SlideShare a Scribd company logo

Microsoft Dynamics CRM Online Security and Service Continutity

Nerea
Nerea

This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program.

TechnologyBusiness
1 of 17
Download to read offline
Microsoft Dynamics CRM Online Security and Service Continuity Guide Microsoft Corporation Published July 2012 Abstract This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program.
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Hyper-V, Internet Explorer, Microsoft Dynamics, Microsoft Dynamics logo, MSDN, Outlook, Notepad, SharePoint, Silverlight, Visual C++, Windows, Windows Azure, Windows Live, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents Microsoft Dynamics CRM Online Security and Service Continuity Guide....................................... 4 Applies To .................................................................................................................................... 4 Introduction ................................................................................................................................... 4 Microsoft Dynamics CRM Online Security ................................................................................... 5 Securing the Microsoft Dynamics CRM Service ....................................................................... 5 Physical Security....................................................................................................................... 5 Logical Security......................................................................................................................... 6 Delivering Reliable Service ....................................................................................................... 9 Microsoft Dynamics CRM Online Service Continuity ................................................................. 11 Service Continuity Management ............................................................................................. 11 Incident Classification .......................................................................................................... 12 Catastrophic Outages and Declarations of Disaster ........................................................... 12 The Service Health Dashboard ........................................................................................ 13 Microsoft Dynamics CRM Online Compliance ........................................................................... 14 Support for Leading Industry Certifications ............................................................................ 15 Appendix A: Additional Resources ............................................................................................. 17 Microsoft Dynamics CRM Online ............................................................................................ 17 Security and Operations ......................................................................................................... 17 Feedback .................................................................................................................................... 17
Microsoft Dynamics CRM Online Security and Service Continuity Guide Published: July 2012 Applies To  Microsoft Dynamics CRM Online In this White Paper  Introduction  Microsoft Dynamics CRM Online Security  Microsoft Dynamics CRM Online Service Continuity  Microsoft Dynamics CRM Online Compliance  Appendix A: Additional Resources Introduction This section introduces the purpose and scope of the information provided in this paper. Purpose Microsoft Dynamics CRM Online delivers the power of cloud productivity to businesses of all sizes, helping customers save time and money and free up valued resources. Microsoft understands that when customers allow an external service provider to store and manage their data, key considerations include security, data protection, privacy, and data ownership. Microsoft takes these concerns seriously and has applied its years of cloud and on-premises experience with security and privacy to the Microsoft Dynamics CRM Online service. Scope This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program. Download This paper can be downloaded from the Microsoft Download Center: Microsoft Dynamics CRM Online Security and Service Continuity Guide. 4
Microsoft Dynamics CRM Online Security The security architecture of Microsoft Dynamics CRM Online has been designed using key principles of the Microsoft Trustworthy Computing initiative. To ensure that customer data is highly safeguarded from risks and threats, Microsoft applies a common set of security policies to the Microsoft Dynamics CRM Online service through the Microsoft security program. The Microsoft Dynamics CRM Online service operates in compliance with these security policies and relevant industry standards. Microsoft is committed to continually improving and evolving the Microsoft Dynamics CRM Online service to ensure that customers are highly protected from current and future threats. This section describes how Microsoft protects customers’ business data and delivers the Microsoft Dynamics CRM Online service securely and reliably. Securing the Microsoft Dynamics CRM Service Microsoft helps comprehensively secure the Microsoft Dynamics CRM Online service by applying the Trustworthy Computing approach, which ensures that the security of the Microsoft Dynamics CRM Online service is vigilantly maintained, regularly enhanced, and routinely verified through testing. Note For more information about Trustworthy Computing, see the page Foundations of Trustworthy Computing. The Trustworthy Computing approach provides protection at multiple levels:  Physical layers at data centers: Physical controls, video surveillance, access control.  Logical layers: Data isolation, hosted applications security, infrastructure service, network level, identity and access management, federated identity and single sign-on. Physical Security Microsoft ensures that the environment in which the Microsoft Dynamics CRM Online customer’s data is stored is physically secured by controlling accessibility through multiple security checks. These physical security checks are applied at multiple levels in the Microsoft data centers, and the Microsoft Dynamics CRM Online service is delivered through carrier-class data centers that ensure consistent delivery according to the service-level agreement (SLA). These data centers include the following industry-standard features:  Secure physical access for authorized personnel only: Access is restricted by job function so that only essential personnel receive authorization to manage customers’ applications and service. Physical access authorization utilizes multiple authentication and security processes: badge and smartcard, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication for physical access to the data center environment. 5
 Redundant power supplies, including two separate power feeds into each data center, battery backup, and diesel generators (with alternative fuel delivery contracts in place).  Climate control to ensure that equipment runs at optimal temperature and humidity.  Natural disaster control, including seismically braced racks where required and fire prevention and extinguishing systems.  Physical monitoring, including motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.  Worldwide Microsoft data center locations: The Microsoft Dynamics CRM Online service is deployed in Microsoft data centers that are located around the world, and offer geographically local hosting with global availability.  Secure network design and operations: The networks within the Microsoft data centers are designed to create multiple separate network segments within each data center. This segmentation helps to provide physical separation of critical, back-end servers and storage devices from the public-facing interfaces.  Exceptional hardware: The underlying hardware used in Microsoft data centers is specifically designed to operate as efficiently, effectively, and securely as possible. The hardware helps Microsoft eliminate unnecessary costs, save power and space consumption, and pass on these savings to Microsoft Dynamics CRM Online customers. Logical Security Logical security in Microsoft Dynamics CRM Online is just as important as physical security. In Microsoft Dynamics CRM Online, the following key features provide logical security.  Data isolation: Data storage and processing is logically segregated among customers. The multitenant security architecture ensures that customer data stored in shared Microsoft Dynamics CRM Online data centers is not accessible by or compromised to any other organization. Each tenant is provisioned their own database, which ensures isolation from other customer data. In addition, tenants are isolated from each other based on security boundaries which are enforced logically through the Microsoft Dynamics CRM Online middle tier.  Hosted applications security: Microsoft ensures that applications hosted by Microsoft data centers are highly protected by robust security features and security measures that control access, which are described in the following table. 6
Feature Description Customizable security roles Govern user access and the actions they can perform. Business data auditing Allow organizations to maintain an audit trail that demonstrates accountability from beginning to end. Field-level security Control the permission of users and teams to read, create, or write in a data field. Role-based forms Control the visibility of data for a specific record type. Note For guidelines and best practices associated with setting up these features in Microsoft Dynamics CRM Online, see the Microsoft Dynamics CRM Online Enterprise Planning Guide.  Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement the Microsoft Dynamics CRM Online service. Security Development Lifecycle helps to ensure that the service is highly secured—even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, the Security Development Lifecycle helps Microsoft to identify:  Potential threats while running a service.  Exposed aspects of the service that are open to attack. If potential threats are identified at Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting service or eliminating unnecessary functions. After eliminating unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase.  Secured Microsoft Dynamics CRM Online service infrastructure: Infrastructure-level security measures include:  Extensive server monitoring support integrated with the overall Microsoft System Center Operations Manager monitoring architecture.  Secure remote access via Microsoft Windows Server Remote Desktop Service.  Multi-tier administration, using a three-tier administration model that isolates administrative tasks and controls access based on user role and the level of authorized administrative access.  Environmental security scanning to monitor for vulnerabilities and incorrect configuration. 7
 Intrusion detection systems to provide continuous monitoring of all access to the Microsoft Dynamics CRM Online service. Sophisticated correlation engines analyze this data to immediately alert staff of any “suspicious” connection attempts.  Security standards for operating systems to help protect the Microsoft Dynamics CRM Online service from attack by malicious users or malicious code, including disabling nonessential services, securing file shares to require authorization, and implementing the Data Execution Prevention (DEP) feature. DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running.  Systems management and access control using Active Directory. Active Directory manages networks and component servers that run the Microsoft Dynamics CRM Online service. Applications that provide the online service are designed to operate efficiently and effectively within the Active Directory environment.  Central management of security policies. The Microsoft staff manages and enforces security policies centrally from secured servers that are dedicated to controlling and monitoring network-wide systems. A delegated management model enables administrators to have only the access they need to perform specific tasks, reducing the potential for error and allowing access to systems and functions strictly on an as-needed basis.  New servers can be quickly and safely configured, and template-based server hardening ensures that new capacity is brought online with security measures already in place.  Network-level security measures: These measures include features related to providing a highly secured connection over the Internet:  Customer access to service provided over the Internet originates from users’ Internet- enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS) /Secure Sockets Layer (SSL), which effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and data center.  A redundant network provides full failover capability and helps ensure 99.9 percent network availability.  All remote connections by Microsoft operations personnel must be made via Remote Desktop Service and two-factor authentication.  Identity and access management: Access to the systems hosting the Microsoft Dynamics CRM Online service is controlled through the following methods:  Staff-level access control: Data center staff’s access to the IT systems that store customer data is strictly controlled. Access control follows the separation of duties principle and granting least privilege.  Proactive host security: Microsoft Dynamics CRM Online security is enhanced by proactively securing the host system.  Server hardening by disabling unnecessary service  Logging and auditing  Restricted access to service: 8
 Content inspection  Hardened servers  Sessions better protected by SSL/TLS Note Mobile device access depends on wireless capability or mobile network availability.  Federated identity and single sign-on: With on-premises Active Directory, administrators can use single sign-on for Microsoft Dynamics CRM Online service authentication. To achieve this, administrators can configure on-premises Active Directory Federation Services—a Windows Server 2008 service—to federate with the Office 365 services federation gateway. After Active Directory Federation Services is configured, all Microsoft Dynamics CRM Online users whose identities are based on the federated domain can use their existing corporate logon to automatically authenticate to Microsoft Dynamics CRM Online. Note For more information about federated identity and single sign-on, see the Office 365 Identity Service Description, which is one of the Office 365 for Enterprise Service Descriptions. Delivering Reliable Service To ensure the reliability of the Microsoft Dynamics CRM Online service, Microsoft focuses on effective deployment, administration, and maintenance.  Operations management and service deployment: Operations is a key component of the Microsoft Dynamics CRM Online service and is central to overall security and availability. Operations management practices for Microsoft Dynamics CRM Online (for example, change management, incident and problem management) are based upon industry-standard principles of the Information Technology Infrastructure Library (ITIL). Microsoft has added the Microsoft Operations Framework (MOF)—a standardized implementation of ITIL recommendations—which provides an integrated set of best practices, principles, and activities that help organizations achieve reliability for their IT solutions and service.  Microsoft Dynamics CRM Online maintains a dedicated security organization that is focused on constant security vigilance, with a staff that follows the principles defined in MOF. The security team adheres to the following functions defined by ITIL and applies them to the operation of the Microsoft Dynamics CRM Online service:  Change management  Incident management  Problem management In addition, the Microsoft Dynamics CRM Online service requires distinct hosted service development, deployment, and operations staff to adhere to the principle of segregation of duty. This includes controlling access to the source code, build servers, and production environment. For example: 9
 Access to the Microsoft Dynamics CRM Online service production environment is restricted to operations personnel. Development and test teams may be granted temporary access to help troubleshoot issues.  Access to the Microsoft Dynamics CRM Online service source code control is restricted to development personnel; operations personnel cannot change source code.  Monitoring and risk reduction: Microsoft makes significant investments in developing tools and services for monitoring Microsoft Dynamics CRM Online and its environment.  Microsoft System Center Operations Manager: Servers within the Microsoft Dynamics CRM Online service environment are configured to maximize the reporting of security events from the operating system and applications. The Microsoft Dynamics CRM Online service operations team uses the latest technology and optimized processes to harvest, correlate, and analyze information as it is received. System Center Operations Manager is an end-to-end service management environment that integrates with platform and service hardware and software to provide continuous health monitoring. System Center Operations Manager management packs provide internal transaction monitoring, capabilities for looking at service threshold models, and CPU utilization analysis that is tailored to the Microsoft Dynamics CRM Online service applications. In addition, custom management packs are layered above the Microsoft Dynamics CRM Online platform to provide operations staff with very specific information that helps identify trends and predict behavior that may require proactive intervention.  Integrated infrastructure and web performance monitoring: System Center Operations Manager data is combined with feeds from additional specialized tools and service to capture, aggregate, and analyze the network that operates Microsoft Dynamics CRM Online service as well as the behavior of key sites on the Internet. For example, if connectivity begins to degrade, staff can identify whether the problem is internal to the Microsoft Dynamics CRM Online service or caused by conditions on the Internet that may represent a risk to Microsoft Dynamics CRM Online customers.  Hardware and software subsystems monitoring: Proactive monitoring continuously measures the performance of key subsystems of the Microsoft Dynamics CRM Online service platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event. Some specific thresholds are described in the following table. 10
Threshold Description CPU utilization When CPU utilization reaches 80 percent, a non-critical alert displays, and at 90 percent, a critical alert displays. Service utilization Various service components, including service licenses; capacity for email; and Microsoft SharePoint Online, are all monitored. Storage utilization When storage reserves are reduced to 15 percent, a non-critical alert displays, and at 7 percent, a critical alert displays. Network latency When network latency reaches 100 milliseconds, a non-critical alert displays, and at 300 milliseconds, a critical alert displays. Microsoft Dynamics CRM Online Service Continuity Service continuity management focuses on the ability to restore service for Microsoft Dynamics CRM Online customers in a predetermined timeframe during a critical service outage. Achieving restored service requires preparation, planning, technical implementation, exercises that simulate outages, and execution at the time of an incident. This section describes the common approach to service continuity management that is taken by Microsoft Dynamics CRM Online. It also explains how Microsoft Dynamics CRM Online ensures data availability and service reliability to customers. This section also explains how service continuity capabilities developed by Microsoft are integrated into the design of the Microsoft Dynamics CRM Online service. Service Continuity Management Microsoft Dynamics CRM Online is delivered by highly resilient systems that help to ensure high levels of service. Microsoft Dynamics CRM Online capitalizes on the experience that Microsoft has in hosting services as well as close ties to Microsoft product groups and support service to create a service that meets the high standards that customers demand. Part of the Microsoft Dynamics CRM Online system design, service continuity provisions enable Microsoft Dynamics CRM Online to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable). 11
Incident Classification Service outages may be caused by hardware or software failure in the Microsoft data center, a faulty network connection between the customer and Microsoft, or a major data center challenge such as fire, flood, or regional catastrophe. Most service outage incidents can be addressed using Microsoft technology and process solutions and are resolved within a short time. However, some incidents are more serious and can lead to long-term outages. To classify outage incidents, as minor, critical, and catastrophic events based on their impact to customers, Microsoft Dynamics CRM Online uses the Service Interruption Scale, which is shown in the following graphic: Catastrophic Outages and Declarations of Disaster Microsoft Dynamics CRM Online analyzes each incident that affects service availability to determine scope and possible solutions. Outages that cause customer work to stop may be considered catastrophic outages. In addition, outages that are classified as a critical or catastrophic event based on the Service Interruption Scale may be declared disasters. Important Declaration of a disaster does not automatically result in failover of a customer’s redundant secondary site. 12
The Service Health Dashboard Customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments are notified of service interruptions and via the Service health dashboard, which is shown in the following graphic: When an outage is declared a disaster, regular customer notifications are provided through the Service health dashboard (for customers managing their Microsoft Dynamics CRM Online subscription through the Microsoft online services portal) until a solution is found. Responsibilities during a Service Outage During a system outage, Microsoft’s responsibilities include:  Providing contact information in the form of a single email group alias and phone number so that the customer can engage appropriate personnel at the time of an event to review current status of the outage, disaster declaration criteria, and approval or disapproval of failing over to the secondary site.  Incorporating feedback from the customer to decide whether to fail over to the customer’s secondary site. Ensuring Data Availability Microsoft ensures customer data is available whenever it is needed, with the help of the following features of Microsoft Dynamics CRM Online service. Data Storage and Redundancy Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center. As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location. Data Monitoring and Maintenance 13
Along with the safeguards in place against avoiding data loss, Microsoft Dynamics CRM Online service policies help to maintain data performance levels.  Monitoring databases: Databases are regularly checked for blocked processes and long- running queries.  Preventative maintenance: Maintenance includes refreshing indexes, reviewing error logs, and monitoring storage capacity levels. Dedicated Support The Microsoft Dynamics CRM Online development and operations teams are complemented by a dedicated Microsoft Dynamics CRM Online support organization, which plays an important role in providing customers with business continuity. Support staff has a deep knowledge of the service and its associated applications as well as direct access to Microsoft experts in architecture, development, and testing. The support organization closely aligns with operations and product development, offers fast resolution times, and provides a channel for customers’ voices to be heard. Feedback from customers provides input to the planning, development, and operations processes.  Online issue tracking: Customers need to know that their issues are being addressed, and they need to be able to track timely resolution. For customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments, the portal serves as a single web-based interface for support. Customers can use the portal to add and monitor service requests and receive feedback from Microsoft support teams. Warning Customers not using the Microsoft online services portal can track and follow their issues via the CRM Resource Center link for support access.  Self-help, backed by continuous staff support: Microsoft Dynamics CRM Online offers a wide range of self-help resources and tools that can help customers to resolve service- related issues without requiring Microsoft support. Before customers enter service requests, they can access knowledge base articles and FAQs that provide immediate help with the most common problems. These resources are continually updated with the latest information, which helps avoid delays by providing solutions to known issues. However, when an issue arises that needs the help of a support professional staff members are available through online communication to cover most situations and by telephone for mission critical needs. Microsoft Dynamics CRM Online Compliance Microsoft has designed security, data protection, reliability, and privacy of the Microsoft Dynamics CRM Online service around high industry standards. Microsoft Dynamics CRM Online and the infrastructure on which it relies (Microsoft Global Foundation Services) employ security frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of standards and are ISO 27001 certified by independent auditors. Our ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance against which we are certified. 14
BSI auditing professionals are bound by professional ethics to provide an unbiased, third-party analysis of Microsoft Dynamics CRM Online compliance. To make this evaluation, they observe routine operations, interview relevant personnel, and review documentation in each of the areas covered in the Statement of Applicability (SOA). ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, both the service and the infrastructure undergo yearly SAS 70 (or successor SSAE16) assessments. The Microsoft Online Service Information Security Policy, applicable to Microsoft Dynamics CRM Online, aligns with International Organization for Standards ISO 27002 augmented with requirements specific to online service. The ISO 27001 certification which Microsoft has received is supplemented by ISO 27002, which provides a suggested set of suitable controls. Microsoft Dynamics CRM Online customers can review the ISO standard and published Microsoft service documentation to determine whether their security requirements are satisfied. Microsoft Dynamics CRM Online features enhanced security for most types of data and jurisdictions. Warning For more information about how Microsoft Dynamics CRM Online fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, see the white paper Standard Response to Request for Information – Security and Privacy. However, customers must evaluate sensitive data, or data that must be held to a certain level of security or under applicable regulations, for use through the service offering. In some instances, the data may require a specific security requirement that Microsoft does not provide. Support for Leading Industry Certifications Microsoft was first certified for Safe Harbor in 2001, and the LCA Regulatory Affairs team recertifies compliance with the Safe Harbor Principles every 12 months. In addition to EU Member States, members of the European Economic Area (Iceland, Norway, and Liechtenstein) also recognize Safe Harbor members as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (Swiss-U.S. Safe Harbor) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified. Several other countries, such as Canada and Argentina, have passed comprehensive privacy laws and the EU has cleared them for data transfer from the EU to those countries.  EU Model Clauses*. In addition to EU Safe Harbor, Microsoft Dynamics CRM Online is willing to sign the standard contractual clauses created by the European Union (called the “EU Model Clauses”), which address international transfer of data.  HIPAA-Business Associate Agreement*. Microsoft Dynamics CRM Online is also willing to sign requirements for the HIPAA-Business Associate Agreement with all customers. HIPAA is a U.S. law that applies to healthcare entities such as doctor’s offices, which the law calls “covered entities.” HIPAA governs the use, disclosure and safeguarding of protected health 15
information (PHI), and imposes requirements on covered entities to sign business associate agreements with their vendors that use and disclose PHI.  Data Processing Agreement*. Microsoft offers customers a comprehensive standard Data Processing Agreement that addresses privacy, security and handling of Customer Data. Our standard Data Processing Agreement enables customers to comply with their local regulations. *Applicable to Microsoft Dynamics CRM Online customers who manage their Online Services through the Microsoft online services portal. Important For additional detail about Microsoft Dynamics CRM Online support for leading industry certifications, see the Microsoft Dynamics CRM Online Service Trust Center. The Gramm Leach Bliley Act (GLBA) sets minimum security and privacy requirements for financial institutions in the United States. Software/ service cannot claim to be “GLBA compliant” because GLBA compliance also requires procedures and policies. Two of the principal regulations under GLBA that affect Microsoft Dynamics CRM Online cloud service are: 1. Financial Privacy Rule: Governs the collection and disclosure of customers’ personal financial information by financial institutions. 2. Safeguards Rule: Requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions. Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One Payment Card Industry (PCI) Compliant, and customers can use credit cards to pay for the service with confidence. An independent third party audits and determines whether the commerce platform that supports Microsoft Dynamics CRM Online has satisfactorily met the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, or storing PCI-governed data. PCI-DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions via credit and debit cards are required to have a degree of compliance to the PCI standard. There is confusion in the marketplace around the impact of PCI DSS; many customers state that all data within their organizations requires PCI certification and compliance, and that the online service must also demonstrate compliance. While Microsoft does need to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Microsoft Dynamics CRM Online service to transmit or store PAN data for their own use. Note PCI compliance will only apply if Primary Account Number (PAN) is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the 16
transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data. Appendix A: Additional Resources For additional information related to Microsoft Dynamics CRM Online security and service continuity, see the following resources. Microsoft Dynamics CRM Online Microsoft Dynamics CRM Online Product Fact Sheet Microsoft Dynamics CRM Online Service Agreement Microsoft Dynamics CRM Online Service Level Agreement Support for Dynamics CRM Online Microsoft Dynamics CRM Online Resource Center Microsoft Dynamics CRM Online Service Description Microsoft Dynamics CRM Online Enterprise Planning Guide Security and Operations Microsoft® System Center Operations Manager 2007 System Center Operations Manager 2007 R2 SDK The Security Model of Microsoft Dynamics CRM Microsoft Trustworthy Computing Security Development Lifecycle Microsoft Safety and Security Center Feedback We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body. Note The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback. Send feedback (http://go.microsoft.com/fwlink/?LinkID=247619) 17

Recommended

Dynamics CRM Security Overview
Dynamics CRM Security OverviewDynamics CRM Security Overview
Dynamics CRM Security OverviewSteve Harf
 
Dynamics CRM Harsha PPT
Dynamics CRM Harsha PPTDynamics CRM Harsha PPT
Dynamics CRM Harsha PPTHarsha T
 
Customer Impact
Customer ImpactCustomer Impact
Customer ImpactNerea
 
Experience with Microsoft Dynamics CRM
Experience with Microsoft Dynamics CRMExperience with Microsoft Dynamics CRM
Experience with Microsoft Dynamics CRMNerea
 
The Connected Entreprise
The Connected EntrepriseThe Connected Entreprise
The Connected EntrepriseNerea
 
Citizen interaction and case management
Citizen interaction and case managementCitizen interaction and case management
Citizen interaction and case managementNerea
 
SharePoint 2010 Features
SharePoint 2010 FeaturesSharePoint 2010 Features
SharePoint 2010 FeaturesNerea
 
SharePoint 2012 tips & tricks
SharePoint 2012 tips & tricksSharePoint 2012 tips & tricks
SharePoint 2012 tips & tricksNerea
 

Recommended

Dynamics CRM Security Overview
Dynamics CRM Security OverviewDynamics CRM Security Overview
Dynamics CRM Security OverviewSteve Harf
 
Dynamics CRM Harsha PPT
Dynamics CRM Harsha PPTDynamics CRM Harsha PPT
Dynamics CRM Harsha PPTHarsha T
 
Customer Impact
Customer ImpactCustomer Impact
Customer ImpactNerea
 
Experience with Microsoft Dynamics CRM
Experience with Microsoft Dynamics CRMExperience with Microsoft Dynamics CRM
Experience with Microsoft Dynamics CRMNerea
 
The Connected Entreprise
The Connected EntrepriseThe Connected Entreprise
The Connected EntrepriseNerea
 
Citizen interaction and case management
Citizen interaction and case managementCitizen interaction and case management
Citizen interaction and case managementNerea
 
SharePoint 2010 Features
SharePoint 2010 FeaturesSharePoint 2010 Features
SharePoint 2010 FeaturesNerea
 
SharePoint 2012 tips & tricks
SharePoint 2012 tips & tricksSharePoint 2012 tips & tricks
SharePoint 2012 tips & tricksNerea
 
2010 Client and Server Integration
2010 Client and Server Integration2010 Client and Server Integration
2010 Client and Server IntegrationNerea
 
Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010Nerea
 
SharePoint 2010 evaluation Guide
SharePoint 2010 evaluation GuideSharePoint 2010 evaluation Guide
SharePoint 2010 evaluation GuideNerea
 
SharePoint Social Computing study
SharePoint Social Computing studySharePoint Social Computing study
SharePoint Social Computing studyNerea
 
Privacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM OnlinePrivacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM OnlineNerea
 
The Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud TransparencyThe Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud TransparencyNerea
 
Campaign Commander
Campaign CommanderCampaign Commander
Campaign CommanderNerea
 
TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)Nerea
 
Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011Nerea
 
Microsoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPadMicrosoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPadNerea
 
Social CRM
Social CRMSocial CRM
Social CRMNerea
 
Microsoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the lifeMicrosoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the lifeNerea
 
20 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 201120 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 2011Nerea
 
Microsoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCareMicrosoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCareNerea
 
Microsoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - ManufacturingMicrosoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - ManufacturingNerea
 
Microsoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local GovernmentMicrosoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local GovernmentNerea
 
Microsoft Dynamics CRM-Government
Microsoft Dynamics CRM-GovernmentMicrosoft Dynamics CRM-Government
Microsoft Dynamics CRM-GovernmentNerea
 
Microsoft Dynamics CRM for Education
Microsoft Dynamics CRM for EducationMicrosoft Dynamics CRM for Education
Microsoft Dynamics CRM for EducationNerea
 
Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!Nerea
 
Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011 Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011 Nerea
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

More Related Content

More from Nerea

2010 Client and Server Integration
2010 Client and Server Integration2010 Client and Server Integration
2010 Client and Server IntegrationNerea
 
Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010Nerea
 
SharePoint 2010 evaluation Guide
SharePoint 2010 evaluation GuideSharePoint 2010 evaluation Guide
SharePoint 2010 evaluation GuideNerea
 
SharePoint Social Computing study
SharePoint Social Computing studySharePoint Social Computing study
SharePoint Social Computing studyNerea
 
Privacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM OnlinePrivacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM OnlineNerea
 
The Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud TransparencyThe Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud TransparencyNerea
 
Campaign Commander
Campaign CommanderCampaign Commander
Campaign CommanderNerea
 
TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)Nerea
 
Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011Nerea
 
Microsoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPadMicrosoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPadNerea
 
Social CRM
Social CRMSocial CRM
Social CRMNerea
 
Microsoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the lifeMicrosoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the lifeNerea
 
20 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 201120 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 2011Nerea
 
Microsoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCareMicrosoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCareNerea
 
Microsoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - ManufacturingMicrosoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - ManufacturingNerea
 
Microsoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local GovernmentMicrosoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local GovernmentNerea
 
Microsoft Dynamics CRM-Government
Microsoft Dynamics CRM-GovernmentMicrosoft Dynamics CRM-Government
Microsoft Dynamics CRM-GovernmentNerea
 
Microsoft Dynamics CRM for Education
Microsoft Dynamics CRM for EducationMicrosoft Dynamics CRM for Education
Microsoft Dynamics CRM for EducationNerea
 
Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!Nerea
 
Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011 Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011 Nerea
 

More from Nerea (20)

2010 Client and Server Integration
2010 Client and Server Integration2010 Client and Server Integration
2010 Client and Server Integration
 
Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010Office 2010 and SharePoint 2010
Office 2010 and SharePoint 2010
 
SharePoint 2010 evaluation Guide
SharePoint 2010 evaluation GuideSharePoint 2010 evaluation Guide
SharePoint 2010 evaluation Guide
 
SharePoint Social Computing study
SharePoint Social Computing studySharePoint Social Computing study
SharePoint Social Computing study
 
Privacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM OnlinePrivacy in the Public Cloud: Microsoft Dynamics CRM Online
Privacy in the Public Cloud: Microsoft Dynamics CRM Online
 
The Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud TransparencyThe Microsoft approach to Cloud Transparency
The Microsoft approach to Cloud Transparency
 
Campaign Commander
Campaign CommanderCampaign Commander
Campaign Commander
 
TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)TARGIT BI Suite (fact sheet)
TARGIT BI Suite (fact sheet)
 
Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011Event management in Microsoft Dynamics CRM 2011
Event management in Microsoft Dynamics CRM 2011
 
Microsoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPadMicrosoft Dynamics CRM dashboards on iPad
Microsoft Dynamics CRM dashboards on iPad
 
Social CRM
Social CRMSocial CRM
Social CRM
 
Microsoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the lifeMicrosoft dynamics crm 2011 a day in the life
Microsoft dynamics crm 2011 a day in the life
 
20 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 201120 reasons to upgrade to microsoft dynamics crm 2011
20 reasons to upgrade to microsoft dynamics crm 2011
 
Microsoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCareMicrosoft Dynamics CRM HealthCare
Microsoft Dynamics CRM HealthCare
 
Microsoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - ManufacturingMicrosoft Dynamics CRM - Manufacturing
Microsoft Dynamics CRM - Manufacturing
 
Microsoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local GovernmentMicrosoft Dynamics CRM - State Local Government
Microsoft Dynamics CRM - State Local Government
 
Microsoft Dynamics CRM-Government
Microsoft Dynamics CRM-GovernmentMicrosoft Dynamics CRM-Government
Microsoft Dynamics CRM-Government
 
Microsoft Dynamics CRM for Education
Microsoft Dynamics CRM for EducationMicrosoft Dynamics CRM for Education
Microsoft Dynamics CRM for Education
 
Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!Microsoft Dynamics CRM for Education!
Microsoft Dynamics CRM for Education!
 
Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011 Total Economic Impact of Microsoft Dynamics CRM 2011
Total Economic Impact of Microsoft Dynamics CRM 2011
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Microsoft Dynamics CRM Online Security and Service Continutity

  • 1. Microsoft Dynamics CRM Online Security and Service Continuity Guide Microsoft Corporation Published July 2012 Abstract This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program.
  • 2. This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Hyper-V, Internet Explorer, Microsoft Dynamics, Microsoft Dynamics logo, MSDN, Outlook, Notepad, SharePoint, Silverlight, Visual C++, Windows, Windows Azure, Windows Live, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
  • 3. Contents Microsoft Dynamics CRM Online Security and Service Continuity Guide....................................... 4 Applies To .................................................................................................................................... 4 Introduction ................................................................................................................................... 4 Microsoft Dynamics CRM Online Security ................................................................................... 5 Securing the Microsoft Dynamics CRM Service ....................................................................... 5 Physical Security....................................................................................................................... 5 Logical Security......................................................................................................................... 6 Delivering Reliable Service ....................................................................................................... 9 Microsoft Dynamics CRM Online Service Continuity ................................................................. 11 Service Continuity Management ............................................................................................. 11 Incident Classification .......................................................................................................... 12 Catastrophic Outages and Declarations of Disaster ........................................................... 12 The Service Health Dashboard ........................................................................................ 13 Microsoft Dynamics CRM Online Compliance ........................................................................... 14 Support for Leading Industry Certifications ............................................................................ 15 Appendix A: Additional Resources ............................................................................................. 17 Microsoft Dynamics CRM Online ............................................................................................ 17 Security and Operations ......................................................................................................... 17 Feedback .................................................................................................................................... 17
  • 4. Microsoft Dynamics CRM Online Security and Service Continuity Guide Published: July 2012 Applies To  Microsoft Dynamics CRM Online In this White Paper  Introduction  Microsoft Dynamics CRM Online Security  Microsoft Dynamics CRM Online Service Continuity  Microsoft Dynamics CRM Online Compliance  Appendix A: Additional Resources Introduction This section introduces the purpose and scope of the information provided in this paper. Purpose Microsoft Dynamics CRM Online delivers the power of cloud productivity to businesses of all sizes, helping customers save time and money and free up valued resources. Microsoft understands that when customers allow an external service provider to store and manage their data, key considerations include security, data protection, privacy, and data ownership. Microsoft takes these concerns seriously and has applied its years of cloud and on-premises experience with security and privacy to the Microsoft Dynamics CRM Online service. Scope This service description describes the security, continuity, and compliance policies and controls for the Microsoft Dynamics CRM Online service offering. The document is intended to provide Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics CRM Online service is designed to provide a high degree of security, continuity, and compliance—service goals that are derived from the Microsoft Risk Management program. Download This paper can be downloaded from the Microsoft Download Center: Microsoft Dynamics CRM Online Security and Service Continuity Guide. 4
  • 5. Microsoft Dynamics CRM Online Security The security architecture of Microsoft Dynamics CRM Online has been designed using key principles of the Microsoft Trustworthy Computing initiative. To ensure that customer data is highly safeguarded from risks and threats, Microsoft applies a common set of security policies to the Microsoft Dynamics CRM Online service through the Microsoft security program. The Microsoft Dynamics CRM Online service operates in compliance with these security policies and relevant industry standards. Microsoft is committed to continually improving and evolving the Microsoft Dynamics CRM Online service to ensure that customers are highly protected from current and future threats. This section describes how Microsoft protects customers’ business data and delivers the Microsoft Dynamics CRM Online service securely and reliably. Securing the Microsoft Dynamics CRM Service Microsoft helps comprehensively secure the Microsoft Dynamics CRM Online service by applying the Trustworthy Computing approach, which ensures that the security of the Microsoft Dynamics CRM Online service is vigilantly maintained, regularly enhanced, and routinely verified through testing. Note For more information about Trustworthy Computing, see the page Foundations of Trustworthy Computing. The Trustworthy Computing approach provides protection at multiple levels:  Physical layers at data centers: Physical controls, video surveillance, access control.  Logical layers: Data isolation, hosted applications security, infrastructure service, network level, identity and access management, federated identity and single sign-on. Physical Security Microsoft ensures that the environment in which the Microsoft Dynamics CRM Online customer’s data is stored is physically secured by controlling accessibility through multiple security checks. These physical security checks are applied at multiple levels in the Microsoft data centers, and the Microsoft Dynamics CRM Online service is delivered through carrier-class data centers that ensure consistent delivery according to the service-level agreement (SLA). These data centers include the following industry-standard features:  Secure physical access for authorized personnel only: Access is restricted by job function so that only essential personnel receive authorization to manage customers’ applications and service. Physical access authorization utilizes multiple authentication and security processes: badge and smartcard, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication for physical access to the data center environment. 5
  • 6.  Redundant power supplies, including two separate power feeds into each data center, battery backup, and diesel generators (with alternative fuel delivery contracts in place).  Climate control to ensure that equipment runs at optimal temperature and humidity.  Natural disaster control, including seismically braced racks where required and fire prevention and extinguishing systems.  Physical monitoring, including motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.  Worldwide Microsoft data center locations: The Microsoft Dynamics CRM Online service is deployed in Microsoft data centers that are located around the world, and offer geographically local hosting with global availability.  Secure network design and operations: The networks within the Microsoft data centers are designed to create multiple separate network segments within each data center. This segmentation helps to provide physical separation of critical, back-end servers and storage devices from the public-facing interfaces.  Exceptional hardware: The underlying hardware used in Microsoft data centers is specifically designed to operate as efficiently, effectively, and securely as possible. The hardware helps Microsoft eliminate unnecessary costs, save power and space consumption, and pass on these savings to Microsoft Dynamics CRM Online customers. Logical Security Logical security in Microsoft Dynamics CRM Online is just as important as physical security. In Microsoft Dynamics CRM Online, the following key features provide logical security.  Data isolation: Data storage and processing is logically segregated among customers. The multitenant security architecture ensures that customer data stored in shared Microsoft Dynamics CRM Online data centers is not accessible by or compromised to any other organization. Each tenant is provisioned their own database, which ensures isolation from other customer data. In addition, tenants are isolated from each other based on security boundaries which are enforced logically through the Microsoft Dynamics CRM Online middle tier.  Hosted applications security: Microsoft ensures that applications hosted by Microsoft data centers are highly protected by robust security features and security measures that control access, which are described in the following table. 6
  • 7. Feature Description Customizable security roles Govern user access and the actions they can perform. Business data auditing Allow organizations to maintain an audit trail that demonstrates accountability from beginning to end. Field-level security Control the permission of users and teams to read, create, or write in a data field. Role-based forms Control the visibility of data for a specific record type. Note For guidelines and best practices associated with setting up these features in Microsoft Dynamics CRM Online, see the Microsoft Dynamics CRM Online Enterprise Planning Guide.  Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a software security assurance process, to design, develop, and implement the Microsoft Dynamics CRM Online service. Security Development Lifecycle helps to ensure that the service is highly secured—even at the foundation level. Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat Modeling, the Security Development Lifecycle helps Microsoft to identify:  Potential threats while running a service.  Exposed aspects of the service that are open to attack. If potential threats are identified at Design, Development, or Implementation phases, Microsoft can minimize the probability of attacks by restricting service or eliminating unnecessary functions. After eliminating unnecessary functions, Microsoft reduces these potential threats in the Verification phase by fully testing the controls in the Design phase.  Secured Microsoft Dynamics CRM Online service infrastructure: Infrastructure-level security measures include:  Extensive server monitoring support integrated with the overall Microsoft System Center Operations Manager monitoring architecture.  Secure remote access via Microsoft Windows Server Remote Desktop Service.  Multi-tier administration, using a three-tier administration model that isolates administrative tasks and controls access based on user role and the level of authorized administrative access.  Environmental security scanning to monitor for vulnerabilities and incorrect configuration. 7
  • 8.  Intrusion detection systems to provide continuous monitoring of all access to the Microsoft Dynamics CRM Online service. Sophisticated correlation engines analyze this data to immediately alert staff of any “suspicious” connection attempts.  Security standards for operating systems to help protect the Microsoft Dynamics CRM Online service from attack by malicious users or malicious code, including disabling nonessential services, securing file shares to require authorization, and implementing the Data Execution Prevention (DEP) feature. DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running.  Systems management and access control using Active Directory. Active Directory manages networks and component servers that run the Microsoft Dynamics CRM Online service. Applications that provide the online service are designed to operate efficiently and effectively within the Active Directory environment.  Central management of security policies. The Microsoft staff manages and enforces security policies centrally from secured servers that are dedicated to controlling and monitoring network-wide systems. A delegated management model enables administrators to have only the access they need to perform specific tasks, reducing the potential for error and allowing access to systems and functions strictly on an as-needed basis.  New servers can be quickly and safely configured, and template-based server hardening ensures that new capacity is brought online with security measures already in place.  Network-level security measures: These measures include features related to providing a highly secured connection over the Internet:  Customer access to service provided over the Internet originates from users’ Internet- enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS) /Secure Sockets Layer (SSL), which effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and data center.  A redundant network provides full failover capability and helps ensure 99.9 percent network availability.  All remote connections by Microsoft operations personnel must be made via Remote Desktop Service and two-factor authentication.  Identity and access management: Access to the systems hosting the Microsoft Dynamics CRM Online service is controlled through the following methods:  Staff-level access control: Data center staff’s access to the IT systems that store customer data is strictly controlled. Access control follows the separation of duties principle and granting least privilege.  Proactive host security: Microsoft Dynamics CRM Online security is enhanced by proactively securing the host system.  Server hardening by disabling unnecessary service  Logging and auditing  Restricted access to service: 8
  • 9.  Content inspection  Hardened servers  Sessions better protected by SSL/TLS Note Mobile device access depends on wireless capability or mobile network availability.  Federated identity and single sign-on: With on-premises Active Directory, administrators can use single sign-on for Microsoft Dynamics CRM Online service authentication. To achieve this, administrators can configure on-premises Active Directory Federation Services—a Windows Server 2008 service—to federate with the Office 365 services federation gateway. After Active Directory Federation Services is configured, all Microsoft Dynamics CRM Online users whose identities are based on the federated domain can use their existing corporate logon to automatically authenticate to Microsoft Dynamics CRM Online. Note For more information about federated identity and single sign-on, see the Office 365 Identity Service Description, which is one of the Office 365 for Enterprise Service Descriptions. Delivering Reliable Service To ensure the reliability of the Microsoft Dynamics CRM Online service, Microsoft focuses on effective deployment, administration, and maintenance.  Operations management and service deployment: Operations is a key component of the Microsoft Dynamics CRM Online service and is central to overall security and availability. Operations management practices for Microsoft Dynamics CRM Online (for example, change management, incident and problem management) are based upon industry-standard principles of the Information Technology Infrastructure Library (ITIL). Microsoft has added the Microsoft Operations Framework (MOF)—a standardized implementation of ITIL recommendations—which provides an integrated set of best practices, principles, and activities that help organizations achieve reliability for their IT solutions and service.  Microsoft Dynamics CRM Online maintains a dedicated security organization that is focused on constant security vigilance, with a staff that follows the principles defined in MOF. The security team adheres to the following functions defined by ITIL and applies them to the operation of the Microsoft Dynamics CRM Online service:  Change management  Incident management  Problem management In addition, the Microsoft Dynamics CRM Online service requires distinct hosted service development, deployment, and operations staff to adhere to the principle of segregation of duty. This includes controlling access to the source code, build servers, and production environment. For example: 9
  • 10.  Access to the Microsoft Dynamics CRM Online service production environment is restricted to operations personnel. Development and test teams may be granted temporary access to help troubleshoot issues.  Access to the Microsoft Dynamics CRM Online service source code control is restricted to development personnel; operations personnel cannot change source code.  Monitoring and risk reduction: Microsoft makes significant investments in developing tools and services for monitoring Microsoft Dynamics CRM Online and its environment.  Microsoft System Center Operations Manager: Servers within the Microsoft Dynamics CRM Online service environment are configured to maximize the reporting of security events from the operating system and applications. The Microsoft Dynamics CRM Online service operations team uses the latest technology and optimized processes to harvest, correlate, and analyze information as it is received. System Center Operations Manager is an end-to-end service management environment that integrates with platform and service hardware and software to provide continuous health monitoring. System Center Operations Manager management packs provide internal transaction monitoring, capabilities for looking at service threshold models, and CPU utilization analysis that is tailored to the Microsoft Dynamics CRM Online service applications. In addition, custom management packs are layered above the Microsoft Dynamics CRM Online platform to provide operations staff with very specific information that helps identify trends and predict behavior that may require proactive intervention.  Integrated infrastructure and web performance monitoring: System Center Operations Manager data is combined with feeds from additional specialized tools and service to capture, aggregate, and analyze the network that operates Microsoft Dynamics CRM Online service as well as the behavior of key sites on the Internet. For example, if connectivity begins to degrade, staff can identify whether the problem is internal to the Microsoft Dynamics CRM Online service or caused by conditions on the Internet that may represent a risk to Microsoft Dynamics CRM Online customers.  Hardware and software subsystems monitoring: Proactive monitoring continuously measures the performance of key subsystems of the Microsoft Dynamics CRM Online service platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event. Some specific thresholds are described in the following table. 10
  • 11. Threshold Description CPU utilization When CPU utilization reaches 80 percent, a non-critical alert displays, and at 90 percent, a critical alert displays. Service utilization Various service components, including service licenses; capacity for email; and Microsoft SharePoint Online, are all monitored. Storage utilization When storage reserves are reduced to 15 percent, a non-critical alert displays, and at 7 percent, a critical alert displays. Network latency When network latency reaches 100 milliseconds, a non-critical alert displays, and at 300 milliseconds, a critical alert displays. Microsoft Dynamics CRM Online Service Continuity Service continuity management focuses on the ability to restore service for Microsoft Dynamics CRM Online customers in a predetermined timeframe during a critical service outage. Achieving restored service requires preparation, planning, technical implementation, exercises that simulate outages, and execution at the time of an incident. This section describes the common approach to service continuity management that is taken by Microsoft Dynamics CRM Online. It also explains how Microsoft Dynamics CRM Online ensures data availability and service reliability to customers. This section also explains how service continuity capabilities developed by Microsoft are integrated into the design of the Microsoft Dynamics CRM Online service. Service Continuity Management Microsoft Dynamics CRM Online is delivered by highly resilient systems that help to ensure high levels of service. Microsoft Dynamics CRM Online capitalizes on the experience that Microsoft has in hosting services as well as close ties to Microsoft product groups and support service to create a service that meets the high standards that customers demand. Part of the Microsoft Dynamics CRM Online system design, service continuity provisions enable Microsoft Dynamics CRM Online to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or a fire within a Microsoft data center that renders the entire data center inoperable). 11
  • 12. Incident Classification Service outages may be caused by hardware or software failure in the Microsoft data center, a faulty network connection between the customer and Microsoft, or a major data center challenge such as fire, flood, or regional catastrophe. Most service outage incidents can be addressed using Microsoft technology and process solutions and are resolved within a short time. However, some incidents are more serious and can lead to long-term outages. To classify outage incidents, as minor, critical, and catastrophic events based on their impact to customers, Microsoft Dynamics CRM Online uses the Service Interruption Scale, which is shown in the following graphic: Catastrophic Outages and Declarations of Disaster Microsoft Dynamics CRM Online analyzes each incident that affects service availability to determine scope and possible solutions. Outages that cause customer work to stop may be considered catastrophic outages. In addition, outages that are classified as a critical or catastrophic event based on the Service Interruption Scale may be declared disasters. Important Declaration of a disaster does not automatically result in failover of a customer’s redundant secondary site. 12
  • 13. The Service Health Dashboard Customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments are notified of service interruptions and via the Service health dashboard, which is shown in the following graphic: When an outage is declared a disaster, regular customer notifications are provided through the Service health dashboard (for customers managing their Microsoft Dynamics CRM Online subscription through the Microsoft online services portal) until a solution is found. Responsibilities during a Service Outage During a system outage, Microsoft’s responsibilities include:  Providing contact information in the form of a single email group alias and phone number so that the customer can engage appropriate personnel at the time of an event to review current status of the outage, disaster declaration criteria, and approval or disapproval of failing over to the secondary site.  Incorporating feedback from the customer to decide whether to fail over to the customer’s secondary site. Ensuring Data Availability Microsoft ensures customer data is available whenever it is needed, with the help of the following features of Microsoft Dynamics CRM Online service. Data Storage and Redundancy Customers’ data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center. As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location. Data Monitoring and Maintenance 13
  • 14. Along with the safeguards in place against avoiding data loss, Microsoft Dynamics CRM Online service policies help to maintain data performance levels.  Monitoring databases: Databases are regularly checked for blocked processes and long- running queries.  Preventative maintenance: Maintenance includes refreshing indexes, reviewing error logs, and monitoring storage capacity levels. Dedicated Support The Microsoft Dynamics CRM Online development and operations teams are complemented by a dedicated Microsoft Dynamics CRM Online support organization, which plays an important role in providing customers with business continuity. Support staff has a deep knowledge of the service and its associated applications as well as direct access to Microsoft experts in architecture, development, and testing. The support organization closely aligns with operations and product development, offers fast resolution times, and provides a channel for customers’ voices to be heard. Feedback from customers provides input to the planning, development, and operations processes.  Online issue tracking: Customers need to know that their issues are being addressed, and they need to be able to track timely resolution. For customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM Online deployments, the portal serves as a single web-based interface for support. Customers can use the portal to add and monitor service requests and receive feedback from Microsoft support teams. Warning Customers not using the Microsoft online services portal can track and follow their issues via the CRM Resource Center link for support access.  Self-help, backed by continuous staff support: Microsoft Dynamics CRM Online offers a wide range of self-help resources and tools that can help customers to resolve service- related issues without requiring Microsoft support. Before customers enter service requests, they can access knowledge base articles and FAQs that provide immediate help with the most common problems. These resources are continually updated with the latest information, which helps avoid delays by providing solutions to known issues. However, when an issue arises that needs the help of a support professional staff members are available through online communication to cover most situations and by telephone for mission critical needs. Microsoft Dynamics CRM Online Compliance Microsoft has designed security, data protection, reliability, and privacy of the Microsoft Dynamics CRM Online service around high industry standards. Microsoft Dynamics CRM Online and the infrastructure on which it relies (Microsoft Global Foundation Services) employ security frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of standards and are ISO 27001 certified by independent auditors. Our ISO 27001 certifications enable customers to evaluate how Microsoft meets or exceeds the standards and implementation guidance against which we are certified. 14
  • 15. BSI auditing professionals are bound by professional ethics to provide an unbiased, third-party analysis of Microsoft Dynamics CRM Online compliance. To make this evaluation, they observe routine operations, interview relevant personnel, and review documentation in each of the areas covered in the Statement of Applicability (SOA). ISO 27001 defines how to implement, monitor, maintain, and continually improve the Information Security Management System (ISMS). In addition, both the service and the infrastructure undergo yearly SAS 70 (or successor SSAE16) assessments. The Microsoft Online Service Information Security Policy, applicable to Microsoft Dynamics CRM Online, aligns with International Organization for Standards ISO 27002 augmented with requirements specific to online service. The ISO 27001 certification which Microsoft has received is supplemented by ISO 27002, which provides a suggested set of suitable controls. Microsoft Dynamics CRM Online customers can review the ISO standard and published Microsoft service documentation to determine whether their security requirements are satisfied. Microsoft Dynamics CRM Online features enhanced security for most types of data and jurisdictions. Warning For more information about how Microsoft Dynamics CRM Online fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, see the white paper Standard Response to Request for Information – Security and Privacy. However, customers must evaluate sensitive data, or data that must be held to a certain level of security or under applicable regulations, for use through the service offering. In some instances, the data may require a specific security requirement that Microsoft does not provide. Support for Leading Industry Certifications Microsoft was first certified for Safe Harbor in 2001, and the LCA Regulatory Affairs team recertifies compliance with the Safe Harbor Principles every 12 months. In addition to EU Member States, members of the European Economic Area (Iceland, Norway, and Liechtenstein) also recognize Safe Harbor members as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (Swiss-U.S. Safe Harbor) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified. Several other countries, such as Canada and Argentina, have passed comprehensive privacy laws and the EU has cleared them for data transfer from the EU to those countries.  EU Model Clauses*. In addition to EU Safe Harbor, Microsoft Dynamics CRM Online is willing to sign the standard contractual clauses created by the European Union (called the “EU Model Clauses”), which address international transfer of data.  HIPAA-Business Associate Agreement*. Microsoft Dynamics CRM Online is also willing to sign requirements for the HIPAA-Business Associate Agreement with all customers. HIPAA is a U.S. law that applies to healthcare entities such as doctor’s offices, which the law calls “covered entities.” HIPAA governs the use, disclosure and safeguarding of protected health 15
  • 16. information (PHI), and imposes requirements on covered entities to sign business associate agreements with their vendors that use and disclose PHI.  Data Processing Agreement*. Microsoft offers customers a comprehensive standard Data Processing Agreement that addresses privacy, security and handling of Customer Data. Our standard Data Processing Agreement enables customers to comply with their local regulations. *Applicable to Microsoft Dynamics CRM Online customers who manage their Online Services through the Microsoft online services portal. Important For additional detail about Microsoft Dynamics CRM Online support for leading industry certifications, see the Microsoft Dynamics CRM Online Service Trust Center. The Gramm Leach Bliley Act (GLBA) sets minimum security and privacy requirements for financial institutions in the United States. Software/ service cannot claim to be “GLBA compliant” because GLBA compliance also requires procedures and policies. Two of the principal regulations under GLBA that affect Microsoft Dynamics CRM Online cloud service are: 1. Financial Privacy Rule: Governs the collection and disclosure of customers’ personal financial information by financial institutions. 2. Safeguards Rule: Requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions. Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One Payment Card Industry (PCI) Compliant, and customers can use credit cards to pay for the service with confidence. An independent third party audits and determines whether the commerce platform that supports Microsoft Dynamics CRM Online has satisfactorily met the Payment Card Industry Data Security Standard (PCI DSS) version 1.2. The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, or storing PCI-governed data. PCI-DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions via credit and debit cards are required to have a degree of compliance to the PCI standard. There is confusion in the marketplace around the impact of PCI DSS; many customers state that all data within their organizations requires PCI certification and compliance, and that the online service must also demonstrate compliance. While Microsoft does need to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Microsoft Dynamics CRM Online service to transmit or store PAN data for their own use. Note PCI compliance will only apply if Primary Account Number (PAN) is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the 16
  • 17. transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data. Appendix A: Additional Resources For additional information related to Microsoft Dynamics CRM Online security and service continuity, see the following resources. Microsoft Dynamics CRM Online Microsoft Dynamics CRM Online Product Fact Sheet Microsoft Dynamics CRM Online Service Agreement Microsoft Dynamics CRM Online Service Level Agreement Support for Dynamics CRM Online Microsoft Dynamics CRM Online Resource Center Microsoft Dynamics CRM Online Service Description Microsoft Dynamics CRM Online Enterprise Planning Guide Security and Operations Microsoft® System Center Operations Manager 2007 System Center Operations Manager 2007 R2 SDK The Security Model of Microsoft Dynamics CRM Microsoft Trustworthy Computing Security Development Lifecycle Microsoft Safety and Security Center Feedback We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body. Note The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback. Send feedback (http://go.microsoft.com/fwlink/?LinkID=247619) 17