IT Governance & Law Assessment
Abstract
Keywords: Cloud Computing, SaaS CRM, On-Premise CRM, Total Cost of Ownership
Introduction
Smart Stock Brokers Inc. is a registered investment broker firm that provides stock
brokerage services to customers in the UK online. The company has 25 employees
and serves more than 2000 customers. As the CIO of this company, I am responsible
for the IT system which supports the online brokerage services of the firm. Currently
the system provides secure links for our customers to be able to log on to our online
brokerage application, and then to various stock trading exchanges in London.
Being a financial institution, Smart Stock Brokers Inc. requires accurate and up-to-date knowledge of its customers; hence we hold our Know Your Customer (KYC) details on a file server in the network. This has recently been identified as a critical security risk, since only three employees need to access this data and access should be restricted accordingly. The data nevertheless needs to be integrated with our business systems to reduce operational errors.
In this assessment, I am tasked with conducting a study with the aim of producing a recommendation for the new CRM system to be acquired. This new CRM can either be installed in the cloud (SaaS CRM) or installed locally on one of the company servers (On-Premise CRM). This report critically compares the two options and closes with a recommendation between them.
- Recording and accessing of customer profiles: this includes the personal details and investment objectives of customers.
- The CRM system can provide access to detailed customer cash and stock positions, account summaries, portfolios and trading performance.
- It can provide easy support for storage and accessibility of KYC data. This ensures the company is in compliance with regulatory requirements.
- It provides users with a rich and easy-to-use user interface. The CRM can integrate with other existing systems in the company to give users a means of reaching out to customers through telephony, email or SMS when the need arises.
- It provides a mechanism for alerts to be sent to the system support team in case customers experience problems with the portal when doing their trades.
- The CRM can use historical data to identify loyal customers who can be given special promotional packages, etc.
There are a number of benefits a company gains by opting for a SaaS CRM over an On-Premise CRM. A SaaS CRM is usually a web-based application hosted by a cloud service provider. It is purchased on a monthly subscription basis and is available whenever needed. CRM configuration and maintenance are included in the subscription, which means the SaaS provider is responsible for its upkeep.
In some cases the CRM vendor is responsible for configuring and managing the CRM software while another company provides cloud hosting services for the CRM. In most cases, however, the CRM software vendor and the SaaS provider are the same. This is usually the most desirable option, as you have only a single company to deal with. Companies like salesforce.com offer a CRM application that runs on the salesforce.com cloud, called Force.com. The other cloud option is to have a CRM application like Sage hosted and managed by a company like Amazon.
In this paper, I will be evaluating a SaaS CRM that is hosted and managed by a single company, like salesforce.com, and an On-Premise CRM that can be installed locally in the company LAN, as in the case of Sage ACT! Pro.
On-Premise CRM
On-Premise CRM is the traditional way of having a CRM. In this case, the CRM is installed in the company network and managed by the local IT staff. This option allows for more control of the CRM, such as managing system security, SLAs and regulatory compliance. On-Premise CRM also makes integration with other business processes easier, as the decisions are all made internally. The chance of data loss due to connectivity problems is also lower, as the systems and data all sit within the boundaries of the company network.
However, with On-Premise CRM there is a relatively large cash outlay, as it requires capital to develop, implement and manage the system. It requires software development or purchasing, buying the IT hardware necessary to run the application, and time to train staff to use the system. This initial investment can take up to 74% of the TCO. Maintenance fees are minimal once the CRM is up and running, but major upgrades can be expensive at times.
On-Premise CRM is usually cheaper for large companies with a large number of employees, as a SaaS subscription is usually priced per user per month: the more CRM users a company has, the higher the subscription cost. This is not the case for Smart Stock Brokers Inc., as we have a fairly small number of employees using the CRM system.
SaaS CRM
SaaS CRMs are most suited to small companies like Smart Stock Brokers Inc., as the initial cash outlay and the expertise needed to develop and maintain an On-Premise CRM can be expensive at the onset. Large companies that want to reduce CRM costs can also opt for this type of CRM.
Apart from the benefits mentioned above, SaaS CRM has a number of advantages over On-Premise CRM, some of which are outlined below:
- Capital cost elimination: This is possible because Smart Stock Brokers Inc.
employees will access the CRM through a web browser which does not
require the purchasing of additional infrastructure like server hardware,
Operating System, space facility, etc. In essence it is a matter of plugging and
playing.
- Faster Deployment: Compared to On-Premise, SaaS CRM deployment takes about one-third of the time, as it does not require the prior acquisition, installation and testing of infrastructure. The CRM is accessible anytime, anywhere, from any internet-capable device.
- Improved Customer Service: System usage and maintenance is greatly
enhanced as the SaaS vendor is responsible for hosting, managing,
maintaining and updating the CRM system. CRM upgrades are usually
completed without disruption to normal business services. Problems related to
the CRM are reported to the SaaS provider who will troubleshoot and fix the
problem. This allows our local IT staff to concentrate on other important IT
activities.
- Increased Flexibility: SaaS CRM is a lot more flexible than On-Premise CRM
because functionalities can be increased or reduced as company needs change.
Because it only requires an internet connection and a compatible browser to
access the CRM, mobile users can access the CRM anytime anywhere.
- Easy forecast of expenditure: It is easier to forecast long term costs of SaaS
CRM than On-Premise CRM as the bulk of the cost is derived from the
monthly subscriptions. Also due to the fact that SaaS CRM requires a much
less cost outlay than On-Premise CRM, Smart Stock Brokers Inc. can always
modify the CRM or change service providers to better suit its needs.
The following two tables, Fig 1 and Fig 2, compare the TCO of the two CRM options over a period of five years. Smart Stock Brokers Inc. has 25 users who will need access to the CRM to carry out their official duties. This is a five-year TCO forecast for two CRM products: Sage ACT! Pro (On-Premise) and SalesForce.com (SaaS) respectively.
| Cost Category | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | 5 Year TCO |
|---|---|---|---|---|---|---|
| Software with 25 user Licenses | 4,305.11 | 4,305.11 | 4,305.11 | 4,305.11 | 4,305.11 | 21,525.55 |
| Server (Online) | 5,500 | - | - | - | - | 5,500 |
| Server (Backup) | 5,500 | - | - | - | - | 5,500 |
| Annual Hardware Maintenance | 7,000 | 7,000 | 7,000 | 7,000 | 7,000 | 35,000 |
| Operating System | 4,500 | - | - | - | - | 4,500 |
| Database System | 5,600 | 5,600 | 5,600 | 5,600 | 5,600 | 28,000 |
| Firewall | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 17,500 |
| Antivirus | 1,500 | 1,500 | 1,500 | 1,500 | 1,500 | 7,500 |
| Software Support | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 | 30,000 |
| Installation and Configuration | 3,560 | - | - | - | - | 3,560 |
| Training Costs | 4,550 | - | - | - | - | 4,550 |
| On-Premise Total | 51,515.11 | 27,905.11 | 27,905.11 | 27,905.11 | 27,905.11 | 163,135.55 |
Fig 1
Sales Cloud Pro CRM license per user per month = 42.54
License for 25 users per month = 25 x 42.54 = 1,063.50
License for 25 users per year = 1,063.50 x 12 = 12,762
| Cost Category | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | 5 Year TCO |
|---|---|---|---|---|---|---|
| License Per User Per Month | 12,762 | 12,762 | 12,762 | 12,762 | 12,762 | 63,810 |
Fig 2
Looking at the above TCO comparison, the SaaS CRM option gives a TCO value of
63,810 over a five year period. This is far less than the TCO for the On-Premise
CRM which is 163,135.55.
BS 7799
Part 1 of BS 7799 contains the best practices for Information Security Management; it was revised and adopted in 2000 by ISO as ISO/IEC 17799 (Information Technology - Code of Practice for Information Security Management). The ISO/IEC 17799 standard was then revised and adopted as ISO/IEC 27002 in 2007.
Part 3 of BS 7799 was published in 2005 and covers risk analysis and management. It also aligns with ISO/IEC 27001.
The ISO 27000 family of standards (ISO 27001 and ISO 27002 in particular) provides the necessary specifications and guidance for managing information security in a wide range of companies, including Smart Stock Brokers Inc. These two standards provide a framework for managing risks related to all aspects of information security, ranging from internal threats (fraud, employees, etc.) to external threats (viruses, hackers, etc.).
ISO 27001
Clause 1 - Scope
Clause 4 - ISMS (divided into 4.1 General Requirements, 4.2 Establishing and Managing the ISMS, 4.3 Documentation Requirements)
While an organization must meet the requirements stipulated in ISO 27001, the size and complexity of the ISMS depend on a number of factors, including:
- The organization's business processes.
Annex A of ISO 27001 lists a set of control objectives and controls drawn from ISO/IEC 27002. Not all control objectives and controls in Annex A are mandatory for an organization, provided it can give a genuine explanation for those that are not met. In other words, an organization can omit certain control objectives and controls if the risk they address can be accepted without jeopardizing its legal and security requirements.
ISO 27001 uses the Plan-Do-Check-Act (PDCA) model, which helps organizations develop and maintain an ISMS that complies with it.
Plan - Covered in Clause 4 (Section 4); it deals with planning the organization's security requirements.
Check - Covered in Sections 6 and 7; it entails monitoring, measuring, auditing and reviewing the ISMS.
Act - Covered in Section 8; it deals with the corrective and preventive actions that should be taken to continuously improve the ISMS.
ISO 27002
While ISO 27001 guides organizations on how to develop and maintain an up-to-date ISMS, it does not go into detail on what makes up an ISMS. ISO 27002 (titled Information technology - Security techniques - Code of practice for information security management) serves as a code of practice for information security management that covers the different components making up an ISMS as required by ISO 27001. Not all of the security components or practices presented in ISO 27002 are necessary for developing an ISMS that complies with ISO 27001. In other words, ISO 27001 requires an organization to use only those security practices in ISO 27002 that address the company's security risks and legal requirements.
ISO 27002 contains a set of control objectives and control best practices covering the
following 11 domains (areas) of information security management:
In summary, ISO 27001 is a mechanism that aids organizations like Smart Stock Brokers Inc. in developing and maintaining an ISMS. It defines a set of requirements that an organization must meet before its ISMS is ISO 27001 certified. ISO 27001 explains how to create an up-to-date ISMS that satisfies its requirements, but it falls short of showing the bits and pieces that make up the ISMS itself; these are contained in the ISO 27002 standard. Hence, the two standards work together and can help Smart Stock Brokers Inc. evaluate all areas of risk and compliance by developing an ISMS that satisfies the requirements of the Turnbull and Combined Code reports and other legislation such as the Data Protection Act 1998. The ISMS is vital to the company's existence and competitiveness.
Benefits of an Information Security Management System to Smart Stock Brokers Inc.
There are many benefits that Smart Stock Brokers Inc. can derive from adopting an ISMS that is ISO 27001 certified, some of which are outlined below:
- Company directors can prove that they are complying with the guidelines of the Turnbull report.
- Smart Stock Brokers Inc. as a company will be able to prove that it has taken the required actions to comply with laws like the Data Protection Act 1998.
- An ISO 27001 certified ISMS will enable Smart Stock Brokers Inc. to better protect itself from dangers like computer misuse, cybercrime and cyberwar impacts.
- Smart Stock Brokers Inc. will be able to improve its reputation vis-à-vis staff, customers and third parties, which will have direct financial impacts.
- The company will be able to invest in the right security technologies and solutions in a cost-effective manner, thus improving its ROI in information security mechanisms.
Task 3: Key risks and compliance issues associated with SaaS CRM
Although there are many benefits that come with opting for a SaaS CRM, there are some prominent security-related concerns that tend to slow its wide adoption by businesses. Security risks in the form of access control, data security and service reliability are major concerns for companies. The following are some of the major risks and compliance issues raised by SaaS CRM:
means a company might not know the physical location of its data. Because of this distributed nature of SaaS it is very difficult to trace unauthorized activity; however, most cloud providers use some form of encryption to secure data as it is being transmitted.
Reliable Data and Service Access: The ability to access data and services whenever needed is paramount to customers, but unfortunately in most cases this cannot be guaranteed by SaaS CRM providers and is not included in the SLAs. Access to the SaaS CRM application might be hampered by issues such as network problems caused by intermediate parties like ISPs, for which the cloud providers will not be willing to be held liable. The issue of data loss is also not covered by SLAs from SaaS CRM providers.
Loss of Governance: With SaaS CRM, customers usually hand over complete control of system management issues, including sensitive ones like security, to the cloud provider. In most cases this does not make the cloud provider liable in the event of a security breach.
Lock-In: At the present moment, cloud computing is not fully standardized
with regards to tools, procedures, interfaces or data formats. This makes
moving from one SaaS CRM provider to another difficult which can force a
customer to maintain a SaaS provider even though the services offered are not
satisfactory.
Compliance Risks: Migrating to the cloud may put a customer's legal compliance in jeopardy, especially when the cloud provider is unable to provide compliance evidence or does not allow the customer to audit its compliance with various legal requirements. In some rare cases, going for a SaaS CRM might mean that certain legal compliance requirements cannot be satisfied.
Data Protection: SaaS CRM introduces a lot of data protection risks for both cloud customers and cloud providers. Some cloud providers may disclose their data handling procedures and practices to customers, with appropriate certifications if required. In certain cases, however, the customer is not given the opportunity to properly check the cloud provider's data handling processes and practices to ensure that customer data is handled legally, as specified in legal instruments like the Data Protection Act (1998). This becomes all the more complex when customer data traverses multiple cloud providers.
Insecure or Incomplete Data Deletion: Requests for the deletion of customer data may not be fully implemented in certain cases, as data might not be completely wiped, just as in other operating systems. In some cases, data is not deleted in a timely manner when required, as copies might be stored in other locations or the storage disk to be destroyed is shared with other customers. This threat is greater where the computer hardware is shared by multiple customers.
Malicious Insider: Malicious insider threats, like that of disgruntled staff, are less likely to occur but pose the biggest risks, as the damage they cause is greater in magnitude. Staff members such as system administrators at cloud service providers pose an extremely high risk, as they usually have a wide range of access to the systems.
The above are major security risks and concerns that need to be carefully considered by a customer when planning to move to a SaaS CRM solution.
This report presented a study comparing two CRM options for Smart Stock Brokers Inc.: On-Premise CRM and Software-as-a-Service (SaaS) CRM. The report started by outlining some of the benefits of a CRM system to the company, then critically evaluated the two CRM options by looking at the strengths and weaknesses of both models, including a five-year TCO comparison. The paper justified the use of the BS 7799/ISO 27000 series of standards for risk evaluation and compliance, with reference to the Turnbull and Combined Code reports. The risks and compliance issues raised by SaaS CRM were also discussed.
The paper has shown that an On-Premise CRM like Sage ACT! Pro 2013 gives Smart Stock Brokers Inc. the independence of managing the entire CRM system locally, within the company's network. It allows a great deal of control over the CRM system, as it is hosted and managed locally behind the company's firewall. On-Premise CRM, however, requires a heavy capital outlay, as a number of resources have to be purchased to host and manage the CRM. Since the CRM is hosted and managed locally, it also places an additional burden on the IT staff. Against the On-Premise five-year TCO of 163,135.55, SaaS CRM offers a much lower figure.
A SaaS CRM like that of salesforce.com, on the other hand, brings a number of benefits to Smart Stock Brokers Inc. In this case, the CRM is hosted, managed and maintained by the SaaS vendor. The flexibility of accessing the CRM from anywhere with an internet connection is a great benefit. Compared to On-Premise CRM, the overall five-year TCO (63,810) and the initial capital investment needed to get the system up and running are a fraction of those of its On-Premise counterpart. Maintenance costs in the form of the monthly subscription account for about 65% of its TCO.
Despite its numerous benefits, SaaS CRM comes with a number of risks that have to be carefully considered, as total control over the CRM is relinquished to the cloud provider. Handing complete control of the CRM system to the SaaS provider calls for thorough evaluation of the SLAs, contract terms and security mechanisms. It is prudent for Smart Stock Brokers Inc. to know how data is stored, accessed and protected by the SaaS vendor, to make sure that company data is accessible only to authorized users. The terms of the SaaS CRM contract should cover all the necessary security issues, such as data recovery, a data access audit trail and favourable contract termination conditions.
My view as the CIO of Smart Stock Brokers Inc. is that, with a proper ISMS developed and maintained using the recommendations in ISO 27001 and ISO 27002, these risks will be properly managed. Thus the CRM option that I recommend is the SaaS CRM, as it has numerous benefits to the company. I believe that with a good internal control mechanism in the form of a certified ISO 27001 ISMS, the benefits of SaaS CRM outweigh the risks involved.