In the previous two blog posts we evaluated vulnerabilities and the organisational structure to determine where the hotspots lay and where you are most at risk.
If you have not yet evaluated the previous two posts, we recommend that you take the time to do so first before coming back to this post.
In this section you are going to evaluate your current working environment; how data is being consumed and used on a daily basis and the technologies used. This exercise is to find out if Microsoft RMS can/should be used to deploy IRM or not.
This part can be challenging to do yourself, if you are in need of any assistance please don’t hesitate to contact us and we will be able to help you.
Cloud or On-Premises
Has your organisation adopted Microsoft's Office 365 cloud solution or do you have all services hosted on-premises?
A company working with Office 365 is better placed for implementation of RMS for IRM rather than an organisation working on-premises. On-premises infrastructures can introduce challenges due to incompatibility with Microsoft RMS if up to date software is not used.
Traditional File Servers
Is the data being stored on file servers or locally on the PC? IRM is potentially not the right way to approach Data Protection if the Data is being stored locally on the PC.
Are your files shares departmentalised? If this is so, protection is easily deployed based on each department's access requirements to each folder.
Or are all files spread out over common shares that everyone can access?
Unless we can find some uniqueness to the documents, IRM can cause hassle for departments that suddenly cannot access files they used to access with ease. To avoid issues, it is highly recommended to organize your files before implementing IRM.
Internal and external email communication/sharing
A company that does not share confidential information with external partners over email has completely different IRM requirements than one that does. Depending on the amount of external partners, an on-premises IRM solution may not even be feasible.
Some organisation use websites to either provide central collaboration sites or team sites where staff can work on projects within their department, cross department or even with an external vendor or partner.
If you are using Microsoft SharePoint for the aforementioned purpose, IRM can easily be implemented to protect the documents. Giving you the additional benefit of protecting and controlling what external partners and vendors can do with the document when they download it from your SharePoint site.
Databases and database applications
When it comes to databases and applications connected to a database, IRM may not be the best way to protect the content found there. If your organisation uses lots of databases and database applications then IRM protection is probably not right for you. This is because RMS and IRM were never designed for use with databases and cannot protect their content.
So now we have firstly completed an overall risk assessment, we also have categorized each department from low to high on their sensitivity and also have made sure that IRM actually can be installed to protect the files. We are now in a position to decide whether or not to install IRM as a content management solution.
By looking at all these aspects you may think that this is a long process, involving a great deal of time and effort just to get through the assessment. That is not true; an assessment shouldn’t take very long at all and is a highly necessary process that it is vital takes place before implementation of IRM in your environment.
IRM allows great power and control for protecting confidential information and one can be tempted to install it straight away, but doing this without a comprehensive assessment may end you up with the following consequences:
I have installed IRM but my company doesn’t really need it.
I have installed IRM but I have no clients that can use it because my software is too old and incompatible.
I installed on-premises IRM but should have gone with the Cloud solution.
I ended up missing out on protecting files for the department that really needed it.
There are many such potential consequences of which these are just a few examples.
Implementing IRM without doing your homework can waste your time and provide difficult complications. It is therefore of the utmost importance that you do your homework before implementing IRM in your organisation.
In an upcoming series we will take a look at how to apply what we learned in these three posts to best plan the deployment of IRM in your organisation.
At DPRMS we are experts in IRM so why not let us help you with the assessment, contact us today!