Page 1: Microsoft Dynamics CRM Online security and …concisecrm.com/files/resources/Microsoft_Dynamics_CRM_Online... · Online security and service continuity guide. Microsoft Dynamics CRM

Microsoft Dynamics CRM Online security and service continuity guide

Microsoft Corporation

Published: July 2012

Updated: September 2013

Abstract

This service description describes the security, continuity, and compliance policies and controls

for the Microsoft Dynamics CRM Online service offering. The document is intended to provide

Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics

CRM Online service is designed to provide a high degree of security, continuity, and

compliance—service goals that are derived from the Microsoft Risk Management program.


This document is provided "as-is". Information and views expressed in this document, including

URL and other Internet Web site references, may change without notice. You bear the risk of

using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real

association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any

Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2013 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Hyper-V, Internet Explorer, Microsoft Dynamics, Microsoft

Dynamics logo, MSDN, Outlook, Notepad, SharePoint, Silverlight, Visual C++, Windows,

Windows Azure, Windows Live, Windows PowerShell, Windows Server, and Windows Vista are

trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

Microsoft Dynamics CRM Online security and service continuity guide ......................................... 4

Applies To .................................................................................................................................... 4

Microsoft Dynamics CRM Online security .................................................................................... 5

Securing the Microsoft Dynamics CRM Online service ............................................................ 5

Physical security ....................................................................................................................... 5

Logical security ......................................................................................................................... 6

Delivering reliable service ......................................................................................................... 9

Microsoft Dynamics CRM Online service continuity .................................................................. 10

Service continuity management .............................................................................................. 11

Incident classification........................................................................................................... 11

Catastrophic outages and declarations of disaster ............................................................. 12

The Service health dashboard ......................................................................................... 12

Microsoft Dynamics CRM Online compliance ............................................................................ 14

Support for leading industry certifications ............................................................................... 15

Appendix A: Additional resources .............................................................................................. 17

Microsoft Dynamics CRM Online ............................................................................................ 17

Security and operations .......................................................................................................... 17

Appendix B: Accessibility for Microsoft Dynamics CRM ............................................................ 17

Feedback .................................................................................................................................... 18


Microsoft Dynamics CRM Online security and service continuity guide

Published: July 2012

Updated: September 2013

This service description describes the security, continuity, and compliance policies and controls

for the Microsoft Dynamics CRM Online service offering. The document is intended to provide

Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics

CRM Online service is designed to provide a high degree of security, continuity, and

compliance—service goals that are derived from the Microsoft Risk Management program.

Applies To: Microsoft Dynamics CRM Online

In this white paper

Introduction

Microsoft Dynamics CRM Online security

Microsoft Dynamics CRM Online service continuity

Microsoft Dynamics CRM Online compliance

Appendix A: Additional resources

Appendix B: Accessibility for Microsoft Dynamics CRM

Feedback

This section introduces the purpose and scope of the information provided in this paper.

Purpose

Microsoft Dynamics CRM Online delivers the power of cloud productivity to businesses of all

sizes, helping customers save time and money and free up valued resources. Microsoft

understands that when customers allow an external service provider to store and manage their

data, key considerations include security, data protection, privacy, and data ownership. Microsoft

takes these concerns seriously and has applied its years of cloud and on-premises experience

with security and privacy to the Microsoft Dynamics CRM Online service.

Scope

This service description describes the security, continuity, and compliance policies and controls

for the Microsoft Dynamics CRM Online service offering. The document is intended to provide

Microsoft Dynamics CRM Online customers with an overview of how the Microsoft Dynamics

CRM Online service is designed to provide a high degree of security, continuity, and

compliance—service goals that are derived from the Microsoft Risk Management program.

Download


This paper can be downloaded from the Microsoft Download Center: Microsoft Dynamics CRM

Online security and service continuity guide.

Microsoft Dynamics CRM Online security

The security architecture of Microsoft Dynamics CRM Online has been designed using key

principles of the Microsoft Trustworthy Computing initiative. To ensure that customer data is

highly safeguarded from risks and threats, Microsoft applies a common set of security policies to

the Microsoft Dynamics CRM Online service through the Microsoft security program. The

Microsoft Dynamics CRM Online service operates in compliance with these security policies and

relevant industry standards. Microsoft is committed to continually improving and evolving the

Microsoft Dynamics CRM Online service to ensure that customers are highly protected from

current and future threats.

This section describes how Microsoft protects customers’ business data and delivers the

Microsoft Dynamics CRM Online service securely and reliably.

Securing the Microsoft Dynamics CRM Online service

Microsoft helps comprehensively secure the Microsoft Dynamics CRM Online service by applying

the Trustworthy Computing approach, which ensures that the security of the Microsoft Dynamics

CRM Online service is vigilantly maintained, regularly enhanced, and routinely verified through

testing.

For more information, see the page Foundations of Trustworthy Computing.

The Trustworthy Computing approach provides protection at multiple levels:

Physical layers at data centers: Physical controls, video surveillance, and access control.

Logical layers: Data isolation, hosted applications security, infrastructure service, network

level, identity and access management, federated identity and single sign-on.

Physical security

Microsoft ensures that the environment in which the Microsoft Dynamics CRM Online customer’s

data is stored is physically secured by controlling accessibility through multiple security checks.

These physical security checks are applied at multiple levels in the Microsoft data centers, and

the Microsoft Dynamics CRM Online service is delivered through carrier-class data centers that

ensure consistent delivery according to the service-level agreement (SLA).

These data centers include the following industry-standard features:

Secure physical access for authorized personnel only: Access is restricted by job

function so that only essential personnel receive authorization to manage customers’

applications and service. Physical access authorization utilizes multiple authentication and

security processes: badge and smartcard, biometric scanners, on-premises security officers,


continuous video surveillance, and two-factor authentication for physical access to the data

center environment.

Redundant power supplies, including two separate power feeds into each data center,

battery backup, and diesel generators (with alternative fuel delivery contracts in place).

Climate control to ensure that equipment runs at optimal temperature and humidity.

Natural disaster control, including seismically braced racks where required and fire

prevention and extinguishing systems.

Physical monitoring, including motion sensors, 24-hour secured access, video camera

surveillance, and security breach alarms.

Worldwide Microsoft data center locations: The Microsoft Dynamics CRM Online service

is deployed in Microsoft data centers that are located around the world, and offer

geographically local hosting with global availability.

Secure network design and operations: The networks within the Microsoft data centers are

designed to create multiple separate network segments within each data center. This

segmentation helps to provide physical separation of critical, back-end servers and storage

devices from the public-facing interfaces.

Exceptional hardware: The underlying hardware used in Microsoft data centers is

specifically designed to operate as efficiently, effectively, and securely as possible. The

hardware helps Microsoft eliminate unnecessary costs, save power and space consumption,

and pass on these savings to Microsoft Dynamics CRM Online customers.

Logical security

Logical security in Microsoft Dynamics CRM Online is just as important as physical security. In

Microsoft Dynamics CRM Online, the following key features provide logical security.

Data isolation: Data storage and processing is logically segregated among customers. The

multitenant security architecture ensures that customer data stored in shared Microsoft

Dynamics CRM Online data centers is not accessible by or compromised to any other

organization. Each tenant is provisioned their own database, which ensures isolation from

other customer data. In addition, tenants are isolated from each other based on security

boundaries which are enforced logically through the Microsoft Dynamics CRM Online middle

tier.

Hosted applications security: Microsoft ensures that applications hosted by Microsoft data

centers are highly protected by robust security features and security measures that control

access, which are described in the following table.


Feature Description

Customizable security roles Govern user access and the actions they

can perform.

Business data auditing Allow organizations to maintain an audit trail

that demonstrates accountability from

beginning to end.

Field-level security Control the permission of users and teams

to read, create, or write in a data field.

Role-based forms Control the visibility of data for a specific

record type.

For guidelines and best practices associated with setting up these features in

Microsoft Dynamics CRM Online, see the Microsoft Dynamics CRM Online security

and compliance planning guide.
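The four features in the table combine into a single access decision: a security role grants record-level privileges, a field-level security profile then decides whether a secured attribute may be read or written, and every decision lands in the audit trail. The following Python model is added here as an illustration; it is not code from Microsoft or from the Dynamics CRM Online SDK. It shows that evaluation order on constructed roles, users and a sample contact record; the class and attribute names (SecurityRole, FieldProfile, AccessModel, creditlimit, taxid) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class SecurityRole:
    """A customizable security role: entity name -> privileges granted."""
    name: str
    privileges: dict  # e.g. {"contact": {"read", "write"}}


@dataclass(frozen=True)
class FieldProfile:
    """A field-level security profile: (entity, attribute) -> permissions."""
    name: str
    field_permissions: dict  # e.g. {("contact", "creditlimit"): {"read"}}


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple             # SecurityRole instances
    field_profiles: tuple = ()


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    action: str
    entity: str
    attribute: Optional[str]
    allowed: bool


class AccessModel:
    """Evaluates role privileges, then field-level security, and audits each decision."""

    def __init__(self, secured_fields):
        # (entity, attribute) pairs that additionally require a field profile
        self.secured_fields = set(secured_fields)
        self.audit_log = []

    def _privilege(self, user, action, entity):
        return any(action in role.privileges.get(entity, set()) for role in user.roles)

    def _record(self, user, action, entity, attribute, allowed):
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), user.name,
                                         action, entity, attribute, allowed))
        return allowed

    def has_privilege(self, user, action, entity):
        """Record-level check driven purely by the user's security roles."""
        return self._record(user, action, entity, None, self._privilege(user, action, entity))

    def can_access_field(self, user, action, entity, attribute):
        """Field-level check: record privilege first, then the profile for secured fields."""
        allowed = self._privilege(user, action, entity)
        if allowed and (entity, attribute) in self.secured_fields:
            allowed = any(action in p.field_permissions.get((entity, attribute), set())
                          for p in user.field_profiles)
        return self._record(user, action, entity, attribute, allowed)

    def read_record(self, user, entity, record):
        """Return the record with unreadable secured fields stripped, or None if no read privilege."""
        if not self.has_privilege(user, "read", entity):
            return None
        return {attr: value for attr, value in record.items()
                if (entity, attr) not in self.secured_fields
                or self.can_access_field(user, "read", entity, attr)}

    def denied(self):
        """Audit trail view: every denied decision, oldest first."""
        return [(e.user, e.action, e.entity, e.attribute) for e in self.audit_log if not e.allowed]


# Constructed sample data (not real roles, users or records).
SALES = SecurityRole("Salesperson", {"contact": {"read", "write"}, "opportunity": {"read"}})
FINANCE = SecurityRole("Finance", {"contact": {"read"}})
CREDIT_PROFILE = FieldProfile("Credit data", {("contact", "creditlimit"): {"read"}})
MODEL = AccessModel(secured_fields=[("contact", "creditlimit"), ("contact", "taxid")])
ALICE = User("alice", roles=(SALES,))
BOB = User("bob", roles=(FINANCE,), field_profiles=(CREDIT_PROFILE,))
CONTACT = {"fullname": "Sample Contact", "email": "sample@example.invalid",
           "creditlimit": 5000, "taxid": "PLACEHOLDER-TAXID"}

if __name__ == "__main__":
    print(MODEL.read_record(ALICE, "contact", CONTACT))    # both secured fields hidden
    print(MODEL.read_record(BOB, "contact", CONTACT))      # creditlimit visible, taxid hidden
    print(MODEL.can_access_field(BOB, "write", "contact", "fullname"))  # False: Finance is read-only
    for entry in MODEL.denied():
        print("denied:", entry)
```

The point to take from the model is the ordering: a field profile never widens access beyond what the role allows, it only narrows it, and the denials are what the audit trail must retain to demonstrate accountability.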

Security Development Lifecycle: Microsoft applies Security Development Lifecycle, a

software security assurance process, to design, develop, and implement the Microsoft

Dynamics CRM Online service. Security Development Lifecycle helps to ensure that the

service is highly secured—even at the foundation level.

Through controls like Establish Design Requirements, Analyze Attack Surface, and Threat

Modeling, the Security Development Lifecycle helps Microsoft to identify:

Potential threats while running a service.

Exposed aspects of the service that are open to attack.

If potential threats are identified at Design, Development, or Implementation phases,

Microsoft can minimize the probability of attacks by restricting service or eliminating

unnecessary functions. After eliminating unnecessary functions, Microsoft reduces these

potential threats in the Verification phase by fully testing the controls in the Design phase.

Secured Microsoft Dynamics CRM Online service infrastructure: Infrastructure-level

security measures include:

Extensive server monitoring support integrated with the overall Microsoft System Center

Operations Manager monitoring architecture.

Secure remote access via Microsoft Windows Server Remote Desktop Service.

Multi-tier administration, using a three-tier administration model that isolates

administrative tasks and controls access based on user role and the level of authorized

administrative access.

Environmental security scanning to monitor for vulnerabilities and incorrect configuration.

Intrusion detection systems to provide continuous monitoring of all access to the

Microsoft Dynamics CRM Online service. Sophisticated correlation engines analyze this

data to immediately alert staff of any “suspicious” connection attempts.
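The intrusion detection and correlation described above comes down, in practice, to rules over access events: repeated failed connection attempts from one source, and a success that follows them. As an added example, which is not Microsoft's tooling and uses a constructed log format with constructed sample lines, the following Python correlates remote-access gateway events per source address inside a sliding time window and emits the kind of alert an operations team would expect to be paged on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed remote-access gateway log (syslog-style; not real Microsoft data).
SAMPLE_LOG = """\
2013-09-10T08:00:01Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
2013-09-10T08:00:07Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
2013-09-10T08:01:00Z rds-gw01 auth=fail src=203.0.113.5 user=ops-backup
2013-09-10T08:00:13Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
2013-09-10T08:00:19Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
this line is malformed and must be skipped by the parser
2013-09-10T08:00:25Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
2013-09-10T08:00:31Z rds-gw01 auth=fail src=198.51.100.7 user=ops-admin
2013-09-10T08:00:40Z rds-gw01 auth=ok src=198.51.100.7 user=ops-admin
2013-09-10T08:01:30Z rds-gw01 auth=fail src=203.0.113.5 user=ops-backup
2013-09-10T08:02:00Z rds-gw01 auth=ok src=192.0.2.9 user=ops-oncall
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"auth=(?P<result>ok|fail) src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_line(line):
    """Parse one gateway log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation per source address.

    Rule 1 (medium): `threshold` failures from one source inside `window`.
    Rule 2 (high):   a successful logon from a source that already has
                     `threshold` or more failures inside `window`.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # logs may arrive out of order
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if ev["result"] == "fail":
            recent.append(ev["ts"])
            if len(recent) == threshold:                   # fire once per burst
                alerts.append({"severity": "medium", "rule": "repeated-failures",
                               "src": ev["src"], "count": len(recent), "at": ev["ts"]})
        else:
            if len(recent) >= threshold:
                alerts.append({"severity": "high", "rule": "success-after-failures",
                               "src": ev["src"], "user": ev["user"],
                               "count": len(recent), "at": ev["ts"]})
            recent.clear()   # a successful logon ends the burst
    return alerts


def analyze(log_text, **kwargs):
    """Parse a block of log text and return the correlated alerts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return correlate(events, **kwargs)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Two details matter for a real deployment of this logic: events are sorted before correlation because collectors deliver them out of order, and the high-severity rule keys on a success that follows the burst, since that is the event that needs a human to confirm whether the logon was legitimate.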


Security standards for operating systems to help protect the Microsoft Dynamics CRM

Online service from attack by malicious users or malicious code, including disabling

nonessential services, securing file shares to require authorization, and implementing the

Data Execution Prevention (DEP) feature. DEP is a set of hardware and software

technologies that perform additional checks on memory to help prevent malicious code

from running.

Systems management and access control using Active Directory. Active Directory

manages networks and component servers that run the Microsoft Dynamics CRM Online

service. Applications that provide the online service are designed to operate efficiently

and effectively within the Active Directory environment.

Central management of security policies. The Microsoft staff manages and enforces

security policies centrally from secured servers that are dedicated to controlling and

monitoring network-wide systems. A delegated management model enables

administrators to have only the access they need to perform specific tasks, reducing the

potential for error and allowing access to systems and functions strictly on an as-needed

basis.

New servers can be quickly and safely configured, and template-based server hardening

ensures that new capacity is brought online with security measures already in place.

Network-level security measures: These measures include features related to providing a

highly secured connection over the Internet:

Customer access to service provided over the Internet originates from users’ Internet-

enabled locations and ends at a Microsoft data center. These connections established

between customers and Microsoft data centers are encrypted using industry-standard

Transport Layer Security (TLS)/Secure Sockets Layer (SSL), which effectively

establishes a highly secure browser-to-server connection to help provide data

confidentiality and integrity between the desktop and data center.

A redundant network provides full failover capability and helps ensure 99.9 percent

network availability.

All remote connections by Microsoft operations personnel must be made via Remote

Desktop Service and two-factor authentication.

Identity and access management: Access to the systems hosting the Microsoft Dynamics

CRM Online service is controlled through the following methods:

Staff-level access control: Data center staff’s access to the IT systems that store

customer data is strictly controlled. Access control follows the principles of

separation of duties and least privilege.

Proactive host security: Microsoft Dynamics CRM Online security is enhanced by

proactively securing the host system.

Server hardening by disabling unnecessary services

Logging and auditing

Restricted access to service:

Content inspection

Hardened servers

Sessions better protected by SSL/TLS


Mobile device access depends on wireless capability or mobile network availability.

Federated identity and single sign-on: With on-premises Active Directory, administrators

can use single sign-on for Microsoft Dynamics CRM Online service authentication. To

achieve this, administrators can configure on-premises Active Directory Federation

Services—a Windows Server service—to federate with the Office 365 services federation

gateway. After Active Directory Federation Services is configured, all Microsoft Dynamics

CRM Online users whose identities are based on the federated domain can use their existing

corporate logon to automatically authenticate to Microsoft Dynamics CRM Online.

For more information, see the Office 365 Identity Service Description, which is one of the

Office 365 for Enterprise Service Descriptions.

Delivering reliable service

To ensure the reliability of the Microsoft Dynamics CRM Online service, Microsoft focuses on

effective deployment, administration, and maintenance.

Operations management and service deployment: Operations is a key component of the

Microsoft Dynamics CRM Online service and is central to overall security and availability.

Operations management practices for Microsoft Dynamics CRM Online (for example, change

management, incident and problem management) are based upon industry-standard

principles of the Information Technology Infrastructure Library (ITIL). Microsoft has added the

Microsoft Operations Framework (MOF)—a standardized implementation of ITIL

recommendations—which provides an integrated set of best practices, principles, and

activities that help organizations achieve reliability for their IT solutions and service.

Microsoft Dynamics CRM Online maintains a dedicated security organization that is focused

on constant security vigilance, with a staff that follows the principles defined in MOF. The

security team adheres to the following functions defined by ITIL and applies them to the

operation of the Microsoft Dynamics CRM Online service:

Change management

Incident management

Problem management

In addition, the Microsoft Dynamics CRM Online service requires distinct hosted service

development, deployment, and operations staff to adhere to the principle of segregation of

duty. This includes controlling access to the source code, build servers, and production

environment. For example:

Access to the Microsoft Dynamics CRM Online service production environment is

restricted to operations personnel. Development and test teams may be granted

temporary access to help troubleshoot issues.

Access to the Microsoft Dynamics CRM Online service source code control is restricted

to development personnel; operations personnel cannot change source code.


Monitoring and risk reduction: Microsoft makes significant investments in developing tools

and services for monitoring Microsoft Dynamics CRM Online and its environment.

Microsoft System Center Operations Manager: Servers within the Microsoft Dynamics

CRM Online service environment are configured to maximize the reporting of security

events from the operating system and applications. The Microsoft Dynamics CRM Online

service operations team uses the latest technology and optimized processes to harvest,

correlate, and analyze information as it is received. System Center Operations Manager

is an end-to-end service management environment that integrates with platform and

service hardware and software to provide continuous health monitoring. System Center

Operations Manager management packs provide internal transaction monitoring,

capabilities for looking at service threshold models, and CPU utilization analysis that is

tailored to the Microsoft Dynamics CRM Online service applications. In addition, custom

management packs are layered above the Microsoft Dynamics CRM Online platform to

provide operations staff with very specific information that helps identify trends and

predict behavior that may require proactive intervention.

Integrated infrastructure and web performance monitoring: System Center Operations

Manager data is combined with feeds from additional specialized tools and service to

capture, aggregate, and analyze the network that operates Microsoft Dynamics CRM

Online service as well as the behavior of key sites on the Internet. For example, if

connectivity begins to degrade, staff can identify whether the problem is internal to the

Microsoft Dynamics CRM Online service or caused by conditions on the Internet that may

represent a risk to Microsoft Dynamics CRM Online customers.

Hardware and software subsystems monitoring: Proactive monitoring continuously

measures the performance of key subsystems of the Microsoft Dynamics CRM Online

service platform against the established boundaries for acceptable service performance

and availability. When a threshold is reached or an irregular event occurs, the monitoring

system generates warnings so that operations staff can address the threshold or event.
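Threshold monitoring as described here has two parts: a fixed boundary per metric, and detection of irregular events relative to the subsystem's own recent behaviour. The following Python is an added example and is not Microsoft's System Center tooling or configuration; it implements both checks over constructed samples, and the metric names, thresholds and baseline length are assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed boundaries for acceptable performance; real values are set per subsystem.
THRESHOLDS = {"cpu_percent": 85.0, "db_latency_ms": 250.0}


def evaluate(samples, thresholds=THRESHOLDS, baseline=10, sigma=3.0):
    """Walk time-ordered (t, subsystem, metric, value) samples and return warnings.

    Two kinds of warning are raised:
      "threshold" - the value crosses the fixed boundary for its metric;
      "irregular" - the value deviates from the subsystem's own recent baseline
                    (last `baseline` samples) by more than `sigma` standard deviations.
    """
    history = defaultdict(list)
    warnings = []
    for t, subsystem, metric, value in sorted(samples, key=lambda s: s[0]):
        limit = thresholds.get(metric)
        if limit is not None and value > limit:
            warnings.append({"t": t, "subsystem": subsystem, "metric": metric,
                             "value": value, "kind": "threshold", "reference": limit})
        recent = history[(subsystem, metric)]
        if len(recent) >= baseline:
            mu = mean(recent)
            # Floor the spread at 2% of the mean so a perfectly flat baseline
            # does not turn every tiny fluctuation into an "irregular event".
            sd = max(pstdev(recent), 0.02 * abs(mu))
            if abs(value - mu) > sigma * sd:
                warnings.append({"t": t, "subsystem": subsystem, "metric": metric,
                                 "value": value, "kind": "irregular",
                                 "reference": round(mu, 2)})
        recent.append(value)
        del recent[:-baseline]          # keep only the last `baseline` samples
    return warnings


# Constructed samples: a web front end whose CPU crosses the fixed boundary,
# and a database whose latency first jumps (irregular) and then breaches the boundary.
SAMPLES = [(0, "web-frontend", "cpu_percent", 70.0),
           (1, "web-frontend", "cpu_percent", 72.0),
           (2, "web-frontend", "cpu_percent", 91.0)]
SAMPLES += [(10 + i, "sql-primary", "db_latency_ms", v)
            for i, v in enumerate([38, 41, 40, 42, 39, 40, 41, 39, 40, 41, 120, 300])]


def run_sample():
    """Evaluate the constructed samples; used by the demo below."""
    return evaluate(SAMPLES)


if __name__ == "__main__":
    for w in run_sample():
        print(w)
```

The latency jump to 120 ms is the interesting case: it is well inside the fixed boundary of 250 ms and would pass a threshold-only monitor, yet it is the early signal that lets operations staff intervene before the boundary is breached.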

Microsoft Dynamics CRM Online service continuity

Service continuity management focuses on the ability to restore service for Microsoft Dynamics

CRM Online customers in a predetermined timeframe during a critical service outage. Achieving

restored service requires preparation, planning, technical implementation, exercises that simulate

outages, and execution at the time of an incident.

This section describes the common approach to service continuity management that is taken by

Microsoft Dynamics CRM Online. It also explains how Microsoft Dynamics CRM Online ensures

data availability and service reliability to customers. This section also explains how service

continuity capabilities developed by Microsoft are integrated into the design of the Microsoft

Dynamics CRM Online service.


Service continuity management

Microsoft Dynamics CRM Online is delivered by highly resilient systems that help to ensure high

levels of service. Microsoft Dynamics CRM Online capitalizes on the experience that Microsoft

has in hosting services as well as close ties to Microsoft product groups and support service to

create a service that meets the high standards that customers demand.

Part of the Microsoft Dynamics CRM Online system design, service continuity provisions enable

Microsoft Dynamics CRM Online to recover quickly from unexpected events such as hardware or

application failure, data corruption, or other incidents that affect users. These service continuity

solutions also apply during catastrophic outages (for example, natural disasters or a fire within a

Microsoft data center that renders the entire data center inoperable).

Incident classification

Service outages may be caused by hardware or software failure in the Microsoft data center, a

faulty network connection between the customer and Microsoft, or a major data center challenge

such as fire, flood, or regional catastrophe. Most service outage incidents can be addressed

using Microsoft technology and process solutions and are resolved within a short time. However,

some incidents are more serious and can lead to long-term outages.

To classify outage incidents as minor, critical, or catastrophic events based on their impact to

customers, Microsoft Dynamics CRM Online uses the Service Interruption Scale, which is shown

in the following graphic:


Catastrophic outages and declarations of disaster

Microsoft Dynamics CRM Online analyzes each incident that affects service availability to

determine scope and possible solutions. Outages that cause customer work to stop may be

considered catastrophic outages. In addition, outages that are classified as a critical or

catastrophic event based on the Service Interruption Scale may be declared disasters.

Declaration of a disaster does not automatically result in failover of a customer’s

redundant secondary site.

The Service health dashboard

Customers using the Microsoft online services portal to manage their Microsoft Dynamics CRM

Online deployments are notified of service interruptions via the Service health dashboard,

which is shown in the following graphic:

When an outage is declared a disaster, regular customer notifications are provided through the

Service health dashboard (for customers managing their Microsoft Dynamics CRM Online

subscription through the Microsoft online services portal) until a solution is found.

Responsibilities during a service outage

During a system outage, Microsoft’s responsibilities include:

Providing contact information in the form of a single email group alias and phone number so

that the customer can engage appropriate personnel at the time of an event to review current

status of the outage, disaster declaration criteria, and approval or disapproval of failing over

to the secondary site.

Incorporating feedback from the customer to decide whether to fail over to the customer’s

secondary site.

Ensuring data availability

Microsoft ensures customer data is available whenever it is needed, with the help of the following

features of Microsoft Dynamics CRM Online service.


Data storage and redundancy

Customers’ data is stored in a redundant environment with robust backup, restore, and failover

capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data

redundancy are implemented, ranging from redundant disks to guard against local disk failure to

continuous, full data replication to a geographically diverse data center. As an additional

safeguard, Microsoft performs daily back-ups to a secure, offsite location.

Data monitoring and maintenance

Along with the safeguards in place against data loss, Microsoft Dynamics CRM Online

service policies help to maintain data performance levels.

Monitoring databases: Databases are regularly checked for blocked processes and long-

running queries.

Preventative maintenance: Maintenance includes refreshing indexes, reviewing error logs,

and monitoring storage capacity levels.

Dedicated support

The Microsoft Dynamics CRM Online development and operations teams are complemented by a

dedicated Microsoft Dynamics CRM Online support organization, which plays an important role in

providing customers with business continuity. Support staff has a deep knowledge of the service

and its associated applications as well as direct access to Microsoft experts in architecture,

development, and testing.

The support organization closely aligns with operations and product development, offers fast

resolution times, and provides a channel for customers’ voices to be heard. Feedback from

customers provides input to the planning, development, and operations processes.

Online issue tracking: Customers need to know that their issues are being addressed, and

they need to be able to track timely resolution. For customers using the Microsoft online

services portal to manage their Microsoft Dynamics CRM Online deployments, the portal

serves as a single web-based interface for support. Customers can use the portal to add and

monitor service requests and receive feedback from Microsoft support teams.

Customers not using the Microsoft online services portal can track and follow their

issues via the CRM Customer Center link for support access.

Self-help, backed by continuous staff support: Microsoft Dynamics CRM Online offers a

wide range of self-help resources and tools that can help customers to resolve service-

related issues without requiring Microsoft support. Before customers enter service requests,

they can access knowledge base articles and FAQs that provide immediate help with the

most common problems. These resources are continually updated with the latest information,

which helps avoid delays by providing solutions to known issues. However, when an issue

arises that needs the help of a support professional, staff members are available through

online communication to cover most situations and by telephone for mission critical needs.


Microsoft Dynamics CRM Online compliance

Microsoft has designed security, data protection, reliability, and privacy of the Microsoft Dynamics

CRM Online service around high industry standards. Microsoft Dynamics CRM Online and the

infrastructure on which it relies (Microsoft Global Foundation Services) employ security

frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of

standards and are ISO 27001 certified by independent auditors. Our ISO 27001 certifications

enable customers to evaluate how Microsoft meets or exceeds the standards and implementation

guidance against which we are certified.

BSI auditing professionals are bound by professional ethics to provide an unbiased, third-party

analysis of Microsoft Dynamics CRM Online compliance. To make this evaluation, they observe

routine operations, interview relevant personnel, and review documentation in each of the areas

covered in the Statement of Applicability (SOA). ISO 27001 defines how to implement, monitor,

maintain, and continually improve the Information Security Management System (ISMS). In

addition, both the service and the infrastructure undergo yearly audits resulting in SOC 1 type II

reports (SSAE16).

The Microsoft Online Service Information Security Policy, which is applicable to Microsoft Dynamics CRM Online, aligns with International Organization for Standardization (ISO) 27002, augmented with requirements that are specific to online services. The ISO 27001 certification that Microsoft has received is supplemented by ISO 27002, which provides a suggested set of suitable controls.

Microsoft Dynamics CRM Online customers can review the ISO standard and published Microsoft service documentation to determine whether their security requirements are satisfied. Microsoft Dynamics CRM Online features enhanced security for most types of data and jurisdictions.

For more information, see the white paper Standard Response to Request for Information – Security and Privacy.

However, customers must evaluate sensitive data, or data that must be held to a certain level of security or under applicable regulations, for use through the service offering. In some instances, the data may require a specific security requirement that Microsoft does not provide.

Note

Please note that the Microsoft Dynamics CRM Online ISO 27001 certified security framework ("Security Framework") does not extend to or cover online services or software provided by Microsoft or other third parties that connect to Microsoft Dynamics CRM Online. Subject to your direct control, Microsoft Dynamics CRM Online connects to other Microsoft software or services and third-party services whose privacy and security practices differ from those of Microsoft Dynamics CRM Online. These additional services and software include but are not limited to Microsoft Dynamics CRM Online for supported devices (for example, tablets and smartphones), Microsoft Dynamics CRM Email Router, Microsoft Dynamics CRM Resource Center, Microsoft Office, Office 365, Yammer Enterprise, Bing Maps, Skype, Outlook.com, Microsoft Dynamics CRM Activity Feeds/Mobile Express, Marketing Pilot, and Microsoft Dynamics Marketing. Connecting Microsoft Dynamics CRM Online to these online services will enable certain data to be shared outside the scope of the Security Framework. Different use and privacy policies apply to data shared with and received by these software and online services. We encourage you to review these other use and privacy policies.

Support for leading industry certifications

Microsoft was first certified for Safe Harbor in 2001, and the LCA Regulatory Affairs team recertifies compliance with the Safe Harbor Principles every 12 months.

In addition to EU Member States, members of the European Economic Area (Iceland, Norway, and Liechtenstein) also recognize Safe Harbor members as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (Swiss-U.S. Safe Harbor) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified.

Several other countries, such as Canada and Argentina, have passed comprehensive privacy laws, and the EU has cleared them for data transfer from the EU to those countries.

EU Model Clauses*. In addition to EU Safe Harbor, Microsoft Dynamics CRM Online is willing to sign the standard contractual clauses created by the European Union (called the "EU Model Clauses"), which address international transfer of data. The EU Model Clauses are standardized contractual terms approved by the European Commission that allow for the transfer of personal data out of the EU. They include additional security and notice requirements that a service is willing to contractually commit to in order to support customers. When included in service agreements with data processors, the Model Clauses assure customers that appropriate steps have been taken to help safeguard personal data, even if data is stored in a cloud-based service center located outside the European Economic Area. Committing to operate under the Model Clauses creates additional operational requirements for Microsoft, which Microsoft has met by building exacting processes to comply with these requirements.

HIPAA/HITECH Business Associate Agreement*. Microsoft Dynamics CRM Online is also willing to sign a Health Insurance Portability and Accountability Act of 1996 (HIPAA)/Health Information Technology for Economic and Clinical Health Act (HITECH) Business Associate Agreement with all customers. HIPAA/HITECH are U.S. laws that govern the security and privacy of personally identifiable health information stored or processed electronically. This information is referred to as electronic protected health information (ePHI). HIPAA refers to healthcare providers, payors, and clearinghouses that use or process ePHI as covered entities. Under HIPAA/HITECH, covered entities must implement mandated physical, technical, and administrative safeguards to protect ePHI. Certain service providers that store or process ePHI on behalf of covered entities are called business associates. Covered entities must ensure that their business associates implement similar security and privacy safeguards. In most circumstances, for a covered healthcare company to use a service such as Microsoft Dynamics CRM Online, in which ePHI could be stored or processed, the service provider will be a business associate and must agree in writing to implement the required safeguards set out in HIPAA/HITECH. This written agreement is known as a Business Associate Agreement (BAA).

Data Processing Agreement*. Article 17 of the EU Data Protection Directive (Directive 95/46/EC of the European Parliament) requires data controllers (typically customers loading data onto an online service) to have a written agreement with data processors obligating the data processor to follow the instructions of the data controller and to provide sufficient security measures to protect the data being processed. These are called Data Processing Agreements ("DPA"). Some EU member states require additional terms in DPAs beyond the baseline requirements of the EU Data Protection Directive. Microsoft offers customers a comprehensive standard Data Processing Agreement that addresses privacy, security, and handling of Customer Data. Our standard Data Processing Agreement enables customers to comply with their local privacy regulatory requirements.

*Applicable to Microsoft Dynamics CRM Online customers who manage their Online Services through the Microsoft online services environment.

For additional detail about Microsoft Dynamics CRM Online support for leading industry certifications, see the Microsoft Dynamics CRM Online Service Trust Center.

The Gramm-Leach-Bliley Act (GLBA) sets minimum security and privacy requirements for financial institutions in the United States. Software or a service alone cannot claim to be "GLBA compliant", because GLBA compliance also requires procedures and policies. Two of the principal regulations under GLBA that affect the Microsoft Dynamics CRM Online service are:

1. Financial Privacy Rule: Governs the collection and disclosure of customers' personal financial information by financial institutions.

2. Safeguards Rule: Requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.

Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One Payment Card Industry (PCI) compliant, and customers can use credit cards to pay for the service with confidence. An independent third party audits and determines whether the commerce platform that supports Microsoft Dynamics CRM Online has satisfactorily met the Payment Card Industry Data Security Standard (PCI DSS) version 1.2.

The Microsoft Dynamics CRM Online service is not suitable for processing, transmitting, or storing PCI-governed data. PCI DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions via credit and debit cards are required to have a degree of compliance with the PCI standard.

There is confusion in the marketplace around the impact of PCI DSS; many customers state that all data within their organizations requires PCI certification and compliance, and that the online service must also demonstrate compliance. While Microsoft does need to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Microsoft Dynamics CRM Online service to transmit or store PAN data for their own use.

Important

PCI compliance applies only if a Primary Account Number (PAN) is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage. In addition, reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the transmission of PAN data to the online environment. To integrate transaction information, customers may choose to use a PCI validated payment gateway service, which stores and processes the PAN data.
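The customer-side policy described above can be enforced before a record ever leaves the customer's own systems. The following is an added example and is not Microsoft's code or part of this guide: a pre-submission screen that flags Luhn-valid 13 to 19 digit numbers in record fields and either blocks the submission or keeps only the last four digits; the record layout, field names and sample values are constructed for illustration.

```python
from __future__ import annotations
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return PAN-like substrings of text (13-19 digits, Luhn-valid)."""
    return [m.group(0) for m in _CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]


def screen_record(record: dict[str, str], mode: str = "block"):
    """Screen every field of a record before it is sent to the CRM service.

    mode="block": raise ValueError as soon as a field holds a PAN.
    mode="redact": keep only the last four digits ("**** 1111").
    Returns (possibly redacted record, list of (field, last4) findings).
    """
    findings, clean = [], {}
    for field, value in record.items():
        for pan in find_pans(value):
            last4 = re.sub(r"[ -]", "", pan)[-4:]
            if mode == "block":
                raise ValueError(f"PAN ending {last4} in field {field!r}; not sent")
            findings.append((field, last4))
            value = value.replace(pan, "**** " + last4)
        clean[field] = value
    return clean, findings


# Constructed sample record (not real data): a support case whose description
# contains a card number pasted by the customer. The 13-digit order number in
# the title is not Luhn-valid and must not be flagged.
SAMPLE_CASE = {
    "title": "Refund request for order 1234567890123",
    "description": "Please refund card 4111 1111 1111 1111, expiry 09/15.",
    "phone": "425-555-0100",
}
```

Run the screen in "block" mode in a submission pipeline to stop the record outright, or in "redact" mode when the last four digits are all that a CRM record legitimately needs.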

Note

With the Microsoft Dynamics CRM December 2012 Service Update, the Microsoft Dynamics CRM Online service now operates in a FIPS 140-2 compliant manner.

Appendix A: Additional resources

For additional information related to Microsoft Dynamics CRM Online security and service continuity, see the following resources.

Microsoft Dynamics CRM Online

Microsoft Dynamics CRM Online Product Fact Sheet

Microsoft Dynamics CRM Online Service Agreement

Microsoft Dynamics CRM Online Service Level Agreement

Support for Dynamics CRM Online

Microsoft Dynamics CRM Online Customer Center

Microsoft Dynamics CRM Online Service Description

Microsoft Dynamics CRM Online security and service continuity guide

Microsoft Dynamics CRM Online security and compliance planning guide

Deployment and Administration Guide for Microsoft Dynamics CRM Online

Security and operations

Microsoft® System Center Operations Manager 2007

System Center Operations Manager 2007 R2 SDK

The Security Model of Microsoft Dynamics CRM

The Trustworthy Computing Security Development Lifecycle

Microsoft Safety & Security Center

Appendix B: Accessibility for Microsoft Dynamics CRM

Administrators and users who have administrative responsibilities typically use the Settings area of the Microsoft Dynamics CRM Web application to manage Microsoft Dynamics CRM. A mouse and keyboard are the typical devices that administrators use to interact with the application.

Important

Users who don't use a mouse can use a keyboard to navigate the user interface and complete actions. The ability to use the keyboard in this way is a result of support for keyboard interactions that a browser provides.

For more information, see the following Microsoft Dynamics CRM Web application accessibility topics:

Keyboard shortcuts

Accessibility for people with disabilities

Administrators and users who have administrative responsibilities for on-premises deployments of Microsoft Dynamics CRM 2013 also use Microsoft Dynamics CRM Deployment Manager, a Microsoft Management Console (MMC) application, to manage on-premises deployments of Microsoft Dynamics CRM Server 2013.

For more information, see the following Microsoft Management Console (MMC) accessibility topics:

Navigation in MMC Using the Keyboard and Mouse

MMC Keyboard Shortcuts

Accessibility features in browsers

Browser            Documentation
Internet Explorer  Microsoft Accessibility; Language Support and Accessibility Features
Mozilla Firefox    Accessibility features in Firefox
Apple Safari       Safari
Google Chrome      Accessibility Technical Documentation

For additional information, see the Microsoft Accessibility Resource Center.

Feedback

We appreciate hearing from you. To send your feedback, click the link below and type your comments in the message body.

Note

The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback.

Send feedback