Critical Privacy Questions to Ask an HCM/CRM SaaS Provider
Research
Publication Date: 31 July 2009
ID Number: G

Carsten Casper, Thomas Otter, Arabella Hallawell

The vast majority (probably greater than 90%) of personal data in most organizations is processed by human capital management (HCM) and customer relationship management (CRM) software. Such software is increasingly delivered via the software-as-a-service (SaaS) model. The processing of personal data is crucial for these applications, making privacy controls extremely important, and a long series of security breaches involving the loss of huge amounts of personal data has increased public awareness of privacy concerns. Enterprises using SaaS HCM or CRM must include privacy requirements, including some that do not apply to traditional software delivery, in all provider evaluations.

Key Findings

- Although there is a common perception that using SaaS creates new privacy risks, one should not forget that privacy requirements for SaaS providers are largely the same as those for traditional software delivery (for example, masking of test data, encryption and monitoring of access).
- SaaS-based delivery of HCM and CRM applications may make it necessary to implement additional privacy controls (for example, separation by country and contractual controls).
- Best practices for SaaS providers require encryption, access monitoring, and security and privacy audits, but most SaaS providers do not yet use the capabilities of data loss prevention (DLP) tools.
- There are also differences between major providers and many much smaller vendors that often have fewer than 50 employees and are not strong on data privacy.

Recommendations

- Request that SaaS providers of HCM and CRM applications perform log monitoring (especially for privileged users), encrypt data transmissions over public networks and conduct privacy audits.
- If your enterprise operates across international borders, ask your SaaS provider to segregate or tag customer data and employee data from different countries (for example, within the database schema, or via fine-grained access control at the application layer).
- If your provider processes personal data in a country other than yours, ensure that legal controls are in place to protect this data. For example, ask your provider to sign the European Union's (EU's) standard contractual clauses for privacy, or ask for certification under the U.S. Department of Commerce's Safe Harbor program, if possible.
- Use the questions outlined in this research when evaluating potential providers.

Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

TABLE OF CONTENTS

Analysis
  SaaS Providers and Privacy Considerations
  Regional Privacy Issues
    Personal Data in the U.S. and Europe
    Cross-Border Data Transfers
    The U.S. Patriot Act
    Geographical Isolation of Personal Data
  Operational Aspects of Privacy
    Data Masking
    Locating Personal Data
    Segregation of Client Data
    Monitoring of Access to Personal Data
    Encryption and DLP
    Vulnerability Scans and Security and Privacy Audits
  Privacy Questions to Ask an HCM/CRM SaaS Provider
Recommended Reading

LIST OF TABLES

Table 1. Privacy Questions to Ask and Answers to Expect From Your HCM/CRM SaaS Provider

ANALYSIS

1.0 SaaS Providers and Privacy Considerations

Today, privacy requirements are more important for HCM and CRM applications than five years ago, when security, performance, uptime and functionality were the dominant requirements. Nowadays, with the big HCM/CRM players and many of the smaller ones, the technical security of the vendor is often better than the buyer's, and performance and uptime seem to be good enough for most clients. The issues that matter more to buyers now are integration and legal compliance, and privacy has risen to be one of the few remaining "showstoppers" for some buyers, particularly in Europe and in some specific industries, like healthcare, banking, defense and some government functions.

Gartner surveyed a number of providers that offer HCM SaaS (talent management, recruitment, workforce administration, performance management, time management and payroll) or CRM SaaS (marketing automation, customer service and support) about their privacy practices. Most SaaS providers' privacy practices are not fundamentally different from the traditional approach taken in IT infrastructure and business process outsourcing relationships. A few providers, salesforce.com among them, differentiate between SaaS privacy policy and standard website or hosting privacy policy.

A provider's privacy program may be managed by the information security organization, a chief security officer or a dedicated privacy officer, and in some cases, a governance risk and compliance department or a global quality assurance manager is in charge. This diversity in management and reporting structures reflects industry trends.

Responsibility for privacy is typically shared by the provider and the customer. Few providers are willing to state explicitly that the customer is ultimately responsible for privacy.
Providers typically assume responsibility for implementing organizational, technical and procedural privacy controls on their end, and they help to maintain and improve information security within the client enterprise and minimize its exposure to risks. However, the client is typically held accountable by regulatory authorities under the law. The details of privacy responsibilities are sometimes specified in a data controller (client) to data processor (provider) contract.

2.0 Regional Privacy Issues

2.1 Personal Data in the U.S. and Europe

SaaS can be provided from any location and can be consumed in any location, but most of the data centers used by the HCM/CRM SaaS providers consulted in the creation of this document are located in either the U.S. or the EU. However, many HCM/CRM SaaS providers do not, regrettably, make a meaningful distinction among U.S., EU and other regions' requirements. Providers typically claim that they can take a global approach to privacy and are still able to address any country-specific requirements. Clients must verify whether a specific provider can, in fact, meet national regulatory requirements for privacy (for example, whether the provider truly understands varying personal data notification requirements in different European countries, varying breach notification requirements in the U.S., and the impact that e-discovery obligations and national surveillance legislation, such as the U.S. Patriot Act and the EU Data Retention Directive, have on privacy).

2.2 Cross-Border Data Transfers

To legalize cross-border transfers of personal data, and especially for transatlantic transfers, SaaS providers use the U.S./EU Safe Harbor framework, the EU's standard contractual clauses, or both. U.S. providers are quick to point to their Safe Harbor compliance as a valuable element of their approach to privacy, despite the agreement's limited applicability (financial services, insurance and other industries are not eligible for Safe Harbor certification) and enforcement concerns expressed by privacy advocates. The Safe Harbor dispute resolution mechanism often resides in Europe (a requirement for the processing of HR data), and escalation can be done via agencies such as the U.K. Information Commissioner's Office.

HCM/CRM SaaS providers are already used to signing standard contractual clauses (for example, data-controller-to-data-processor contracts) in addition to security clauses required by clients. This is particularly relevant when the provider uses a third-party external service provider. If this is the case, then that third party must be contractually required to adhere to the SaaS provider's security and privacy practices.

For more details on transfers of personal data between countries, see "Tutorial for Navigating Privacy Legislation in Europe," especially Figure

The U.S. Patriot Act

The SaaS providers that Gartner has surveyed report that they have not yet received requests for data based on the U.S. Patriot Act. They indicate that they would evaluate such a request on a client-by-client basis, would work with both government authorities and the client, and would typically escalate the request to legal counsel. In any case, access could be granted for legal purposes only. The legal department would always be involved and would need to confirm the granting of access. One provider, MrTed, goes so far as to say that it would not disclose any data unless the client approved the request.

2.4 Geographical Isolation of Personal Data

Given the different regulatory regimes in the U.S. and in Europe, the segregation of data from different regions would be helpful. Some European providers, such as MrTed, Patersons and NorthgateArinso, can isolate personal data to a specific geography. This can be implemented with database segmentation or by restricting access to the data based on a user's geographic location. U.S. providers such as Authoria and Workday are less worried about regional separation and typically cannot isolate the hosting of personal data to a specific geography. They point to their data-handling policies, their Safe Harbor certification and to model contract clauses as protective measures. Interestingly, the U.S.-based Ultimate Software is considering opening a data center in Canada to address the needs of Canadian clients subject to that country's strict privacy requirements (which are very similar to EU requirements).

3.0 Operational Aspects of Privacy

HCM/CRM SaaS providers must address privacy concerns similar to those that affect traditional HCM/CRM software vendors. However, because the client is not in control of the application environment, the provider should be required to answer additional questions about privacy practices before any contract is signed.

3.1 Data Masking

The use of personal data for testing purposes is a significant security concern, regardless of the software delivery model. SaaS providers have found different ways of using test data (for example, deploying data masking technologies). Some have their own scrambling tools for transferring personal data to test and development environments, with all test data anonymized and held on separate servers. All access to such data is segregated by access control and is monitored and audited monthly by the compliance department. Some providers use applications that have the capability to mask fields or encrypt data values in a database. Others store unscrambled information in the database, but any data removed from the database is scrambled via a customer script. And other providers operate a production environment that is completely separate from the development and quality assurance (QA) testing environment, and do not need to use or scrub customer data for development or QA testing purposes, because they do not use real data for testing.

3.2 Locating Personal Data

Finding personal data in applications and data stores is not a problem that HCM/CRM SaaS providers address with technology. The providers Gartner has surveyed emphasize that their policies dictate where personal data is stored (typically on dedicated servers, sometimes with hard copy maintained in a separate, locked room). The location of personal data is reviewed during internal privacy assessments and audits. Providers do not currently use additional tools to find personal data that they may not be aware of.

3.3 Segregation of Client Data

Segregation of data from different clients, a key concern for all HCM/CRM SaaS providers, is addressed at the database or application layer. Some providers segregate clients within the database, use separate database schemata, or implement logical and physical database segregation. Others use different SAP environments or deploy a multitenant SaaS architecture or a multitenant data model. Moreover, some providers allow clients to further segregate control to prevent one subset of their own employees from accessing information in another client-owned location.

3.4 Monitoring of Access to Personal Data

HCM/CRM providers do not generally monitor employees' access to personal data differently from any other form of access to sensitive information. Typically, every employee logs in using a named account with a unique identifier. Authorization and application profiles determine logical access rights. Access must be appropriate, based on business needs. All access is recorded, and transaction logs are monitored, with some providers using Tripwire or intrusion detection systems to detect security breaches. Some providers (for example, Patersons) review access reports weekly, compiling them into monthly reports that are audited as part of a larger compliance monitoring effort.

3.5 Encryption and DLP

The HCM/CRM SaaS providers most commonly encrypt data on their notebook computers, and some providers also encrypt data in transit and data at rest in applications and databases. However, very few providers use DLP tools. (Ultimate Software uses DLP in the infrastructure in monitoring mode and MrTed plans some disclosure control to track transported media and verify who has received data in transported media.)

3.6 Vulnerability Scans and Security and Privacy Audits

Vulnerability scans and internal and external penetration tests (including unexpected audits and operation center intrusion tests) are quite common for HCM/CRM SaaS providers. Many allow clients to conduct audits themselves (although audits may be limited in frequency, for example, to once a year). A third-party audit (for example, a Statement on Auditing Standards [SAS] 70 Type II audit on the service every six months or an International Organization for Standardization [ISO] audit on security every year) is a more common approach, used by providers such as NorthgateArinso, Patersons, Ultimate Software and Workday. This does not necessarily mean that providers also scan their websites for privacy-related vulnerabilities or for privacy policy compliance.

Among the providers Gartner surveyed, only Authoria has received a TRUSTe privacy seal, following a dedicated privacy assessment. Others consider privacy compliance to be sufficiently enforced via third-party audits, internal audits, internal privacy impact assessments or an annual renewal of Safe Harbor certification.

Providers also conduct privacy training to varying degrees. Sometimes, it is part of new hire training; sometimes it is part of IT security training. Patersons also uses privacy training material from the U.K.'s Information Commissioners, followed by periodic refresher training.

4.0 Privacy Questions to Ask an HCM/CRM SaaS Provider

Use the questions in Table 1 to find out more about the way your HCM/CRM SaaS provider protects personal data. Compare the provider's response to the answer that you can reasonably expect.

Table 1. Privacy Questions to Ask and Answers to Expect From Your HCM/CRM SaaS Provider

Question: How do you gather privacy requirements?
Expected Answers: Providers should point to country-specific privacy legislation (and industry-specific legislation in the U.S.), in addition to client-specific requirements. A global approach to privacy ("one size fits all") is unlikely to be sufficient. They should also refer to expert legal advice.

Question: How do you monitor compliance with privacy requirements?
Expected Answers: Expect different answers, including privacy audits, privacy impact assessments, security audits, establishment of a privacy officer's position and website privacy scans. Privacy training for employees is desirable, but is not the norm.

Question: How do you monitor compliance with security requirements?
Expected Answers: In most cases, the provider will conduct vulnerability scans and penetration tests. SAS Type II certification is common, and ISO certification is increasing worldwide.

Question: Do you sign EU model contracts on privacy? Are you Safe Harbor certified?
Expected Answers: Signing these model contracts (after legal review) is standard business practice. Safe Harbor certification is a weak alternative. If the provider does none of this, the client can only accept the compliance risk (or choose another provider). See "Tutorial for Navigating Privacy Legislation in Europe" for details and seek legal advice.

Question: How do you test your applications with personal data?
Expected Answers: Various solutions exist, and what is most important is that the provider gives a plausible answer. Masking can happen in the database or when data is transferred, using commercial tools or homegrown scripts.

Question: How do you locate personal data?
Expected Answers: Automated solutions are not common, and providers will likely refer to their data location policies. Use of DLP technology can be considered a plus.

Question: How do you segregate data from different clients?
Expected Answers: Various solutions exist. Segregation can happen in the database, in the application or at infrastructure level. It can also be part of the SaaS architecture.

Question: How do you monitor access to personal data?
Expected Answers: Do not expect a privacy-specific answer. However, the provider should have some access logging and monitoring in place, especially for privileged users.

Question: Where do you use encryption?
Expected Answers: Most likely, the provider will claim to have encrypted sensitive data where necessary. Focus your attention on information stored on mobile devices and data in transit.

Question: Did you obtain a privacy certification?
Expected Answers: Safe Harbor is a legal requirement, but does not guarantee sound privacy. Privacy seals are an additional plus, but there are also no guarantees, and they are not very common. A "No" answer to this question may be acceptable, too.

Question: How long do you retain personal data after the contract terminates?
Expected Answers: The answer will depend on local regulatory requirements, but strict privacy laws typically request that data be deleted immediately.

Source: Gartner (August 2009)

RECOMMENDED READING

"Critical Security Questions to Ask a SaaS Provider"
"Data Masking Best Practices"
"Gartner for IT Leaders Overview: The Privacy Officer"
"Top Five Issues and Research Agenda, : The Privacy Officer"
"Testing Times for HR Systems and EU Data Protection Law"
"Tutorial for Navigating Privacy Legislation in Europe"
"Web Site Trust Seals: Less Than Meets the Eye"
More informationIAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.
Research Publication Date: 1 September 2009 ID Number: G00161012 SIEM and IAM Technology Integration Mark Nicolett, Earl Perkins Integration of identity and access management (IAM) and security information
More informationGartner Defines Enterprise Information Architecture
Research Publication Date: 20 February 2008 ID Number: G00154071 Gartner Defines Enterprise Information Architecture David Newman, Nicholas Gall, Anne Lapkin As organizations look for new ways to exploit
More informationThe Seven Building Blocks of MDM: A Framework for Success
Research Publication Date: 11 October 2007 ID Number: G00151496 The Seven Building Blocks of MDM: A Framework for Success John Radcliffe Gartner's Seven Building Blocks of Master Data Management (MDM)
More informationWhat Is the Role of Quality Assurance in a SaaS Environment?
Research Publication Date: 15 September 2009 ID Number: G00170552 What Is the Role of Quality Assurance in a SaaS Environment? Thomas E. Murphy, Daniel Sholler, Christian Hestermann Software as a service
More informationResearch. Mastering Master Data Management
Research Publication Date: 25 January 2006 ID Number: G00136958 Mastering Master Data Management Andrew White, David Newman, Debra Logan, John Radcliffe Despite vendor claims, master data management has
More informationData Center Consolidation in Western Europe Faces Limitations
Research Publication Date: 19 September 2006 ID Number: G00143179 Data Center Consolidation in Western Europe Faces Limitations Rakesh Kumar Organizations embarking on pan-european data center site consolidation
More informationIntegrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process
Research Publication Date: 26 October 2010 ID Number: G00207031 Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process Kimberly Collins This research
More informationConsider Identity and Access Management as a Process, Not a Technology
Research Publication Date: 2 September 2005 ID Number: G00129998 Consider and Management as a Process, Not a Technology Earl L. Perkins, Ant Allan This Research Note complements earlier Gartner research
More informationUnderstanding Vulnerability Management Life Cycle Functions
Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability
More informationCloud IaaS: Service-Level Agreements
G00210096 Cloud IaaS: Service-Level Agreements Published: 7 March 2011 Analyst(s): Lydia Leong Cloud infrastructure-as-a-service (IaaS) providers typically offer SLAs that cover the various elements of
More informationEmerging PC Life Cycle Configuration Management Vendors
Research Publication Date: 20 January 2011 ID Number: G00209766 Emerging PC Life Cycle Configuration Management Vendors Terrence Cosgrove Although the PC configuration life cycle management (PCCLM) market
More informationERP, SCM and CRM: Suites Define the Packaged Application Market
Research Publication Date: 25 July 2008 ID Number: G00158827 ERP, SCM and CRM: Suites Define the Packaged Application Market Yvonne Genovese, Jeff Woods, James Holincheck, Nigel Rayner, Michael Maoz Users
More informationGartner Updates Its Definition of IT Infrastructure Utility
Research Publication Date: 23 April 2004 ID Number: M-22-2393 Gartner Updates Its Definition of IT Infrastructure Utility Claudio Da Rold Our new definition of IT infrastructure utility clears away some
More informationPrivate Cloud Computing: An Essential Overview
Research Publication Date: 23 November 2010 ID Number: G00209000 Private Cloud Computing: An Essential Overview Thomas J. Bittman Private cloud computing requires strong leadership and a strategic plan
More informationCase Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students
Industry Research Publication Date: 26 January 2010 ID Number: G00172722 Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students Steve Bittinger Australia's New
More informationMicrosoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality
Research Publication Date: 4 November 2008 ID Number: G00162793 Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality David Mitchell Smith, Neil MacDonald At Professional Developers
More informationCloud IaaS: Security Considerations
G00210095 Cloud IaaS: Security Considerations Published: 7 March 2011 Analyst(s): Lydia Leong, Neil MacDonald Ensuring adherence to your organization's security and compliance requirements is one of the
More informationCloud, SaaS, Hosting and Other Off-Premises Computing Models
Research Publication Date: 8 July 2008 ID Number: G00159042 Cloud, SaaS, Hosting and Other Off-Premises Computing Models Yefim V. Natis, Nicholas Gall, David W. Cearley, Lydia Leong, Robert P. Desisto,
More informationIT asset management (ITAM) will proliferate in midsize and large companies.
Research Publication Date: 2 October 2008 ID Number: G00161024 Trends on Better IT Asset Management Peter Wesche New exiting trends will lead to a higher adoption of asset management methodologies. Tighter
More informationAn outline of the five critical components of a CRM vision and how they contribute to an enterprise's CRM success
Research Publication Date: 1 March 2007 ID Number: G00146362 How to Create a Powerful CRM Vision Gene Alvarez This research provides: Guidance on how to develop a CRM vision An outline of the five critical
More informationHow Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits
Research Publication Date: 13 June 2008 ID Number: G00158605 How Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits Nigel Rayner Eneco was faced with
More informationThe EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other.
Research Publication Date: 4 April 2008 ID Number: G00155260 Integrate EA and IT Governance s Betsy Burton, R. Scott Bittler, Cassio Dreyfuss In many organizations, we find that IT governance (ITG) initiatives
More information2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities
Research Publication Date: 23 July 2009 ID Number: G00168896 2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities John E. Van Decker Many organizations recognize that existing financial
More informationClients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in
Research Publication Date: 15 March 2011 ID Number: G00210952 Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in Tim Zimmerman Enterprises must
More informationThe IT Service Desk Market Is Ready for SaaS
Research Publication Date: 17 April 2009 ID Number: G00166526 The IT Service Desk Market Is Ready for SaaS David M. Coyle The IT service desk market is well-positioned to use the software-as-a-service
More informationInvest in an analysis of current metrics and those missing, and develop a plan for continuous management and improvement.
Research Publication Date: 29 April 2008 ID Number: G00154802 Key Metrics for IT Service and Support David M. Coyle, Kris Brittain To evaluate IT service and support performance, senior management must
More informationReal-Time Decisions Need Corporate Performance Management
Research Publication Date: 26 April 2004 ID Number: COM-22-3674 Real-Time Decisions Need Corporate Performance Management Frank Buytendijk, Brian Wood, Mark Raskino The real-time enterprise model depends
More informationRisk Intelligence: Applying KM to Information Risk Management
Research Publication Date: 19 September 2007 ID Number: G00151742 Risk Intelligence: Applying KM to Information Risk Management French Caldwell Risk intelligence is the alignment of information governance
More informationData in the Cloud: The Changing Nature of Managing Data Delivery
Research Publication Date: 1 March 2011 ID Number: G00210129 Data in the Cloud: The Changing Nature of Managing Data Delivery Eric Thoo Extendible data integration strategies and capabilities will play
More informationNGFWs will be most effective when working in conjunction with other layers of security controls.
Research Publication Date: 12 October 2009 ID Number: G00171540 Defining the Next-Generation Firewall John Pescatore, Greg Young Firewalls need to evolve to be more proactive in blocking new threats, such
More informationThe What, Why and When of Cloud Computing
Research Publication Date: 4 June 2009 ID Number: G00168582 The What, Why and When of Cloud Computing David Mitchell Smith, Daryl C. Plummer, David W. Cearley Cloud computing continues to gain visibility.
More informationKey Issues for Business Intelligence and Performance Management Initiatives, 2008
Research Publication Date: 14 March 2008 ID Number: G00156014 Key Issues for Business Intelligence and Performance Management Initiatives, 2008 Kurt Schlegel The Business Intelligence and Performance Management
More informationBest Practice: Having a 'Big Picture' View of IP Telephony Will Give the Buyer More Control
Research Publication Date: 12 February 2008 ID Number: G00154811 Best Practice: Having a 'Big Picture' View of IP Telephony Will Give the Buyer More Control Steve Blood Companies spend too much on IP-PBXs
More informationEnterprise Asset Management Migration Requires Detailed Planning
Research Publication Date: 2 September 2005 ID Number: G00130205 Enterprise Asset Management Migration Requires Detailed Planning Kristian Steenstrup Neglecting to address key areas when migrating to packaged
More informationAgenda for Supply Chain Strategy and Enablers, 2012
G00230659 Agenda for Supply Chain Strategy and Enablers, 2012 Published: 23 February 2012 Analyst(s): Michael Dominy, Dana Stiffler When supply chain executives establish the right strategies and enabling
More informationRoundup of Business Intelligence and Information Management Research, 1Q08
Gartner for IT Leaders Publication Date: 2 May 2008 ID Number: G00157226 Roundup of Business Intelligence and Information Management Research, 1Q08 Bill Hostmann This document provides a roundup of our
More informationSuccessful EA Change Management Requires Five Key Elements
Research Publication Date: 26 December 2007 ID Number: G00153908 Successful EA Change Management Requires Five Key Elements Richard Buchanan Change, in all its many aspects, is a critical aspect of the
More informationGartner Clarifies the Definition of the Term 'Enterprise Architecture'
Research Publication Date: 12 August 2008 ID Number: G00156559 Gartner Clarifies the Definition of the Term 'Enterprise Architecture' Anne Lapkin, Philip Allega, Brian Burke, Betsy Burton, R. Scott Bittler,
More informationX.509 Certificate Management: Avoiding Downtime and Brand Damage
G00226426 X.509 Certificate Management: Avoiding Downtime and Brand Damage Published: 4 November 2011 Analyst(s): Eric Ouellet, Vic Wheatman Organizations are often not aware of the scope or the validity
More informationRecognize the Importance of Digital Marketing
Recognize the Importance of Digital Marketing Laura McLellan, Lead Author Laura McLellan, Laura McLellan serves CMOs and other marketing executives, sharing how digital strategies are being integrated
More informationGartner's View on 'Bring Your Own' in Client Computing
G00217298 Gartner's View on 'Bring Your Own' in Client Computing Published: 20 October 2011 Analyst(s): Leif-Olof Wallin Here, we bring together recently published research covering the hot topic of supporting
More informationGoogle and Microsoft Battle for the.edu E-Mail Market
Research Publication Date: 16 August 2007 ID Number: G00150690 Google and Microsoft Battle for the.edu E-Mail Market Matthew W. Cain, Marti Harris This document compares the current no-fee e-mail programs
More informationEvaluating Microsoft, Oracle and SAP CRM Application Strategy
Research Publication Date: 8 October 2009 ID Number: G00170698 Evaluating Microsoft, Oracle and SAP CRM Application Strategy Michael Maoz, Kimberly Collins, Robert P. Desisto The quality of the customer
More informationCase Study: Innovation Squared: The Department for Work and Pensions Turns Innovation Into a Game
Research Publication Date: 23 November 2010 ID Number: G00208615 Case Study: Innovation Squared: The Department for Work and Pensions Turns Innovation Into a Game Brian Burke, Mary Mesaglio The U.K.'s
More informationQ&A: The Impact of XBRL on Corporate Performance Management
Research Publication Date: 27 May 2008 ID Number: G00158184 Q&A: The Impact of XBRL on Corporate Performance Management Nigel Rayner Extensible Business Reporting Language is an XML-based standard that
More informationBankinter Differentiates Itself by Focusing on Innovation and CRM
Research Publication Date: 4 October 2005 ID Number: G00127276 Bankinter Differentiates Itself by Focusing on Innovation and CRM John Radcliffe Bankinter successfully competes in the Spanish banking market
More informationModify Your Storage Backup Plan to Improve Data Management and Reduce Cost
G00238815 Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost Published: 4 October 2012 Analyst(s): Dave Russell IT leaders and storage managers must rethink their backup procedures
More informationHow BPM Can Enhance the Eight Building Blocks of CRM
Research Publication Date: 6 April 2007 ID Number: G00146588 How BPM Can Enhance the Eight Building Blocks of CRM Marc Kerremans, Jim Davies Business process management (BPM) should complement an organization's
More informationCase Study: Social Networking Tool Becomes Essential Workplace Infrastructure at Deloitte
Research Publication Date: 3 April 2009 ID Number: G00166424 Case Study: Social Networking Tool Becomes Essential Workplace Infrastructure at Deloitte Nikos Drakos We look at the motivation, justification
More informationMicrosoft and Google Jostle Over Cloud-Based E-Mail and Collaboration
Research Publication Date: 24 March 2008 ID Number: G00156216 Microsoft and Google Jostle Over Cloud-Based E-Mail and Collaboration Tom Austin Both Google and Microsoft come up short in terms of delivering
More informationThe Six Triggers for Using Data Center Infrastructure Management Tools
G00230904 The Six Triggers for Using Data Center Infrastructure Management Tools Published: 29 February 2012 Analyst(s): Rakesh Kumar This research outlines the six main triggers for users to start using
More information