By Simon Thorpe on Sep 17, 2010
I've worked with quite a few customers over the past few years around International Traffic in Arms Regulation (ITAR) compliance and other similar foreign national compliance law here in the US. We've had customers implement Oracle IRM solutions primarily to address their concerns over ITAR regulation and IRM is a great way to really address some of the challenges around controlling who has access to what (preventative controls) and also being able to show that you are able to control this access and provide reports (monitoring controls). ITAR can be quite confusing and the areas of information it covers quite vast.
What is ITAR?Wikipedia is always a good start...
"International Traffic in Arms Regulations (ITAR) is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). These regulations implement the provisions of the Arms Export Control Act (AECA), and are described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations. The Department of State interprets and enforces ITAR. Its goal is to safeguard US national security and further US foreign policy objectives."
Basically if your company creates any product or intellectual property that can be used to build a weapon then you need to ensure that information about your product is controlled and can only be accessed by "approved" persons. Essentially, the US government doesn't want advanced weapons ending up in Iran, Syria and other embargoed countries.
How does IRM help?
Let me take another phrase from the Wikipedia entry.
Under ITAR, a "US person" who wants to export USML items to a "foreign person" must obtain authorization from the US Department of State before the export can take place.
Put another way... If you want to share a document containing details on how your product works with, say for example, the Chinese partner who is building your product, you have to ensure only the authorized users get access to that information.
What does IRM do? It uses encryption and access control to ensure that only authorized users can open and access IRM secured documents. IRM obviously brings lots of benefits to ensuring you are meeting your ITAR compliance requirements.
- Every document secured with IRM can only be opened by authorized users. The IRM technology can also communicate with any existing system that defines what users can access what.
- IRM records every single access to secured content and also has a simple management interface to be able to view existing rights controls. So proving you are compliant is easy and simple.
- Because IRM is a persistent document security technology, if a person is no longer authorized to access ITAR covered data (for example their Visa expires) then any documents they have in their possession can no longer be accessed. Oracle IRM centralizes access rights on a server, allowing your business to reflect changes in ITAR law, user restrictions and visa status without having to have physical access to the documents.
For more information on IRM and ITAR, please contact us. There is also a video which demonstrates engineering type information being access via a database based repository and how IRM enforces access control.