
Customer relationship management: risks and controls; Built to better serve customers and increase sales, CRM database systems need specific controls to mitigate the associated risks

Internal Auditor, Dec, 2004 by George R. Aldhizer, III, James D. Cashell

* Demilitarized zones (DMZ) -- A DMZ, which is a separate network between the Internet and the organization's internal network, can further reduce the risk that vendors and other closely related business partners may obtain unauthorized access to intellectual property. This zone is protected on both sides by separate firewalls. It includes frequently requested information that can be accessed by customers and other external parties without penetrating the internal network.

* Passwords and smart cards -- Organizations ideally should require all employees to use at least 15-character phrases as their primary passwords, because state-of-the-art cracking tools can effectively decode traditional eight-character alphanumeric passwords within a few minutes. Organizational policies should require these passwords to be changed frequently (e.g., monthly or quarterly). This policy should be monitored closely as recent studies indicate that approximately one-third of all employee passwords are rarely or never changed.

Organizations also should instruct employees never to give out their passwords, even if the requester claims to be a help-desk employee, their supervisor, or an organizational executive. Recent studies indicate that approximately 70 percent of untrained employees will give out their passwords to potential computer crackers and disgruntled employees posing as one of these individuals. Organizations also should educate employees never to store their current passwords on pieces of paper in their desk drawers or in unencrypted documents. Finally, the master file of employee passwords should be stored securely.

As an alternative to traditional password technology, smart cards or tokens may be used. Smart cards are an example of a two-factor authentication device because they require not only a password, but also the physical presence of the smart card inserted into a reader that fits into a floppy drive or an external device that plugs into a serial port. Smart cards also are an extension of traditional alphanumeric password technology because they automatically change a user's password every time he or she logs onto the network. Thus, even if a disgruntled employee or computer cracker obtains access to another employee's password, its usefulness is limited to the instant they obtain it. Additionally, smart cards can be tagged so that global positioning technology can be used to identify the location where the individual is using the password.

* Encrypted data -- Sensitive data, such as customer credit card numbers, passwords, new product designs, and chemical formulas, should always be encrypted while in transit between networks. An ideal method is to use public-private key pairs. Using 128-bit Secure Sockets Layer (SSL) encryption helps minimize the risk that computer crackers or disgruntled employees who intercept sensitive data will be able to decrypt it. Also, sensitive DMS information should always be stored in an encrypted format.

* Remote access controls -- Telecommuting employees' PCs should use personal firewall software, cutting-edge password technology, and encryption to reduce the risk that crackers can steal sensitive organizational information stored on their hard drives. Additionally, if the Internet is used as the primary network to connect remote users, control can be enhanced by using a virtual private network (VPN) in combination with employee authentication techniques (e.g., cutting-edge password technology) when transmitting data from telecommuting employees' PCs to an organization's central database. VPNs create a "virtually private" encrypted tunnel from a remote PC through the Internet to an organizational database. The use of VPNs is rapidly growing in popularity.
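The password-policy monitoring recommended above (15-character minimum, frequent rotation, watching for accounts whose passwords are never changed) is the kind of check an internal auditor can script. The following is an added example, not code from the article or its authors; the 90-day age bound is an assumed concrete reading of "quarterly", and the account records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Policy values from the article: passphrases of at least 15 characters,
# rotated monthly or quarterly. 90 days is an assumed bound for "quarterly".
MIN_PASSPHRASE_LENGTH = 15
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    user: str
    passphrase_length: int        # length only; the audit never sees the secret
    created: date
    last_changed: Optional[date]  # None = never changed since the account was created


def audit_accounts(accounts: List[Account], today: date) -> Tuple[List[Tuple[str, str]], float]:
    """Return per-account findings and the fraction of accounts whose password
    has never been changed (the figure the article says to monitor closely)."""
    findings = []
    never_changed = 0
    for acct in accounts:
        if acct.passphrase_length < MIN_PASSPHRASE_LENGTH:
            findings.append((acct.user, "too_short"))
        if acct.last_changed is None:
            never_changed += 1
        # Age is measured from the last change, or from creation if never changed.
        age_days = (today - (acct.last_changed or acct.created)).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user, "stale"))
    fraction = never_changed / len(accounts) if accounts else 0.0
    return findings, fraction


# Constructed sample records (not real users) as of an assumed audit date.
AUDIT_DATE = date(2004, 12, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", 22, date(2003, 1, 10), date(2004, 11, 1)),  # compliant
    Account("bob", 8, date(2003, 6, 1), None),                   # too short, never changed
    Account("carol", 18, date(2002, 3, 5), date(2004, 5, 15)),   # long enough but stale
]


def sample_audit():
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    findings, fraction = sample_audit()
    for user, issue in findings:
        print(f"{user}: {issue}")
    print(f"never changed: {fraction:.0%}")
```

The audit consumes only password lengths and change dates exported from the directory, so the master password file itself never has to be read by the script.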

Content provided in partnership with Thompson Gale