Risk Assessment Methodology for Privacy and Security of Customer Relationship Management Systems

Author: Adam Kwiatkowski

Kwiatkowski, Adam, 2017 Risk Assessment Methodology for Privacy and Security of Customer Relationship Management Systems, Flinders University, College of Science and Engineering

Terms of Use: This electronic version is (or will be) made publicly available by Flinders University in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. You may use this material for uses permitted under the Copyright Act 1968. If you are the owner of any included third party copyright material and/or you believe that any material has been made available without permission of the copyright owner please contact copyright@flinders.edu.au with the details.


The purpose of a customer relationship management (CRM) system is to provide a benefit (for example, generating a profit) to the organisations that use it through the integration of networks, people, purpose, and process. The literature review identified that currently there is no CRM-specific security and assessment methodology. Existing CRM models do not visibly and proactively manage privacy and security risks in a way that facilitates automated compliance with ISO27001. The research evaluated ISO27001 as a possible Information Security Management System (ISMS) for CRMs, given that ISO27001 can be applied to any organisation, technology and CRM. The proposed CRM model addresses the limitations of the existing CRM models and incorporates ISO27001's principle of Plan-Do-Act-Check (PDAC) as a mechanism towards achieving automated compliance. The compliance layer within the proposed CRM model introduces the proposed risk management methodology. The methodology implements static and dynamic security and privacy controls that collectively work to reduce the likelihood of a hazard occurring. This maintains the confidentiality, integrity, and availability of personal information within the CRM. Data mining was used to enhance the model's performance. The proposed CRM model and the proposed risk management methodology are evaluated for effectiveness, strengths, and limitations. Three types of tests were performed against the proposed risk assessment model, to determine how effectively the model performed and how well it can facilitate the automation of ISO27001. The proposed risk assessment methodology enabled the privacy and security outcomes to be better aligned with the purpose of a CRM.

Keywords: crm, customer relationship management, security, ISO27001, ISO31000, australian privacy principles, machine learning, plan-do-act-check, risk management, crm assessment methodology, automated security, CIA, CIAA, confidentiality, integrity, availability, bow tie, contact relationship management

Subject: Computer Science thesis

Thesis type: Masters
Completed: 2017
School: College of Science and Engineering
Supervisor: Trent Lewis