Where networking and knowledge intersect.
Robbie Sauerberg, Weston Smith and Jonathan Tudor, CCNA
The Customer Relationship Information Technology Internal Control and Security (CRITICS) framework (figure 1), developed by the authors, is intended to help organizations mitigate the risk inherent in customer relationship management (CRM) systems to realize maximum system benefits. This article first describes the benefits of CRM systems and identifies risk areas inherent in CRM systems that threaten the benefits an organization can receive from a CRM system.
To mitigate risk, organizations should implement a CRM system governance structure at an organizational governance level, an internal control (IC) structure at the IT governance level, and an IT security structure at the IT management level. The objectives of the governance-level structure should directly address the organization’s CRM system risks and should drive and be supported by the IC structure objectives, which, in turn, are driven and supported by IT-security-level objectives.
To help organizations create a structure to meet objectives at each level, a relevant, established framework associated with that level has been identified. The Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is identified for the governance level, the COBIT framework is identified for the IT governance level, and ISO 27002:2005 Information technology—Security techniques—Code of practice for information security management (formerly ISO 17799) is identified for the IT management level. Aspects of each structure are also identified for successful mitigation of risks, including management tone at the top at the governance level, CRM-related internal controls at the IT governance level and CRM-related specific security components at the IT management level.
The CRITICS framework is intended to serve as a catalyst for thinking about structuring effective CRM system risk mitigation.
CRM involves the collection and utilization of customer information during electronic data transactions and other data-capturing techniques to assist in optimization of business goals and objectives.1 Customer data are stored in a centralized location that is accessible to business personnel with authorized access. All captured customer information, regardless of source, is combined under a single customer record.2
All levels of business—management and employees alike—can utilize CRM for goal optimization. Executive management can incorporate CRM data for entitywide strategic decisions by utilizing CRM applications that convert customer information into useful business data. The executive team pursues new industries based on data derived from customer information that depicts changing market conditions. Business unit managers utilize CRM data to determine new consumer product releases to the market.3 Customer-facing staff can collect product interest suggestions through CRM data and can better serve customers through use of the information gathered.4
The primary reason for implementing a CRM system is to connect the organization’s marketing objectives with customer needs. The most critical advantage of a CRM system is its enablement of obtaining an outside perspective of the organization from the customer’s point of view.5 Utilized optimally, this information provides the opportunity to retain customers, improve customer satisfaction and loyalty, and gain the benefits of customer lifetime value (i.e., the total profit that can be derived from a customer over the entirety of transactions they make with the organization).6 To achieve this outcome, the firm must effectively collect and analyze customer data to create information that is useful for building one-to-one relationships.7 A company can align customers with similar interests and segment its marketing approach using this alignment. Company predictions about consumer behavior based upon information obtained can permit strategic item placement, thereby reducing overall marketing costs and effectively increasing company profits.8 This process of continuously capturing and storing data is accompanied by a number of risk factors that must be identified by management and mitigated. The CRITICS framework can be used to help identify these risk factors and to take the steps to mitigate them.
Three categories of inherent risk accompany CRM system benefits: business, regulatory compliance and IT-specific (figure 1). Business risk can negatively impact business goals and operations, including the efficiency and effectiveness of the organization. Effectiveness, the intensity impact by which management executes business objectives,9 is negatively influenced by angering customers through data collection or data trading processes. A company that gathers excessive information can overwhelm its customers and cause business processes to become slower as the amount of data being collected increases, which generates customer dissatisfaction.10 Trading customer data can also anger customers and initiate organizational loss of credibility and trust by those same customers.11
Efficiency objectives relate business output to input. Increasing while maintaining input—or decreasing input while maintaining output—increases efficiency. CRM system efficiency risk includes inaccurate marketing decisions based upon incomplete or incorrect data, which wastes business resources. Consistent CRM system data definition usage is also required to avoid inefficient market decisions. Acknowledgment and control of business risk associated with the goals of efficiency and effectiveness are important to business health.12
CRM data collection is susceptible to regulatory compliance risk. There are three prominent external regulations that govern this type of risk in the US: the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). Three regulatory bodies oversee compliance with these regulations: the US Securities and Exchange Commission, the US Department of Health and Human Services, and a consortium of major credit card corporations, respectively. The regulations focus on three areas: how companies obtain customer information, what information they obtain and how this information is used.
Both the GLBA and HIPAA are enforced only in the US, but the PCI DSS is enforced globally. Many external regulations exist that pose a regulatory compliance risk for CRM systems in different countries around the world, such as the Data Protection Directive in the European Union and the recently drafted but not enforced Information Security Technology—Guide of Personal Information Protection in China.13 To fully understand the regulatory compliance risks that a CRM system faces in different countries around the world, one must conduct research about each country’s current laws and regulations regarding personal data privacy and security.
GLBA specifies that an enterprise should provide its customers with notice of its internal privacy regulations and allow them the opportunity to opt out of data collection.14 HIPAA similarly requires patient permission for collection of personal health information.15 PCI DSS requires companies that accept credit card transactions to achieve an acceptable level of security before collecting credit card information and specifies what information a company can obtain.16 All three regulations require customer permission before gathering any nonpublic information.
There are several limitations on how collected customer data can be used. GLBA specifies that a company must obtain customer consent to further disclose information to a third party, and that the customer will have the ability to opt out of this consent.17 HIPAA requires the primary company to first have a contract with the third party and to meet the patient’s predetermined qualifications for authorized use of customer data.18 PCI DSS mandates that credit card information be shared only with the credit card company associated with the transaction, and not with other entities.19 These regulations must be followed and protection must be provided when companies collect and share customer data.
CRM data collection is also susceptible to IT-specific risk. The five major objectives of IT security are information integrity, confidentiality, system availability, user authentication and nonrepudiation, and there are CRM-related risk factors associated with each.
The risk factors associated with information integrity are data collection methods used, data definition types used and possible manipulation of data by attackers.20 Confidentiality risk factors include theft of CRM data and the viewing of personally identifiable information (PII) by nonauthorized parties.21 System availability risk factors include denial-of-service attacks and the availability of CRM data to customer-facing staff. User authentication risk factors include data tampering by internal, nonauthorized employees and data access by nonauthorized external parties. Risk factors associated with nonrepudiation include failure to log information sources and nonassurance that CRM information submitters are legitimate. A CRM system achieves proper IT security measures upon assurance that these risks are mitigated.22
Achieving organizational goals through CRM system benefits requires implementing an entitywide governance structure as shown in figure 1. Governance assigns responsibility within an organization for achieving business objectives, including employee designation assignments of who is responsible, accountable, consulted or informed for a particular business objective. A governance framework is used to create an organizational governance model that integrates controls throughout the entire organization, and to inform and create the IC frameworks and security frameworks for more specific parts of the company.23 COSO’s Internal Control—Integrated Framework, is a popular governance framework that focuses on five components of IC—the control environment, risk assessment, control activities, information and communication, and monitoring—to achieve governance and business objectives.24
The control environment COSO component evaluates the environment in which the COSO framework will be applied, including analysis of the board of directors’ and management’s philosophy, the organizational structure, and upper management’s policies. This component is critical to the implementation of the COSO framework because a strong understanding of the environment is needed for successful governance. Void of organizational understanding, the remaining IC components will be ineffective. The control environment assessment provides assurance that the organization can utilize the COSO framework to obtain the benefits of a CRM system.
Risk assessments focus on identifying and evaluating risk in achieving organizational goals; once determined, the organization must create a strategy for risk mitigation. Many risk factors can be identified within the CRM system, and the control activities component is used to reduce risk to an acceptable level. A control activity for a CRM system incorporates three integrated segments: the CRM system structure, the customer data within the system and the processes involved.
The fourth component, information and communication, involves collecting and providing structure, data and process information to those accountable for the business process that contains the identified risk. Monitoring control activities to determine effectiveness, required improvements and removal of weaknesses is the final IC component, and is essential to the overall COSO governance framework within an organization.25
An environment conducive to the implementation of entitywide governance, as determined by management’s company culture of governance criticality, is the most important factor in the success of the COSO framework. Upper management’s commitment is a defining factor in the effectiveness of a CRM system. C-level employees, such as the chief technology officer and chief information officer, are responsible for managing costs, assigning roles and ensuring consistency of governance, and they must also communicate the importance of CRM system roles in organizational operations. CRM system use is continuing to grow as an effective management tool, and top management must commit to a positive and thorough tone to effectively integrate a CRM system throughout the organization.26
ICs, as shown in figure 1, must be implemented to control potential risk to a CRM system to ensure accurate data capture and efficient data access. A balance must be struck, however, between company control and user accessibility of data. Risk appetite must be addressed when controls are established to achieve an organization’s acceptable risk levels for data access, security and input.
Once established, CRM system controls should be monitored to ensure that they are aiding in achievement of business objectives. Customer feedback should be used to improve CRM ICs. The COBIT framework describes IC as “the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.”27 COBIT can be applied to CRM systems by utilizing specific high-level objectives from the framework.28 The CRITICS framework prioritizes the specific processes from the COBIT framework that apply specifically to CRM systems.
COBIT 4.1 consists of four domains for achieving the goals of IT systems:
Nearly all 34 COBIT 4.1 processes within the four domains can be applied to the success of realizing CRM system benefits; however, there are specific processes from each domain that should be prioritized for a CRM system based on the CRITICS framework. Processes PO2 Define the information architecture, PO6 Communicate management aims and direction, AI1 Identify automated solutions, AI4 Enable operation and use, DS5 Ensure systems security, DS11 Manage data, ME2 Monitor and evaluate internal control, and ME4 Provide IT governance apply most directly to CRM systems. These processes should be used to establish ICs that are applied to a company’s overall IT architecture. This will ensure that CRM operations are effective and secure and that they align with the company’s goals and objectives.29 Integration of these ICs should be considered during implementation of a CRM system.
Proper measures must be taken to ensure the security of the CRM system prior to, during and upon completion of implementation. Security objectives are designed to support the established ICs as shown at the bottom of figure 1. Security objectives are complimentary to controls, but are focused more on protecting information assets such as hardware, software, communication and people. Data that require protection include customer contact data, financial data, transactional data and any PII. The organization must implement a security solution to the information assets of the organization that protects against the inherent risk of achieving the five IT security objectives of information integrity, confidentiality, system availability, user authentication and nonrepudiation. The solution should assist the organization in complying with external regulations, improve the overall efficiency and effectiveness of the system, and protect against system risks. A security framework can be used to create a proficient security solution.30
ISO 27002 is a widely used model for designing security solutions and is the recommended model to be used with the CRITICS framework. This standard defines 133 overall controls under 11 headings and is designed to address the need for protection of information assets and operation maintenance in best practices as well as compliance requirements.31 ISO 27002 provides a framework for designing policies and procedures, assigning responsibilities and roles, establishing mechanisms for physical security, documenting communications and operations, access control, preparations for disaster recovery planning (DRP) and business continuity planning (BCP), and full compliance with legal requirements. Managers who implement ISO 27002 must assess the risk factors that apply to their organization’s CRM system and determine the specific controls that are necessary. There are nine steps to a comprehensive entitywide security solution, each of which can be applied to a CRM system:
Properly demonstrated compliance follows the requirements of external organizations, thereby avoiding legal ramifications or fines. To support the relevant components of the ISO 27002 framework, an organization must implement specific security components to complete these nine steps.32
CRM IT security has specific security components that are essential to reducing the risks of a CRM system (figure 1). These specific security components that secure a CRM system must be comprehensive and integrated (figure 1). The five IT security objectives—information integrity, confidentiality, system availability, user authentication and nonrepudiation—should be addressed by implementing specific security solutions. These solutions may include encryption, firewalls, intrusion detection systems (IDSs), passwords, smart cards, biometric authentication, DMZs, remote access and periodic penetration tests of the components.
Encryption ensures the protection of consumer data from unauthorized parties during share or transfer, and its use fulfills confidentiality, nonrepudiation, information integrity, and user authentication security objectives. Firewalls create barriers that prevent unauthorized users from accessing the company’s intranet and internal parts of the CRM system and fulfill user authentication and information integrity objectives. IDSs monitor for unauthorized access to the CRM system, fulfilling user authentication and guaranteeing system availability by identifying system attacks. Passwords, smart cards and biometric authentication use knowledge-based, possession-based and biological traits, respectively, to authenticate approved user identity. Their use fulfills confidentiality of submitted CRM data, user authentication to hardware and applications of the CRM system, and nonrepudiation of data submission and manipulation. DMZs allow external interaction with the company’s intranet without exposing the internal network to Internet threats. Creating a common ground between the intranet and Internet provides the company and outside parties, which, for CRM systems, are the customers, the ability to communicate within a secure environment. Use of a DMZ protects a company’s CRM system from hacking, achieving information integrity while providing system availability. Remote access provides employees CRM system access from outside the company’s physical premises through a virtual private network (VPN) while maintaining authentication. Periodic penetration tests should be used to determine the overall effectiveness of the security solution by identifying weaknesses within the security components, helping to guarantee obtainment of the five security objectives, while minimizing vulnerability. These specific security components make up the lowest level of the CRITICS framework for realizing the benefits of CRM.33
Use of the CRITICS framework helps enterprises realize the benefits of a CRM system. Determination of CRM system risk factors, including business risk, regulatory and compliance risk, and IT-specific risk, establishes the need for organizational governance, which is driven by top management’s tone and is implemented using a governance-level framework such as COSO.34 Governance drives the creation of and is supported by the ICs of the organization, which include various specific controls found in an IT governance-level framework such as COBIT. Effective ICs require IT security solutions that incorporate specific security protocols from an IT management-level standard such as ISO 27002.35 Comprehensive implementation is illustrated in the CRITICS framework.
1 Buttle, Francis; Customer Relationship Management: Concepts and Tools, Elsevier Butterworth-Heinemann, The Netherlands, 20042 Aldhizer George R.; James D. Cashell; “Customer Relationship Management Risks and Controls,” Internal Auditor, vol. 61, 2006, p. 52–583 Op cit, Buttle4 Op cit, Aldhizer5 Llamas-Alonso, Maria Rosa; Ana Isabel Jimenez-Zarco; Maria Pilar Martinez-Ruiz; John Dawson; “Designing a Predictive Performance Measurement and Control System to Maximize Customer Relationship Management Success,” Journal of Marketing Channels, vol. 16, issue 1, 20096 Op cit, Buttle7 Reponen, Tapio; Information Technology Enabled Global Customer Service, Idea Group Publishing, USA, 20038 Iyer, Gopalkrishnan; David Bejou; “Customer Relationship Management in Electronic Markets,” Customer Relationship Management in Electronic Markets, Best Business Books, USA, 20039 Op cit, Llamas-Alonso10 Grewal, Dhruv; Joan Lindsey-Mullikin; Jeanne Munger; “Loyalty in E-tailing: A Conceptual Framework,” Customer Relationship Management in Electronic Markets, Best Business Books, USA, 200311 Op cit, Iyer12 Morgan, Jim; “Customer Information Management (CIM): The Key to Successful CRM in Financial Services,” Journal of Performance Management, vol. 22, no. 3, 200913 Wolf, Christopher; “China Publishes Draft Privacy Guidelines,” Chronicle of Data Protection, 8 December 2011, www.hldataprotection.com/14 US Securities and Exchange Commission (SEC), “Final Rule: Privacy of Consumer Financial Information (Regulation S-P),” USA, 18 November 2003, www.sec.gov/rules/final/34-42974.htm15 Direct Marketing Association (DMA), “Frequently Asked Questions: The Privacy Provisions of the Health Insurance Portability and Accountability Act (HIPAA),” DMA Corporate Responsibility Resource Center, August 2002, www.dmaresponsibility.org/HIPPA16 PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 2.0, USA, 2010, www.pcisecuritystandards.org/documents/pci_dss_v2.pdf17 Op cit, SEC18 Op cit, DMA19 Op cit, PCI Security Standards Council20 Op cit, Aldhizer21 Op cit, Grewal22 Op cit, Aldhizer23 Op cit, Llamas-Alonso24 Protiviti, “The COSO Internal Control—Integrated Framework,” Guide to the Sarbanes-Oxley Act, 14 September 200925 Ibid.26 Prewitt Thu, Edward; “CRM Gains Ground as Management Tool,” CIO.com, 1 September 2005, www.cio.com/article/10503/CRM_Gains_Ground_as_Management_Tool27 ISACA, “Internal Control,” Glossary, www.isaca.org/Pages/Glossary.aspx28 Op cit, Aldhizer29 PricewaterhouseCoopers LLP, Risks of Customer Relationship Management: A Security, Control and Audit Approach, Information Systems Audit and Control Foundation, USA, 200330 Piccoli, Gabriele; Richard T. Watson; “Profit From Customer Data by Identifying Strategic Opportunities and Adopting the ‘Born Digital’ Approach,” MIS Quarterly Executive, vol. 7.3, 2008, p. 113-22 31 Op cit, PricewaterhouseCoopers LLP32 Cefaratti, Meghann A.; Lin Hui; Linda Wallace; “The Information Security Control Environment,” Internal Auditor, April 201133 Op cit, Aldhizer34 Op cit, Protiviti35 Op cit, Cefaratti
Robbie Sauerberg is a digital sales planner at Wired in New York (New York, USA). Previously, he was a strategic planning intern for Hewlett-Packard at its Cupertino campus in Silicon Valley (California, USA) and an intern in integrated marketing for Wired.
Weston Smith is a senior undergraduate student at Miami University (Oxford, Ohio, USA) with a focus in accountancy and a minor in management information systems. He is the vice president of finance for Miami University’s ISACA student organization. After graduation he will enter PwC’s State and Local Tax Consulting practice in New York City, as he prepares for the Certified Public Accountant (CPA) exam.
Jonathan Tudor, CCNA, is a senior in the Farmer School of Business at Miami University (Oxford, Ohio, USA). Tudor is the president of Miami University’s ISACA student organization and is the chief information officer and webmaster for Miami Business Consulting.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.