Microsoft Dynamics CRM Online Security and Service Continuity Guide

Microsoft Corporation
Published July 2012

Abstract

This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program.
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Hyper-V, Internet Explorer, Microsoft Dynamics, Microsoft Dynamics logo, MSDN, Outlook, Notepad, SharePoint, Silverlight, Visual C++, Windows, Windows Azure, Windows Live, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.
Contents

Microsoft Dynamics CRM Online Security and Service Continuity Guide
  Applies To
  Introduction
Microsoft Dynamics CRM Online Security
  Securing the Microsoft Dynamics CRM Service
  Physical Security
  Logical Security
  Delivering Reliable Service
Microsoft Dynamics CRM Online Service Continuity
  Service Continuity Management
    Incident Classification
    Catastrophic Outages and Declarations of Disaster
      The Service Health Dashboard
Microsoft Dynamics CRM Online Compliance
  Support for Leading Industry Certifications
Appendix A: Additional Resources
  Microsoft Dynamics CRM Online
  Security and Operations
Feedback
Microsoft Dynamics CRM Online Security and Service Continuity Guide

Published: July 2012

Applies To

Microsoft Dynamics CRM Online

In this White Paper

- Introduction
- Microsoft Dynamics CRM Online Security
- Microsoft Dynamics CRM Online Service Continuity
- Microsoft Dynamics CRM Online Compliance
- Appendix A: Additional Resources

Introduction

This section introduces the purpose and scope of the information provided in this paper.

Purpose

Microsoft Dynamics CRM Online delivers the power of cloud productivity to businesses of all sizes, helping customers save time and money and free up valued resources. Microsoft understands that when customers allow an external service provider to store and manage their data, key considerations include security, data protection, privacy, and data ownership. Microsoft takes these concerns seriously and has applied its years of cloud and on-premises experience with security and privacy to the Microsoft Dynamics CRM Online service.

Scope

This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program.

Download

This paper can be downloaded from the Microsoft Download Center: Microsoft Dynamics CRM Online Security and Service Continuity Guide.
Microsoft Dynamics CRM Online Security

The security architecture of Microsoft Dynamics CRM Online has been designed using key principles of the Microsoft Trustworthy Computing initiative. To ensure that customer data is highly safeguarded from risks and threats, Microsoft applies a common set of security policies to the Microsoft Dynamics CRM Online service through the Microsoft security program. The Microsoft Dynamics CRM Online service operates in compliance with these security policies and relevant industry standards. Microsoft is committed to continually improving and evolving the Microsoft Dynamics CRM Online service to ensure that customers are highly protected from current and future threats.

This section describes how Microsoft protects customers’ business data and delivers the Microsoft Dynamics CRM Online service securely and reliably.

Securing the Microsoft Dynamics CRM Service

Microsoft helps comprehensively secure the Microsoft Dynamics CRM Online service by applying the Trustworthy Computing approach, which ensures that the security of the Microsoft Dynamics CRM Online service is vigilantly maintained, regularly enhanced, and routinely verified through testing.

Note: For more information about Trustworthy Computing, see the page Foundations of Trustworthy Computing.

The Trustworthy Computing approach provides protection at multiple levels:

- Physical layers at data centers: Physical controls, video surveillance, access control.
- Logical layers: Data isolation, hosted applications security, infrastructure service, network level, identity and access management, federated identity and single sign-on.

Physical Security

Microsoft ensures that the environment in which the Microsoft Dynamics CRM Online customer’s data is stored is physically secured by controlling accessibility through multiple security checks. These physical security checks are applied at multiple levels in the Microsoft data centers, and the Microsoft Dynamics CRM Online service is delivered through carrier-class data centers that ensure consistent delivery according to the service-level agreement (SLA).

These data centers include the following industry-standard features:

- Secure physical access for authorized personnel only: Access is restricted by job function so that only essential personnel receive authorization to manage customers’ applications and service. Physical access authorization utilizes multiple authentication and security processes: badge and smartcard, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication for physical access to the data center environment.
- Redundant power supplies, including two separate power feeds into each data center, battery backup, and diesel generators (with alternative fuel delivery contracts in place).
- Climate control to ensure that equipment runs at optimal temperature and humidity.
- Natural disaster control, including seismically braced racks where required and fire prevention and extinguishing systems.
- Physical monitoring, including motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
- Worldwide Microsoft data center locations: The Microsoft Dynamics CRM Online service is deployed in Microsoft data centers that are located around the world, and offer geographically local hosting with global availability.
- Secure network design and operations: The networks within the Microsoft data centers are designed to create multiple separate network segments within each data center. This segmentation helps to provide physical separation of critical, back-end servers and storage devices from the public-facing interfaces.
- Exceptional hardware: The underlying hardware used in Microsoft data centers is specifically designed to operate as efficiently, effectively, and securely as possible. The hardware helps Microsoft eliminate unnecessary costs, save power and space consumption, and pass on these savings to Microsoft Dynamics CRM Online customers.

Logical Security

Logical security in Microsoft Dynamics CRM Online is just as important as physical security. In Microsoft Dynamics CRM Online, the following key features provide logical security.

- Data isolation: Data storage and processing is logically segregated among customers. The multitenant security architecture ensures that customer data stored in shared Microsoft Dynamics CRM Online data centers is not accessible by or compromised to any other organization. Each tenant is provisioned their own database, which ensures isolation from other customer data. In addition, tenants are isolated from each other based on security boundaries which are enforced logically through the Microsoft Dynamics CRM Online middle tier.
- Hosted applications security: Microsoft ensures that applications hosted by Microsoft data centers are highly protected by robust security features and security measures that control access, which are described in the following table.
  Feature | Description
  --- | ---
  Customizable security roles | Govern user access and the actions they can perform.
  Business data auditing | Allow organizations to maintain an audit trail that demonstrates accountability from beginning to end.
  Field-level security | Control the permission of users and teams to read, create, or write in a data field.
  Role-based forms | Control the visibility of data for a specific record type.

  Note: For guidelines and best practices associated with setting up these features in Microsoft Dynamics CRM Online, see the Microsoft Dynamics CRM Online Enterprise Planning Guide.

- Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement the Microsoft Dynamics CRM Online service. Security Development Lifecycle helps to ensure that the service is highly secured—even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, the Security Development Lifecycle helps Microsoft to identify:
  - Potential threats while running a service.
  - Exposed aspects of the service that are open to attack.

  If potential threats are identified at Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting service or eliminating unnecessary functions. After eliminating unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase.
- Secured Microsoft Dynamics CRM Online service infrastructure: Infrastructure-level security measures include:
  - Extensive server monitoring support integrated with the overall Microsoft System Center Operations Manager monitoring architecture.
  - Secure remote access via Microsoft Windows Server Remote Desktop Service.
  - Multi-tier administration, using a three-tier administration model that isolates administrative tasks and controls access based on user role and the level of authorized administrative access.
  - Environmental security scanning to monitor for vulnerabilities and incorrect configuration.
  - Intrusion detection systems to provide continuous monitoring of all access to the Microsoft Dynamics CRM Online service. Sophisticated correlation engines analyze this data to immediately alert staff of any “suspicious” connection attempts.
  - Security standards for operating systems to help protect the Microsoft Dynamics CRM Online service from attack by malicious users or malicious code, including disabling nonessential services, securing file shares to require authorization, and implementing the Data Execution Prevention (DEP) feature. DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running.
  - Systems management and access control using Active Directory. Active Directory manages networks and component servers that run the Microsoft Dynamics CRM Online service. Applications that provide the online service are designed to operate efficiently and effectively within the Active Directory environment.
  - Central management of security policies. The Microsoft staff manages and enforces security policies centrally from secured servers that are dedicated to controlling and monitoring network-wide systems. A delegated management model enables administrators to have only the access they need to perform specific tasks, reducing the potential for error and allowing access to systems and functions strictly on an as-needed basis.
  - New servers can be quickly and safely configured, and template-based server hardening ensures that new capacity is brought online with security measures already in place.
- Network-level security measures: These measures include features related to providing a highly secured connection over the Internet:
  - Customer access to service provided over the Internet originates from users’ Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and data center.
  - A redundant network provides full failover capability and helps ensure 99.9 percent network availability.
  - All remote connections by Microsoft operations personnel must be made via Remote Desktop Service and two-factor authentication.
- Identity and access management: Access to the systems hosting the Microsoft Dynamics CRM Online service is controlled through the following methods:
  - Staff-level access control: Data center staff’s access to the IT systems that store customer data is strictly controlled. Access control follows the separation of duties principle and granting least privilege.
  - Proactive host security: Microsoft Dynamics CRM Online security is enhanced by proactively securing the host system.
    - Server hardening by disabling unnecessary service
    - Logging and auditing
  - Restricted access to service:
    - Content inspection
    - Hardened servers
    - Sessions better protected by SSL/TLS

  Note: Mobile device access depends on wireless capability or mobile network availability.

- Federated identity and single sign-on: With on-premises Active Directory, administrators can use single sign-on for Microsoft Dynamics CRM Online service authentication. To achieve this, administrators can configure on-premises Active Directory Federation Services—a Windows Server 2008 service—to federate with the Office 365 services federation gateway. After Active Directory Federation Services is configured, all Microsoft Dynamics CRM Online users whose identities are based on the federated domain can use their existing corporate logon to automatically authenticate to Microsoft Dynamics CRM Online.

  Note: For more information about federated identity and single sign-on, see the Office 365 Identity Service Description, which is one of the Office 365 for Enterprise Service Descriptions.

Delivering Reliable Service

To ensure the reliability of the Microsoft Dynamics CRM Online service, Microsoft focuses on effective deployment, administration, and maintenance.

- Operations management and service deployment: Operations is a key component of the Microsoft Dynamics CRM Online service and is central to overall security and availability. Operations management practices for Microsoft Dynamics CRM Online (for example, change management, incident and problem management) are based upon industry-standard principles of the Information Technology Infrastructure Library (ITIL). Microsoft has added the Microsoft Operations Framework (MOF)—a standardized implementation of ITIL recommendations—which provides an integrated set of best practices, principles, and activities that help organizations achieve reliability for their IT solutions and service. Microsoft Dynamics CRM Online maintains a dedicated security organization that is focused on constant security vigilance, with a staff that follows the principles defined in MOF. The security team adheres to the following functions defined by ITIL and applies them to the operation of the Microsoft Dynamics CRM Online service:
  - Change management
  - Incident management
  - Problem management

  In addition, the Microsoft Dynamics CRM Online service requires distinct hosted service development, deployment, and operations staff to adhere to the principle of segregation of duty. This includes controlling access to the source code, build servers, and production environment. For example:
  - Access to the Microsoft Dynamics CRM Online service production environment is restricted to operations personnel. Development and test teams may be granted temporary access to help troubleshoot issues.
  - Access to the Microsoft Dynamics CRM Online service source code control is restricted to development personnel; operations personnel cannot change source code.
- Monitoring and risk reduction: Microsoft makes significant investments in developing tools and services for monitoring Microsoft Dynamics CRM Online and its environment.
  - Microsoft System Center Operations Manager: Servers within the Microsoft Dynamics CRM Online service environment are configured to maximize the reporting of security events from the operating system and applications. The Microsoft Dynamics CRM Online service operations team uses the latest technology and optimized processes to harvest, correlate, and analyze information as it is received. System Center Operations Manager is an end-to-end service management environment that integrates with platform and service hardware and software to provide continuous health monitoring. System Center Operations Manager management packs provide internal transaction monitoring, capabilities for looking at service threshold models, and CPU utilization analysis that is tailored to the Microsoft Dynamics CRM Online service applications. In addition, custom management packs are layered above the Microsoft Dynamics CRM Online platform to provide operations staff with very specific information that helps identify trends and predict behavior that may require proactive intervention.
  - Integrated infrastructure and web performance monitoring: System Center Operations Manager data is combined with feeds from additional specialized tools and service to capture, aggregate, and analyze the network that operates Microsoft Dynamics CRM Online service as well as the behavior of key sites on the Internet. For example, if connectivity begins to degrade, staff can identify whether the problem is internal to the Microsoft Dynamics CRM Online service or caused by conditions on the Internet that may represent a risk to Microsoft Dynamics CRM Online customers.
  - Hardware and software subsystems monitoring: Proactive monitoring continuously measures the performance of key subsystems of the Microsoft Dynamics CRM Online service platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event. Some specific thresholds are described in the following table.
    Threshold | Description
    --- | ---
    CPU utilization | When CPU utilization reaches 80 percent, a non-critical alert displays, and at 90 percent, a critical alert displays.
    Service utilization | Various service components, including service licenses, capacity for email, and Microsoft SharePoint Online, are all monitored.
    Storage utilization | When storage reserves are reduced to 15 percent, a non-critical alert displays, and at 7 percent, a critical alert displays.
    Network latency | When network latency reaches 100 milliseconds, a non-critical alert displays, and at 300 milliseconds, a critical alert displays.

Microsoft Dynamics CRM Online Service Continuity

Service continuity management focuses on the ability to restore service for Microsoft Dynamics CRM Online customers in a predetermined timeframe during a critical service outage. Achieving restored service requires preparation, planning, technical implementation, exercises that simulate outages, and execution at the time of an incident.

This section describes the common approach to service continuity management that is taken by Microsoft Dynamics CRM Online. It also explains how Microsoft Dynamics CRM Online ensures data availability and service reliability to customers. This section also explains how service continuity capabilities developed by Microsoft are integrated into the design of the Microsoft Dynamics CRM Online service.

Service Continuity Management

Microsoft Dynamics CRM Online is delivered by highly resilient systems that help to ensure high levels of service. Microsoft Dynamics CRM Online capitalizes on the experience that Microsoft has in hosting services as well as close ties to Microsoft product groups and support service to create a service that meets the high standards that customers demand.

Part of the Microsoft Dynamics CRM Online system design, service continuity provisions enable Microsoft Dynamics CRM Online to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable).
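The two-level alert model in the monitoring threshold table under Delivering Reliable Service (CPU at 80/90 percent, storage reserves at 15/7 percent, latency at 100/300 ms) can be expressed as a small evaluator. This is an added example, not code from Microsoft or the guide; the threshold values are the guide's, while the metric names, the inclusive reading of "reaches", the sample readings and the transition-only reporting are this example's own assumptions.

```python
"""Alert-level evaluation for the monitoring thresholds listed in the guide.

Added example (not Microsoft's code). Threshold values come from the guide's
table; metric names and sample readings below are constructed for the example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Alert(IntEnum):
    NONE = 0
    NON_CRITICAL = 1
    CRITICAL = 2


@dataclass(frozen=True)
class Threshold:
    metric: str
    unit: str
    non_critical: float
    critical: float
    higher_is_worse: bool  # False for storage *reserves*, which shrink as disks fill

    def evaluate(self, value: float) -> Alert:
        """Return the alert level for one reading.

        The guide says an alert displays when a value "reaches" the threshold,
        read here as inclusive (assumption). The critical bound is checked
        first so a reading past both bounds reports the higher level.
        """
        if self.higher_is_worse:
            if value >= self.critical:
                return Alert.CRITICAL
            if value >= self.non_critical:
                return Alert.NON_CRITICAL
        else:
            if value <= self.critical:
                return Alert.CRITICAL
            if value <= self.non_critical:
                return Alert.NON_CRITICAL
        return Alert.NONE


# Values from the guide's threshold table; metric keys are this example's own.
THRESHOLDS = {
    "cpu_utilization": Threshold("cpu_utilization", "percent", 80, 90, True),
    "storage_reserve": Threshold("storage_reserve", "percent", 15, 7, False),
    "network_latency": Threshold("network_latency", "ms", 100, 300, True),
}


def evaluate_readings(readings: dict) -> dict:
    """Map each metric reading to its alert level; unknown metrics fail loudly
    rather than being silently ignored, so a typo cannot disable a check."""
    levels = {}
    for metric, value in readings.items():
        if metric not in THRESHOLDS:
            raise KeyError(f"no threshold defined for metric {metric!r}")
        levels[metric] = THRESHOLDS[metric].evaluate(value)
    return levels


def highest_alert(readings: dict) -> Alert:
    """Overall level for one sample: the worst individual metric."""
    return max(evaluate_readings(readings).values(), default=Alert.NONE)


def alert_transitions(metric: str, series: list) -> list:
    """Report only changes of alert level across a time series of readings,
    as (index, value, new_level), so operators are paged on escalation and
    recovery rather than on every sample that stays above a bound."""
    threshold = THRESHOLDS[metric]
    previous = Alert.NONE
    changes = []
    for index, value in enumerate(series):
        level = threshold.evaluate(value)
        if level != previous:
            changes.append((index, value, level))
            previous = level
    return changes


if __name__ == "__main__":
    # Constructed sample: one polling interval across the three metrics.
    sample = {"cpu_utilization": 85, "storage_reserve": 6, "network_latency": 50}
    for name, level in evaluate_readings(sample).items():
        print(f"{name}: {level.name}")
    print("page level:", highest_alert(sample).name)
    # Constructed CPU series: climbs through both bounds, then recovers.
    for change in alert_transitions("cpu_utilization", [50, 85, 88, 95, 70]):
        print("transition:", change)
```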
Incident Classification

Service outages may be caused by hardware or software failure in the Microsoft data center, a faulty network connection between the customer and Microsoft, or a major data center challenge such as fire, flood, or regional catastrophe. Most service outage incidents can be addressed using Microsoft technology and process solutions and are resolved within a short time. However, some incidents are more serious and can lead to long-term outages.

To classify outage incidents as minor, critical, and catastrophic events based on their impact to customers, Microsoft Dynamics CRM Online uses the Service Interruption Scale, which is shown in the following graphic:

Catastrophic Outages and Declarations of Disaster

Microsoft Dynamics CRM Online analyzes each incident that affects service availability to determine scope and possible solutions. Outages that cause customer work to stop may be considered catastrophic outages. In addition, outages that are classified as a critical or catastrophic event based on the Service Interruption Scale may be declared disasters.

Important: Declaration of a disaster does not automatically result in failover of a customer’s redundant secondary site.
The Service Health Dashboard

Customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments are notified of service interruptions via the Service health dashboard, which is shown in the following graphic:

When an outage is declared a disaster, regular customer notifications are provided through the Service health dashboard (for customers managing their Microsoft Dynamics CRM Online subscription through the Microsoft online services portal) until a solution is found.

Responsibilities during a Service Outage

During a system outage, Microsoft’s responsibilities include:

- Providing contact information in the form of a single email group alias and phone number so that the customer can engage appropriate personnel at the time of an event to review current status of the outage, disaster declaration criteria, and approval or disapproval of failing over to the secondary site.
- Incorporating feedback from the customer to decide whether to fail over to the customer’s secondary site.

Ensuring Data Availability

Microsoft ensures customer data is available whenever it is needed, with the help of the following features of Microsoft Dynamics CRM Online service.

Data Storage and Redundancy

Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center. As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location.

Data Monitoring and Maintenance
Along with the safeguards in place against data loss, Microsoft Dynamics CRM Online service policies help to maintain data performance levels.

- Monitoring databases: Databases are regularly checked for blocked processes and long-running queries.
- Preventative maintenance: Maintenance includes refreshing indexes, reviewing error logs, and monitoring storage capacity levels.

Dedicated Support

The Microsoft Dynamics CRM Online development and operations teams are complemented by a dedicated Microsoft Dynamics CRM Online support organization, which plays an important role in providing customers with business continuity. Support staff has a deep knowledge of the service and its associated applications as well as direct access to Microsoft experts in architecture, development, and testing.

The support organization closely aligns with operations and product development, offers fast resolution times, and provides a channel for customers’ voices to be heard. Feedback from customers provides input to the planning, development, and operations processes.

- Online issue tracking: Customers need to know that their issues are being addressed, and they need to be able to track timely resolution. For customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments, the portal serves as a single web-based interface for support. Customers can use the portal to add and monitor service requests and receive feedback from Microsoft support teams.

  Warning: Customers not using the Microsoft online services portal can track and follow their issues via the CRM Resource Center link for support access.

- Self-help, backed by continuous staff support: Microsoft Dynamics CRM Online offers a wide range of self-help resources and tools that can help customers to resolve service-related issues without requiring Microsoft support. Before customers enter service requests, they can access knowledge base articles and FAQs that provide immediate help with the most common problems. These resources are continually updated with the latest information, which helps avoid delays by providing solutions to known issues. However, when an issue arises that needs the help of a support professional, staff members are available through online communication to cover most situations and by telephone for mission-critical needs.

Microsoft Dynamics CRM Online Compliance

Microsoft has designed security, data protection, reliability, and privacy of the Microsoft Dynamics CRM Online service around high industry standards. Microsoft Dynamics CRM Online and the infrastructure on which it relies (Microsoft Global Foundation Services) employ security frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of standards and are ISO 27001 certified by independent auditors. Our ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance against which we are certified.
  15. 15. BSI auditing professionals are bound by professional ethics to provide an unbiased, third-partyanalysis of Microsoft Dynamics CRM Online compliance. To make this evaluation, they observeroutine operations, interview relevant personnel, and review documentation in each of the areascovered in the Statement of Applicability (SOA). ISO 27001 defines how to implement, monitor,maintain, and continually improve the Information Security Management System (ISMS). Inaddition, both the service and the infrastructure undergo yearly SAS 70 (or successor SSAE16)assessments.The Microsoft Online Service Information Security Policy, applicable to Microsoft Dynamics CRMOnline, aligns with International Organization for Standards ISO 27002 augmented withrequirements specific to online service. The ISO 27001 certification which Microsoft has receivedis supplemented by ISO 27002, which provides a suggested set of suitable controls.Microsoft Dynamics CRM Online customers can review the ISO standard and published Microsoftservice documentation to determine whether their security requirements are satisfied. MicrosoftDynamics CRM Online features enhanced security for most types of data and jurisdictions. Warning For more information about how Microsoft Dynamics CRM Online fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, see the white paper Standard Response to Request for Information – Security and Privacy.However, customers must evaluate sensitive data, or data that must be held to a certain level ofsecurity or under applicable regulations, for use through the service offering. 
In some instances,the data may require a specific security requirement that Microsoft does not provide.Support for Leading Industry CertificationsMicrosoft was first certified for Safe Harbor in 2001, and the LCA Regulatory Affairs teamrecertifies compliance with the Safe Harbor Principles every 12 months.In addition to EU Member States, members of the European Economic Area (Iceland, Norway,and Liechtenstein) also recognize Safe Harbor members as providing adequate privacyprotection to justify trans-border transfers from their countries to the U.S. Switzerland has anearly identical agreement (Swiss-U.S. Safe Harbor) with the U.S. Department of Commerce tolegitimize transfers from Switzerland to the U.S., to which Microsoft has also certified.Several other countries, such as Canada and Argentina, have passed comprehensive privacylaws and the EU has cleared them for data transfer from the EU to those countries. EU Model Clauses*. In addition to EU Safe Harbor, Microsoft Dynamics CRM Online is willing to sign the standard contractual clauses created by the European Union (called the “EU Model Clauses”), which address international transfer of data. HIPAA-Business Associate Agreement*. Microsoft Dynamics CRM Online is also willing to sign requirements for the HIPAA-Business Associate Agreement with all customers. HIPAA is a U.S. law that applies to healthcare entities such as doctor’s offices, which the law calls “covered entities.” HIPAA governs the use, disclosure and safeguarding of protected health 15
  16. 16. information (PHI), and imposes requirements on covered entities to sign business associate agreements with their vendors that use and disclose PHI. Data Processing Agreement*. Microsoft offers customers a comprehensive standard Data Processing Agreement that addresses privacy, security and handling of Customer Data. Our standard Data Processing Agreement enables customers to comply with their local regulations.*Applicable to Microsoft Dynamics CRM Online customers who manage their Online Servicesthrough the Microsoft online services portal. Important For additional detail about Microsoft Dynamics CRM Online support for leading industry certifications, see the Microsoft Dynamics CRM Online Service Trust Center.The Gramm Leach Bliley Act (GLBA) sets minimum security and privacy requirements forfinancial institutions in the United States. Software/ service cannot claim to be “GLBA compliant”because GLBA compliance also requires procedures and policies. Two of the principalregulations under GLBA that affect Microsoft Dynamics CRM Online cloud service are:1. Financial Privacy Rule: Governs the collection and disclosure of customers’ personal financial information by financial institutions.2. Safeguards Rule: Requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit carddata are Level One Payment Card Industry (PCI) Compliant, and customers can use credit cardsto pay for the service with confidence. 
An independent third party audits and determines whetherthe commerce platform that supports Microsoft Dynamics CRM Online has satisfactorily met thePayment Card Industry Data Security Standard (PCI DSS) version 1.2.The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, orstoring PCI-governed data. PCI-DSS is an industry standard designed to protect and maintainsensitive data during transmission and storage throughout the data life cycle. At a minimum,organizations that support transactions via credit and debit cards are required to have a degree ofcompliance to the PCI standard.There is confusion in the marketplace around the impact of PCI DSS; many customers state thatall data within their organizations requires PCI certification and compliance, and that the onlineservice must also demonstrate compliance. While Microsoft does need to be compliant for thePrimary Account Number (PAN) data it processes, and it is, customers should not use theMicrosoft Dynamics CRM Online service to transmit or store PAN data for their own use. Note PCI compliance will only apply if Primary Account Number (PAN) is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the 16
  17. 17. transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data.Appendix A: Additional ResourcesFor additional information related to Microsoft Dynamics CRM Online security and servicecontinuity, see the following resources.Microsoft Dynamics CRM OnlineMicrosoft Dynamics CRM Online Product Fact SheetMicrosoft Dynamics CRM Online Service AgreementMicrosoft Dynamics CRM Online Service Level AgreementSupport for Dynamics CRM OnlineMicrosoft Dynamics CRM Online Resource CenterMicrosoft Dynamics CRM Online Service DescriptionMicrosoft Dynamics CRM Online Enterprise Planning GuideSecurity and OperationsMicrosoft® System Center Operations Manager 2007System Center Operations Manager 2007 R2 SDKThe Security Model of Microsoft Dynamics CRMMicrosoft Trustworthy Computing Security Development LifecycleMicrosoft Safety and Security CenterFeedbackWe appreciate hearing from you. To send your feedback, click the following link and type yourcomments in the message body. Note The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback.Send feedback (http://go.microsoft.com/fwlink/?LinkID=247619) 17
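The PCI DSS discussion above tells customers to apply customer-side policies that keep PAN data out of the online environment, but does not show what such a control looks like. The following Python is an added example, not code from the Microsoft guide: a pre-submission gate that scans the string fields of a CRM record for card numbers (13 to 19 digits, optionally separated by spaces or dashes, that pass the Luhn check) and either masks them to their last four digits or refuses to submit the record. The record layout, field names and sample values are constructed for illustration; the two card numbers are the widely published Visa and American Express test numbers, and the order number is a 16-digit value that fails the Luhn check and must survive untouched.

```python
"""Customer-side gate that keeps primary account numbers (PANs) out of CRM records.

Added example for the PCI DSS section of this guide; it is not code from the
Microsoft guide. Record layout, field names and sample values are constructed.
"""
from __future__ import annotations

import re
from typing import Any

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the substrings of text that look like a card number and pass the Luhn check."""
    hits = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = _SEPARATORS.sub("", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(match.group(0))
    return hits


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with asterisks; separators are dropped."""
    digits = _SEPARATORS.sub("", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_record(record: dict[str, Any], mode: str = "redact") -> tuple[dict[str, Any], list[str]]:
    """Scan every string field of a record before it is sent to the online service.

    mode="redact": return a copy with each PAN replaced by its masked form.
    mode="block":  raise ValueError so the record is never submitted.
    Returns (sanitized_record, names_of_fields_that_contained_a_PAN).
    """
    if mode not in ("redact", "block"):
        raise ValueError(f"unknown mode {mode!r}")
    clean: dict[str, Any] = {}
    flagged: list[str] = []
    for field, value in record.items():
        if isinstance(value, str):
            pans = find_pans(value)
            if pans:
                flagged.append(field)
                if mode == "block":
                    raise ValueError(f"PAN detected in field {field!r}; record not submitted")
                for pan in pans:
                    value = value.replace(pan, mask_pan(pan))
        clean[field] = value
    return clean, flagged


# Constructed CRM record: the card numbers are the well-known Visa and American
# Express test numbers; the order number fails the Luhn check and must survive.
SAMPLE_RECORD = {
    "contact": "A. Example",
    "phone": "+1 425 555 0100",
    "notes": "Customer called; card 4111 1111 1111 1111 declined, wants callback. Order 1234567890123456.",
    "alt_payment": "Amex 378282246310005 on file",
}

if __name__ == "__main__":
    sanitized, fields = scrub_record(SAMPLE_RECORD)
    print("fields containing a PAN:", fields)
    for key, value in sanitized.items():
        print(f"  {key}: {value}")
```

The Luhn check removes most false positives from long digit runs (about nine in ten random digit strings fail it) but not all, so a free-text field can still be flagged wrongly; running the gate in "block" mode and routing refusals to a human reviewer is the safer default for fields that should never carry card data. Masking to the last four digits is the display form PCI DSS permits, but the real control is the one the guide recommends: hand the full PAN to a PCI-validated payment gateway and store only that gateway's token in the CRM record.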
