IT Governance & Law Assessment


Student Full Name: Pa Ali Nyang
Student ID: 100282417
University Email: P.Nyang1@unimail.derby.ac.uk

Abstract

Software-as-a-Service (SaaS) CRM continues to attract the attention of businesses of
all models because of the benefits it comes with. The freedom of having your whole
CRM system hosted and managed by another company, coupled with the flexibility of
accessing the CRM application from anywhere with an internet connection at low cost,
makes it irresistible to many companies. This paper presents a study for Smart Stock
Brokers Inc. (an investment broker firm in the UK) to choose between On-Premise
CRM and SaaS CRM for its new CRM project. The paper compares the two
CRM options by looking at their strengths and weaknesses, five-year total cost of
ownership (TCO) and the risks that are associated with SaaS CRM. The goal of this
paper is to thoroughly compare and contrast On-Premise and SaaS CRM solutions,
and finally to recommend one of them as the CRM of choice for Smart Stock Brokers
Inc.

Keywords: Cloud Computing, SaaS CRM, On-Premise CRM and Total Cost Of
Ownership

Introduction

Smart Stock Brokers Inc. is a registered investment broker firm that provides stock
brokerage services to customers in the UK online. The company has 25 employees
and serves more than 2000 customers. As the CIO of this company, I am responsible
for the IT system which supports the online brokerage services of the firm. Currently
the system provides secure links for our customers to be able to log on to our online
brokerage application, and then to various stock trading exchanges in London.

Being a financial institution, Smart Stock Brokers Inc. requires accurate and
up-to-date knowledge of its customers; hence we have our Know Your Customer (KYC)
details in a file server in the network. This has recently been identified as a critical
security risk because only three employees need to access this data. This data,
however, needs to be integrated into our business systems to reduce operational system
errors.

In this assessment, I am tasked with the responsibility of conducting a study with the
aim of producing a recommendation for the new CRM system to be acquired. This
new CRM can be installed in the cloud as in SaaS CRM, or installed locally in one of
the company servers as in the case of On-Premise CRM. This report will critically
compare the two options, and at the end of this paper a recommendation will be made
between the two options.

Task 1: Benefits of CRM, On-Premise and SaaS Comparison

Purpose of a CRM System to Smart Stock Brokers Inc.

A CRM system has a number of important functions it can provide to a stock
brokerage establishment like Smart Stock Brokers Inc. Some of the most important
functions of a CRM system to this company are outlined below:

- Recording and accessing of customer profiles: This includes the personal and
investment objectives of customers.
- The CRM system can provide access to detailed customer cash and stock
positions, account summaries, portfolios and trading performance.
- It can provide easy support for storage and accessibility of KYC data. This
ensures the company is in compliance with regulatory requirements.
- Provides users with a rich and easy-to-use user interface. The CRM can
integrate with other existing systems in the company to provide users with
means of reaching out to customers through telephony, email, or SMS when
the need arises.
- Provides a mechanism for alerts to be sent to the system support team in case
customers experience problems with the portal when doing their trades.
- The CRM can use historical data to show loyal customers who can be given
special promotional packages, etc.

CRM in the Cloud

Recent developments in IT have made it possible to host IT applications and
services on the internet, which is known as cloud computing. In this case, a company
subscribes to another company providing cloud hosting services to host its
applications and/or services at a fee. Almost all the internal applications running
behind company firewalls can now be hosted in clouds, including CRM applications.

There are a number of benefits a company will get in opting for a SaaS CRM rather
than an On-Premise CRM. A SaaS CRM is usually a web-based application that is hosted
by a cloud service provider. This is purchased on a monthly subscription basis and is
available whenever needed. The CRM configuration and maintenance is
included in the subscription, which means the SaaS provider is responsible for its
upkeep.

In some cases the CRM vendor will be responsible for configuring and managing the
CRM software, and another company provides cloud hosting services for the CRM.
In most cases, however, the CRM software vendor and the SaaS provider are the
same. This is usually the most desirable option as you have only a single company to
deal with. Companies like salesforce.com offer a CRM application that can run on
the salesforce.com cloud called Force.com. The other cloud option is to have a CRM
application like Sage which can be hosted and managed by companies like Amazon.

In this paper, I will be evaluating a SaaS CRM that is hosted and managed by a single
company like salesforce.com, and an On-Premise CRM that can be installed locally in
the company LAN, as in the case of Sage ACT! Pro.

On-Premise CRM

On-Premise CRM is the traditional way of having a CRM. In this case, the CRM is
installed in the company network and managed by the local IT staff. This option
allows for more control of the CRM like managing system security, SLAs and
regulatory compliance. On-Premise CRM also makes integration with other business
processes easy as the decisions are all internally made. Chances of data loss due to
connectivity problems are also less, as the systems and data are all within the
boundaries of the company network.

However, with the On-Premise CRM there is a relatively large cash outlay, as it
requires capital to develop, implement and manage the system. It requires software
development or purchasing, buying of the necessary IT hardware to run the application,
and time to train staff to use the system. This initial investment can take up to
74% of the TCO. Maintenance fees are minimal once the CRM is up and
running, but big upgrades can be expensive at times.

On-Premise CRM is usually cheaper for large companies with a large number of
employees, as SaaS subscription is usually on a per-user per-month basis. The more
CRM users a company has, the more expensive the subscription becomes.
This is, however, not the case for Smart Stock Brokers Inc., as we have a
fairly small number of employees using the CRM system.

SaaS CRM

SaaS CRM offers immediate financial benefits as it requires no purchasing of a highly
customized and expensive CRM application, hardware, space facility and IT staff to
manage and maintain the system (Laudon & Laudon). Initial cash outlay for a SaaS
CRM is relatively modest when compared to On-Premise CRM. This initial
investment only accounts for 35% of the TCO and includes consulting, training and
implementation. The payments incurred in the monthly subscription account for about
65% of the TCO, which comprises the bulk of the cost. This means that less cash
outlay and less labour are needed, and the financial risk is lower, to have the CRM up
and running. When compared to On-Premise CRM, the initial cost outlay is a lot
cheaper. Most of the time deployment is easy as the SaaS provider is responsible for
providing support services. This is usually included in the Service Level Agreement
signed with the SaaS provider.

SaaS is paid on a per-user per-month subscription, which makes it simple and predictable
and provides good control over expenditures, as over-budget expenditures can be
eliminated. Accessing the SaaS CRM is simple and flexible since the only things
needed are an internet connection and a compatible browser. This makes it easy for
mobile and remote users to access the CRM. In this case, Smart Stock Brokers
Inc. employees can be permitted to work from home. Also, since the CRM is hosted,
managed and maintained by the SaaS provider, the IT staff of the company can
concentrate on other IT activities.

SaaS CRMs are most suited for small companies like Smart Stock Brokers Inc., as the
initial cash outlay and expertise needed in the development and maintenance of
On-Premise CRM can be expensive at the onset. Large companies that want to reduce
costs on CRM can also opt for this type of CRM.

SaaS CRM vs. On-Premise CRM

Apart from the benefits mentioned above, SaaS CRM has a number of
advantages over On-Premise CRM, some of which are outlined below:

- Capital cost elimination: This is possible because Smart Stock Brokers Inc.
employees will access the CRM through a web browser which does not
require the purchasing of additional infrastructure like server hardware,
Operating System, space facility, etc. In essence it is a matter of plugging and
playing.
- Faster Deployment: When compared to On-Premise, SaaS CRM deployment
takes about one-third of the time required to deploy as it does not require the
prior acquisition, installation and testing of infrastructure. The CRM is
accessible anytime, anywhere from any internet-capable device.
- Improved Customer Service: System usage and maintenance is greatly
enhanced as the SaaS vendor is responsible for hosting, managing,
maintaining and updating the CRM system. CRM upgrades are usually
completed without disruption to normal business services. Problems related to
the CRM are reported to the SaaS provider who will troubleshoot and fix the
problem. This allows our local IT staff to concentrate on other important IT
activities.
- Increased Flexibility: SaaS CRM is a lot more flexible than On-Premise CRM
because functionalities can be increased or reduced as company needs change.
Because it only requires an internet connection and a compatible browser to
access the CRM, mobile users can access the CRM anytime anywhere.
- Easy forecast of expenditure: It is easier to forecast long-term costs of SaaS
CRM than On-Premise CRM as the bulk of the cost is derived from the
monthly subscriptions. Also, because SaaS CRM requires a much
smaller cost outlay than On-Premise CRM, Smart Stock Brokers Inc. can always
modify the CRM or change service providers to better suit its needs.

Total Cost Of Ownership Comparison

The following two tables (Fig 1 and Fig 2) compare the TCO of the two CRM options over
a period of five years. Smart Stock Brokers Inc. has 25 users who will need access to
the CRM to do their official duties. This is a five-year TCO forecast for two CRM
products, Sage ACT! Pro (On-Premise) and SalesForce.com (SaaS) respectively.

Sage ACT! Pro 2013 On-Premise CRM Costs Facts:

| Cost Category | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | 5 Year TCO |
|---|---|---|---|---|---|---|
| Software with 25 user Licenses | 4,305.11 | 4,305.11 | 4,305.11 | 4,305.11 | 4,305.11 | 21,525.55 |
| Server (Online) | 5,500 | - | - | - | - | 5,500 |
| Server (Backup) | 5,500 | - | - | - | - | 5,500 |
| Annual Hardware Maintenance | 7,000 | 7,000 | 7,000 | 7,000 | 7,000 | 35,000 |
| Operating System | 4,500 | - | - | - | - | 4,500 |
| Database System | 5,600 | 5,600 | 5,600 | 5,600 | 5,600 | 28,000 |
| Firewall | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 17,500 |
| Antivirus | 1,500 | 1,500 | 1,500 | 1,500 | 1,500 | 7,500 |
| Software Support | 6,000 | 6,000 | 6,000 | 6,000 | 6,000 | 30,000 |
| Installation and Configuration | 3,560 | - | - | - | - | 3,560 |
| Training Costs | 4,550 | - | - | - | - | 4,550 |
| On-Premise Total | 51,515.11 | 27,905.11 | 27,905.11 | 27,905.11 | 27,905.11 | 163,135.55 |

Fig 1

Salesforce.com SaaS CRM Costs Facts:

Sales Cloud Pro CRM license per user per month = 42.54

License for 25 users per month = 25 x 42.54 = 1063.50
License for 25 users per year = 1063.50 x 12 = 12,762

| Cost Category | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | 5 Year TCO |
|---|---|---|---|---|---|---|
| License Per User Per Month | 12,762 | 12,762 | 12,762 | 12,762 | 12,762 | 63,810 |
| SaaS CRM TOTAL | 12,762 | 12,762 | 12,762 | 12,762 | 12,762 | 63,810 |

Fig 2

Looking at the above TCO comparison, the SaaS CRM option gives a TCO value of
63,810 over a five year period. This is far less than the TCO for the On-Premise
CRM which is 163,135.55.

Task 2: Justification for Using BS 7799/ISO 27K Standard Series

BS 7799

BS 7799 is a security standard developed by the UK Government and it is divided
into three parts:

Part 1 of BS 7799 contains the best practices for Information Security Management,
which was revised and adopted in 2000 by ISO as ISO/IEC 17799 (Information
Technology - Code of Practice for Information Security Management). The ISO/IEC
17799 standard was then revised and adopted as ISO/IEC 27002 in 2007.

Part 2 of BS 7799 was published in 1999 as BS 7799 Part 2, named Management
Systems - Specification with Guidance for Use. It focuses on how to implement an
Information Security Management System (ISMS), and later became ISO/IEC
27001.

Part 3 of BS 7799 was published in 2005, and covers risk analysis and management.
This also aligns with ISO/IEC 27001.

The combination of the ISO 27000 family of standards (ISO 27001 and ISO 27002 in
particular) will provide the necessary specifications and guidance in managing
information security in a wide range of companies including Smart Stock Brokers
Inc. These two standards provide a framework for managing risks related to all
aspects of information security, ranging from internal threats (fraud, employees, etc.)
to external threats (viruses, hackers, etc.).

ISO 27001

ISO 27001 (named Information technology - Security techniques -
Information security management systems - Requirements) serves as a
specification document or guideline to help a wide range of organizations, including
Smart Stock Brokers Inc., to develop and maintain an ISMS. It defines a set of
information security requirements that are divided into eight clauses. ISO 27001 is
used as a certification guideline wherein an organization will develop an ISMS that
satisfies both its information security needs and the requirements outlined in ISO
27001. Once an organization develops an ISMS that meets its requirements using the
guidelines in ISO 27001, the organization can then apply for ISO 27001 certification
for its ISMS. According to the ISO 27001 standard, a company wishing to be ISO
certified needs to satisfy the requirements outlined in clauses 4, 5, 6, 7, and 8 of the
standard. The eight clauses included in the ISO 27001 standard are:

Clause 1- Scope

Clause 2- Reference to ISO 17799

Clause 3- Terms and Definitions

Clause 4- ISMS (This is divided into 4.1- General Requirements, 4.2- Establishing
and Managing ISMS, 4.3- Documentation Requirements)

Clause 5- Management Responsibility

Clause 6- Internal ISMS Audits

Clause 7- Management Review of the ISMS

Clause 8- ISMS Improvement

While an organization must meet the requirements stipulated in ISO 27001, the size
and complexity of the ISMS does depend on a number of factors including:

- The size and structure of the organization
- Organization needs and objectives
- Security requirements of the organization
- Organization business processes.

Annex A of ISO 27001 lists a set of control objectives and controls which come from
ISO/IEC 27002. Not all control objectives and controls in Annex A are mandatory to
be met by an organization, provided the organization is able to give a genuine
explanation for those that couldn't be met. In other words, an organization can omit
certain control objectives and controls if the risk they address can be ignored without
jeopardizing its legal and security requirements.

ISO 27001 uses the Plan-Do-Check-Act (PDCA) model which helps organizations to
develop and maintain an ISMS that complies with it.

Plan- This is covered in Clause 4 (Section 4), and it deals with planning the
organization's security requirements.

Do- Covered in Section 5 of the standard, and it refers to implementing, operating
and maintaining the ISMS.

Check- This is covered in Sections 6 and 7, and it entails the monitoring, measuring,
auditing and reviewing of the ISMS.

Act- Covered in Section 8 and it deals with the corrective and preventive actions that
should be taken to continuously improve the ISMS.

By carefully following the requirements of Sections 4 to 8 using the PDCA approach,
an organization like Smart Stock Brokers Inc. will be able to simply develop and
maintain an ISMS that complies with the ISO 27001 standard.

ISO 27002

While ISO 27001 guides organizations on how to develop and maintain an up-to-date
ISMS, it does not go into the details of what makes up an ISMS. ISO 27002 (named
Information technology - Security techniques - Code of practice for
information security management) serves as a code of practice for information
security management that includes all the different components that make up an
ISMS as per the requirements of ISO 27001. The security components or practices
that are presented in ISO 27002 are not all necessary in the development of an ISMS
that complies with ISO 27001. In other words, ISO 27001 requires an organization to
use only the security practices in ISO 27002 that address the company's security
risks and legal requirements.

ISO 27002 contains a set of control objectives and control best practices covering the
following 11 domains (areas) of information security management:

1. Security Policy: Establish a comprehensive information security policy.
2. Organization of Information Security: Establish an internal security for the
organization controlling the use of company information by third parties.
3. Asset Management: Establishing ownership for the company's assets by using
information classification systems.
4. Human Resources Security: Emphasizing staff security before, during and at
termination of employment.
5. Physical and Environmental Security: Physically protecting environments
where company assets are located.
6. Communications and Operations Management: Implementing proper
communication and operational procedures that cover all forms of
communications within and outside the company.
7. Access Control: Use various security mechanisms to control access to
company resources.
8. Information Systems Acquisition, Development and Maintenance: Use
security mechanisms to protect the organization's systems, tools, data and
services.
9. Information Security Incident Management: Use security mechanisms to
protect the organization's systems, tools, data and services.
10. Business Continuity Management: Implement business continuity
mechanisms to ensure company operations when there are problems like
natural disasters.
11. Compliance: Provides a mechanism to comply with legal requirements,
performs compliance reviews and system audits. Legal requirements like the
Combined Code, Turnbull reports are to be considered here.

In summary, ISO 27001 is a mechanism that aids organizations like Smart Stock
Brokers Inc. to develop and maintain an ISMS. It defines a set of requirements that
must be met by an organization before its ISMS is ISO 27001 certified. ISO 27001
explains how to create an up-to-date ISMS that satisfies its requirements, but it falls
short of showing the bits and pieces that make up the ISMS itself. These bits and
pieces are contained in the ISO 27002 standard. Hence, these two standards work
together and can help Smart Stock Brokers Inc. to evaluate all the areas of risk and
compliance by developing an ISMS that satisfies the requirements of the Turnbull and
Combined Code reports and other legislation like the Data Protection Act (1998).
The ISMS is vital to its existence and competitiveness.

Benefits of an Information Security Management System to Smart Stock Brokers Inc.

There are many benefits that Smart Stock Brokers Inc. can derive from adopting an
ISMS that is ISO 27001 certified, some of which are outlined below:

- Company directors can prove that they are complying with the guidelines of
the Turnbull report.
- Smart Stock Brokers Inc. as a company will be able to prove that it has taken
the required actions to comply with laws like the Data Protection Act 1998.
- An ISO 27001 certified ISMS will enable Smart Stock Brokers Inc. to better
protect itself from dangers like computer misuse, cybercrime and cyberwar
impacts.
- Smart Stock Brokers Inc. will be able to improve its reputation vis-à-vis staff,
customers and third parties, which will have direct financial impacts.
- The company will be able to invest in the right security technologies and
solutions in a cost-effective manner, thus improving its ROI in information
security mechanisms.

Task 3: Key risks and compliance issues associated with SaaS CRM

Software-as-a-service (SaaS) is rapidly evolving as the software platform of choice for a
wide range of organizations that seek to reduce IT investments while benefiting from
the inherent flexibility, fast deployment, ready access, and scalability of the SaaS
model. SaaS is part of the cloud computing approach to the acquisition of computer
software, hardware and services.

Although there are many benefits that come with opting for a SaaS CRM, there are
some prominent security-related concerns that tend to slow its wide
adoption by businesses. Security risks in the form of access control, data security and
service reliability are major concerns for companies. The following are some of the
major risks and compliance issues that are raised by SaaS CRM:

- Distributed Nature in Cloud Computing: The distributed nature of cloud
computing grids serves as a major source of concern for cloud services. In
SaaS, applications and services are stored in virtual cloud libraries in remote
data centers that serve multiple cloud customers. Using technologies like load
balancing, clustering, etc., cloud service providers distribute workload among
the data centers across the world to efficiently handle customer requests.
Cloud service providers see this approach as more cost-effective, which
means a company might not know the physical location of its data. Because of
this distributed nature of SaaS it is very difficult to trace unauthorized activity;
however, most cloud providers use some form of encryption to secure data as
it is being transmitted.
- Reliable Data and Service Access: The ability to access data and services
anytime needed is something that is paramount to customers, but
unfortunately this in most cases cannot be guaranteed by SaaS CRM
providers, and it is not included in the SLAs. Accessing a SaaS CRM
application might be hampered by different issues like network problems,
which can be caused by intermediate parties like ISPs for which the cloud
providers will not be willing to be liable. The issue of data loss is also not
covered by SLAs from SaaS CRM providers.
- Loss of Governance: With SaaS CRM, customers usually hand over complete
control of system management issues to cloud providers, which includes
sensitive issues like security. In most cases this does not hold the cloud provider
liable in case of security breaches.
- Lock-In: At the present moment, cloud computing is not fully standardized
with regards to tools, procedures, interfaces or data formats. This makes
moving from one SaaS CRM provider to another difficult, which can force a
customer to stay with a SaaS provider even though the services offered are not
satisfactory.
- Compliance Risks: Migrating to the cloud may put the legal compliance of a
customer in jeopardy, especially when the cloud provider is unable to provide
compliance evidence or does not allow the customer to audit its compliance with
various legal requirements. In some rare cases, going for a SaaS CRM might
mean that certain legal compliance requirements cannot be satisfied.
- Data Protection: SaaS CRM introduces a lot of data protection risks for both
cloud customers and cloud providers. Some cloud providers may disclose
their data handling procedures and practices to customers with appropriate
certifications if required. In certain cases, however, the customer is not given
the opportunity to properly check the data handling processes and practices of
the cloud provider to ensure that customer data is legally handled as specified
in legal bindings like the Data Protection Act (1998). This becomes all too
complex when customer data traverses between multiple cloud providers.
- Insecure or Incomplete Data Deletion: Requests made with regards to the
deletion of customer data may not be fully implemented in certain cases, as
data might not be completely wiped out, like in other operating systems. In
some cases, data is not deleted in a timely manner when needed, as data copies
might be stored in other locations or the storage disk to be destroyed is shared
by other customers. This threat is greater in cases where the computer
hardware is shared by multiple customers.
- Malicious Insider: Malicious insider threats like that of disgruntled staff are
less likely to occur but pose the biggest risks as their damages are greater in
magnitude. Staff members like system administrators in cloud service
providers are of extremely high risk as they usually have a wide range of
access to the systems.

The above-mentioned are major security risks and concerns that need to be well
considered by a customer when planning to move to a SaaS CRM solution.

Task 4: Conclusion and Recommendation

This report presented a study that compares two CRM options for Smart Stock
Brokers Inc. These CRM options are On-Premise CRM and Software-as-a-Service
(SaaS) CRM. The report started by outlining some of the benefits of a CRM system
to the company, and critically evaluated the two CRM options by looking at the
strengths and weaknesses of both models, including a five-year TCO comparison of
the two. The paper justified the usage of the BS 7799/ISO 27000 series of standards for
risk evaluation and compliance with reference to the Turnbull and Combined Code
reports. The risks and compliance issues raised by SaaS CRM are also discussed.

The paper has shown that On-Premise CRM like Sage ACT! Pro 2013 accords Smart
Stock Brokers Inc. the independence of locally managing the entire CRM system
within the company's network. It allows for a great deal of control over the CRM
system as it is hosted and managed locally behind the company's firewall. On-Premise
CRM, however, requires a heavy capital outlay to develop, as a number of resources
have to be purchased to host and manage the CRM. Since the CRM is hosted and
managed locally, it also serves as an additional burden to the IT staff. Looking at the
five-year TCO comparison (163,135.55 in this case), SaaS CRM costs much
less.

SaaS CRM like that of salesforce.com, on the other hand, brings benefits
to Smart Stock Brokers Inc. in a number of ways. In this case, the CRM is hosted,
managed and maintained by the SaaS vendor. There is the flexibility of accessing the
CRM from anywhere with an internet connection, which is a great benefit. When
compared to On-Premise CRM, the overall five-year TCO value (63,810) and the
initial capital investment to have the system up and running are a fraction of those of its
On-Premise counterpart. Maintenance costs in the form of monthly subscription
account for about 65% of its TCO.

Despite its numerous benefits, SaaS CRM comes with a number of risks that have to
be carefully considered, as total control over the CRM is relinquished to
the cloud provider. The company hands over complete control of the CRM system to
the SaaS provider, which calls for thorough evaluation of the SLAs, contract terms
and security mechanisms. It is prudent for Smart Stock Brokers Inc. to know how
data is stored, accessed and protected by the SaaS vendor to make sure that company
data is only accessible to authorized users. The terms of the SaaS CRM contract
should cover all the necessary security issues like data recovery, data access audit
trail and favourable contract termination conditions.

My view as the CIO of Smart Stock Brokers Inc. is that, with a proper ISMS developed
and maintained using the recommendations in ISO 27001 and ISO 27002, these risks
will be properly managed. Thus the CRM option that I will recommend is that of the
SaaS CRM, as it has numerous benefits to the company. I have the belief that with
good internal control mechanisms in the form of a certified ISO 27001 ISMS, SaaS CRM
benefits outweigh the risks involved.
