he is likely to take it out on our CIO for deploying technology that kept him from essential work.

With all this in mind, the CIO and I decided to craft two e-mails explaining the implementation of RMS. The first e-mail went out to everyone at the director level and above, as well as to their administrative assistants. The second, from the CIO, went only to the CEO and CFO.

Was it enough? Well, more than a week after our initial RMS deployment, we have approximately 50 employees using the tool. Ive been keeping track, and so far, only three support calls have been logged. And there have been no calls from 35,000 feet.

This weeks journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons. Contact him at mathias_ thurman@yahoo.com.

Read more about Security in Computerworld's Security Topic Center.