Microsoft has today announced that its cloud-based customer relationship management (CRM) platform, Dynamics CRM Online, has been awarded Impact Level 2 (IL2) accreditation. The announcement further expands Microsoft’s range of IL2 accredited offerings on the government’s G-Cloud Framework and CloudStore, which includes Microsoft Office 365 and Windows Azure. The IL2 rating will benefit a broad range of UK public sector organisations, including local and regional government, NHS trusts and central government bodies, who require ‘protect’ level of security for data processing, storage and transmission. With this in mind, are you thinking of moving your CRM to the cloud? Don’t forget to check out vendors’ approach to security with our eight-point combination checklist. If you’re going to put your customer data into the cloud, you need to do it with a company you can trust. With many CRM vendors competing for your business, it’s easy to focus on features but the way they handle your critical business information is an essential selection criteria. Here is a checklist of issues you should discuss with potential vendors. Data ring-fencing Is your data isolated from other company’s data? Does it reside in a separate database? Or is it co-mingled with other people’s data? Keeping data in separate databases adds an extra layer to an application’s multi-layered defences. Data portability Can you get your data back whenever you want? Are there data migration tools that simplify exporting your data to other systems (or, indeed, importing it from your existing CRM application)? One of the attractions of cloud services is their flexibility and you want to be sure that your data isn’t going to be held to ransom. On-premise, off-premise Is there the option to migrate to an on-premise or hosted version of the CRM application? Sometimes your needs change and there are some situations where the cloud isn’t the best place for your CRM application. In this case, you want the ability to run the application on dedicated hardware. European hosting Recent controversies about US government agencies snooping on people’s email underline the importance of data sovereignty. Where will your data be stored physically? Under what legal jurisdiction? Where is the physical data centre? And the backup and failover data centres? This helps you to comply with regulatory requirements and, in turn, reassure your customers and stakeholders. EU Model Clauses Many cloud vendors rely on EU Safe Harbor clauses to comply with EU regulations about international data transfer. Does yours? Do they go further and offer the additional reassurance and higher standards of EU Model Clauses? Third-party certification What evidence does the CRM vendor give for meeting high standards of security? Look for third-party validation such as the ISO 27001 standard for information security management and the SSAE 16/ISAE 3402 that talks to the effectiveness of security controls. These kinds of validations are objectively verified by third parties, such as international accountancy firms. Best practices for security How does the vendor talk about its own security practices and physical security? Look for an intelligent and detailed discussion about the company’s track record, resources, strategy, access controls and multi-layered security. Financially backed service level agreements Availability is important if you’re relying on a cloud-hosted system. It is also a good indicator of the vendor’s approach to its operations. Do they offer service level agreements that specify their commitment to availability? Are those SLAs backed by financial guarantees – in other words, do they put their money where their mouth is? To find out more about IL2 accreditation for Dynamics CRM Online and how this significant development in the product will enable a secure cloud based CRM solution, visit the Microsoft Cloud Store here. Microsoft takes these issues very seriously. For more information about Microsoft’s approach to privacy, security and compliance practices visit: http://crm.dynamics.com/en-gb/trust-center.