Jonathan Tudor, CCNA
My two coauthors and I started to write the Customer Relationship Information Technology Internal Control and Security (CRITICS) Framework a little over a year ago as part of an IT audit, control and governance course we were taking at Miami University. Originally, we found the idea of applying an IT risk mitigation framework to customer relationship management (CRM) systems a good choice for a class paper because of our academic backgrounds, which span management information systems, marketing and accounting. Now, reflecting on the data breach events of 2011, I see that IT risk mitigation for CRM systems is not only something that we had the proper background to write about, it is something that needs to be addressed with action. Action, I hope, the CRITICS Framework can help create.
2011 was arguably the most active year in history for customer-data breaches. Six months of 2011 each saw more data breaches recorded than the most active month in 2010. Two of these months, June and November, set records for the most data breaches in a single month: 118 in June and 119 in November. Additionally, in 2011, four of the largest data breaches in history occurred, and two of the most expensive, at Sony and Epsilon.
This information is alarming for all stakeholders involved. Customers are concerned about the security of their personal data as they hear of more data breaches and identity theft, and they begin to lose trust in companies. Executives become increasingly fearful of data breaches, as they see the huge costs, negative publicity and loss of customer trust involved. IT professionals keep working but cannot seem to keep these attacks from being successful due to either limited funding, lack of security professionals or stretched resources.
This is driving increased attention to IT governance, control and security for customer data. CRM systems are central to this, as they are the primary systems for handling customer data. Mitigation of the business, regulatory-compliance and IT-specific risk of CRM systems will help protect companies from the harsh effects of a major data breach. A coordinated, actionable approach by executive management, business, IT and security professionals is essential for success. Properly integrated governance, internal controls and security, as proposed by the CRITICS Framework, can be part of the answer to success. The stage has been set and the negative consequences observed; now it is time for us to take action and protect customer data.
Read Jonathan Tudor, Robbie Sauerberg and Weston Smith’s recent Journal article:
“Customer Relationship Information Technology Internal Control and Security (CRITICS) Framework,” ISACA Journal, JOnline, volume 2, 2012