As my colleague Carl has mentioned on his blog this last week, our webinar on Content Security (available for replay) was a great success (and quite a lot of fun on our end at least), so much so that we did not have time to handle all the questions that our 200+ live audience submitted. Sorry about that, but we'll continue those questions here and on Carl's blog (www.takingAIIM.com). Over the next 2 weeks, we'll be answering those questions, and in the spirit of Web 2.0 and an ECM community, we encourage you to keep feeding us questions as comments on these postings. We promise, all questions/comments will be addressed, so please, ask away.
Question 1, from my queue:
Q: The MarketIQ Report mentions "Rights Creep" on Pg. 12... can you elaborate and discuss how to avoid it?
A: I did cover this in the live Q&A of the webinar, but it's worth repeating.
"Rights Creep" is something we didn't address in much detail in the formal slides of the webinar. This is an area that doesn't get nearly enough attention, as it is a serious and pervasive problem. Any employee who has been with an organization for more than a few years, and especially one who has held different positions within the organization, has more than likely acquired quite a number of access rights to various information systems (ECM or otherwise). As people move about within the organization, or are promoted even within the same area of the business, it's fairly rare that the "old rights" they had, perfectly appropriate to the old role but no longer appropriate to the new role, are taken away. As these rights accumulate, or "creep," this becomes a very serious security and compliance problem. The ultimate situation, where this becomes obvious, is when an employee is fired, or leaves voluntarily, yet the rights continue to creep, by virtue of the fact that their access isn't turned off for some time after they've left. This can cause BIG gaps to appear in your security strategy and risk management plan, and if you poke around in your organization, you may scare yourself with this.
Why mention this in the context of Content Security? Any Content Security deployment should leverage other existing security solutions, and the more modern version of an Identity Management solution might be able to help you with this particular aspect of the scenario.
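To make the two cases above concrete (rights left over from an old role, and access still enabled after someone has left), here is a small entitlement review in Python. It is an added example, not part of the original post or the report; the role names, entitlement strings and HR records are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: role baselines, HR records and grants are hypothetical.
ROLE_BASELINE = {
    "accounts_payable": {"erp:invoice_entry", "ecm:finance_read"},
    "hr_generalist": {"hris:employee_edit", "ecm:hr_read"},
}
HR_RECORDS = {
    "alice": {"role": "hr_generalist", "left_on": None},  # moved from AP to HR
    "bob": {"role": "accounts_payable", "left_on": date(2024, 3, 1)},  # departed
    "carol": {"role": "accounts_payable", "left_on": None},
}
GRANTS = [  # (user, entitlement, is the grant still enabled?)
    ("alice", "hris:employee_edit", True),
    ("alice", "ecm:hr_read", True),
    ("alice", "erp:invoice_entry", True),   # left over from the old AP role
    ("alice", "ecm:finance_read", True),    # left over from the old AP role
    ("bob", "erp:invoice_entry", True),     # never turned off after departure
    ("bob", "ecm:finance_read", False),
    ("carol", "erp:invoice_entry", True),
    ("carol", "ecm:finance_read", True),
]

def find_rights_creep(grants, hr_records, role_baseline, today):
    """Return sorted (user, entitlement, reason) tuples for enabled grants that
    no longer match the person's HR status or current role baseline."""
    findings = []
    for user, entitlement, enabled in grants:
        if not enabled:
            continue  # already revoked, nothing to review
        record = hr_records.get(user)
        if record is None:
            findings.append((user, entitlement, "orphaned: no HR record"))
        elif record["left_on"] is not None and record["left_on"] <= today:
            days = (today - record["left_on"]).days
            findings.append((user, entitlement,
                             f"departed {days} days ago, access still enabled"))
        elif entitlement not in role_baseline.get(record["role"], set()):
            findings.append((user, entitlement,
                             f"not in baseline for current role {record['role']}"))
    return sorted(findings)

if __name__ == "__main__":
    review_date = date(2024, 4, 15)  # constructed review date
    for finding in find_rights_creep(GRANTS, HR_RECORDS, ROLE_BASELINE, review_date):
        print(*finding, sep=" | ")
```

In practice the grants would come from an export of each system's access list and the HR records from the system of record, which is the reconciliation an Identity Management solution automates.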