On April 2nd, ASI held its first invitation-only CIO Summit — on Data Security in a Mobile World in downtown Washington, DC, exclusively for not-for-profit CIOs. The event brought together the best and brightest minds from the association, non-profit, and business communities to address the current data security threats they're facing, particularly in this increasingly mobile world.

1. Data Security in a Mobile World

2. Agenda
• Welcome and Introductions
– David Riffle, Sr. Director, ASI
• Information Security Threats and Strategies
– Mark Breland, Sr. Product Engineering Exec., ASI
• What You Need to Know about PCI
Compliance
– David Johnson, Systems Engineer, Trustwave

3. Agenda
• Why the Era of CRM is Over
– Brent Sitton, Product Marketing Manager, ASI
– Bruce Ryan, CIO, Florida Bankers Association
– Artesha Moore, CIO, Association for Professionals
in Infection Control and Epidemiology
• Closing Remarks

7. …1800 clients across 25 countries
and 6 continents…

8. … ASI and iMIS focus on being
prepared to help minimize the
risk of a security breach

9. Many organizations have higher
data risk due to multiple systems

10. The era of CRM is
over.

11. Data Security used to be a lot more simple…

12. …than it is today.

13. Data Security in a Mobile World

14. Security…
Vulnerabilities, Mitigation,
and Defensive Measures
Mark Breland
Senior Product Engineering Executive

15. Agenda
• Security breaches today
• Attack vector mitigation
• Secure web implementation
• Penetration testing
• ASI Corporate Security Initiative

16. Security Breaches Today
• By the numbers…in the US 2005 to April 2014
– Recorded breaches = 4,455
– Records exposed = 626,327,451
– Cost per record = $188
– Total cost = $117.8B
• Breach attack patterns
– 52% of stolen data due to “hacktivism”
– 40% of breaches incorporated malware
– Malicious or criminal attacks that exploit negligence
or system glitches

17. Security Breaches Today
• Primary data breach targets…
– Financial
– Retail
– Government
• 43% of all companies experienced a data breach in the
last year
– Of these, 27% had no response plan in place
– 80% had root cause in employee negligence
• Membership organizations emerging
– Controversial missions/philosophies
– Play to self-anointed judgment of “hacktivists”
– Least likely to have protections in place

18. Security Breaches Today
• Cyber risk and liability
– Target® breach of 2013…40M compromised records,
potential company liability of $90/exposed record =
$3.6B
– Target® directors and officers also facing derivative suits
– Home Depot® breach of 2014…56M compromised PCI
records, liability to exceed $3B
– JPMorgan Chase breach of 2014…83M compromised PII
accounts
– Anthem breach of 2015…80M compromised PHI records
– Data loss not typically covered under corporate
insurance policies…cyber liability insurance required to
cover corporate costs of a breach

19. Security Breaches Today
• Cyber risk and liability
– Brand value drops 17-31% after a breach
– Data loss not typically covered under corporate
insurance policies…cyber liability insurance required
to cover corporate costs of a breach
– Software vendors mostly protected by liability limits
clauses in their EULAs
– Custom developed software and software
implementation is another story…
– Any technology company associated with a breach is
open to litigation

20. Security Breaches Today
• Why NPOs should be concerned
– Larger budgets/revenues are attractive
– Mission statements draw hostile attention
– Greater need for online service provision
– Growing IT complexity to maintain operating
efficiency and maximize member benefits
– Increasing reliance on 3rd party cloud/hosting
service providers

21. Security Breaches Today
• One breach, 6 investigations…
– Internal investigation
– Shareholders vs. Directors and Officers
– Card brand vs. Company
– Federal Government vs. Company
– State Government vs. Company
– Law Enforcement vs. Attacker

22. Security Breaches Today
• Weak credentials
– Default credential provisioning
– Susceptible to brute force attacks
• System misconfiguration
– Accidental exposure of administrative consoles
– Stood up systems outside of policy
– Firewall errors/complexity
• Service/Software vulnerability
– Heartbleed, Shellshock
– Third party software
• Web application vulnerability
– Most commonly exploited
– Custom code developed without security
• Social engineering
– Phishing, link clicking

23. Security Breaches Today
Web security today is both a proactive and
reactive process…one must be fully prepared in
both aspects to survive in the current threat
environment.

24. Attack Vector Mitigation - Business
• Identify and understand your business risks as
regards likely channels of attack
• Educate Board and senior management on
responsibilities and effectively managing cyber
security risk
• Proactively secure data, systems, policies, and
procedures in advance…plan, Plan, PLAN
• Gather and share cyber attack intelligence
internally and among industry peers

25. Attack Vector Mitigation - Business
• Train staff and elevate cyber security awareness
• Engage outside help when needed
• Ensure compliance with all regulatory and
certification security requirements
• Respond clearly and deliberately to any critical
incident…focus on maintaining stakeholder
confidence
• Benchmark your cyber security program in
relation to your peers

26. Secure Web Implementation

27. Secure Web Implementation
• Protect each site with a valid SSL certificate
and HTTPS protocol
• Isolate web servers in the DMZ zone
• Protect services in the Trusted zone
• Disallow non-VPN or non-direct RDP access to
any server

28. Secure Web Implementation
• GreenSQL - a unified, ready-to-use database
security solution for all organizations. Easy to
install, use and maintain
– Hides and secures databases
– Monitors all incoming and outgoing SQL queries
– Alerts and blocks signature-based query attacks
– Maintains database security policy in real-time
– Protects against known and unknown database
exploits

29. Secure Web Implementation
– GreenSQL is located between the iMIS application and the
database, inspecting all access, including queries and
database responses. This ensures complete coverage for
securing, monitoring and masking of sensitive information
stored in databases.

30. Trusted
Secure Web Implementation
• Recommended GreenSQL deployment
Database
Server
Green SQL
iMIS
Application
Server
Internal iMIS
Clients
DMZ
Web
Servers
Public (web
browsers)
Registrants
(web
browsers)
Firewall
Firewall

31. Penetration Testing
• Process to identify security vulnerabilities in a
web application or site by evaluating the system
or network with various malicious techniques
• Various end targets…
– Full web site (Amazon, Google, iMIS customer)
– Web application product (iMIS 20 out-of-the-box)
• Various forms…
– Social engineering
– Application security
– Physical penetration

32. Penetration Testing
• Automated testing tools
– Pros – covers a lot of ground very fast, cost efficient,
consistent and repeatable, best suited for rapidly
evolving web applications
– Cons – can frequently flag false positives, only as good
as the latest signature database of known exploits
• Adaptive (manual) testing techniques
– Pros – follows the black hat mindset, uncovers
application-specific combinatorial vulnerabilities,
leverages non-related tools, much more rigorous
– Cons – labor-intensive, not easily repeatable, money
sink

33. Penetration Testing
• ASI committed to conducting self penetration testing
– iMIS 20-100/200 and 20-300 platforms
– Integral to pre-EA/GA regression testing
– Employ Netsparker tool as a start, will likely expand to
others
• ASI engaged independent penetration testing services
in 2014
– Currently GA iMIS 20-100 and 20-300 platforms
– Adaptive pen testing techniques and methodology
– No critical vulnerabilities found
– Secure coding practices strongly recommended

34. ASI Corporate Security Initiative
• Formed mid-2013 to address the issue of iMIS
running as a secure web application for the
benefit of our customers
• Focused on three areas to mitigate our risk
exposure with the use of the iMIS product
– Web application product development
– Site implementation
– Cloud services
• Phase 1 complete, Phase 2 emphasis on
establishing a corporate ASI Security Assurance
Plan with associated policies/procedures

35. Resources
• Articles
– Verizon 2014 Data Breach Investigations Report -
www.verizonenterprise.com/DBIR/2014/
– https://www.owasp.org/index.php/ASP.NET_Misconfigurations
– http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-
mistakes-in-the-web-config-file.aspx
– http://csae-trillium.tv/cyber-security-canadas-profit-organizations-attack-
certain-loss/
• Best Practices
– OWASP - www.owasp.org/index.php/Main_Page
– NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework-
021214.pdf
– www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf
– www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf

36. Crash Course: PCI v3
David Johnson – System Engineer

37. Summary
• What is PCI?
• What has changed in PCI-DSS v3?
• Scope Adjustment + Segment and Pentesting
• Hosted Payment Pages Clarification
• Sampling
• POS Security
• Tips & Tricks
• What’s Next?

38. Who We Are
WHO WE ARE
Company facts and figures
SERVING
GLOBAL
GROWING
INNOVATING
over 3 MILLION subscribers
with over 1,100
EMPLOYEES
employees in 26 countries
over 56 patents granted / pending
VULNERABILITY
MANAGEMENT
Global Threat Database
feeding Big Data back-end
THREAT
MANAGEMENT
Integrated portfolio of
technologies delivering
comprehensive protection
COMPLIANCE
MANAGEMENT
Leading provider of cloud
delivered IT-GRC services

39. WHAT IS THE PCI DSS?
• The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12
requirements designed to protect cardholder data
• Cardholder data is any personally identifiable data associated with a
cardholder, including:
– Primary Account Number
– Expiry Date
– Name
• All merchants accepting debit/credit cards must comply with the PCI
DSS at all times

40. What has changed
from PCI v2 – v3?...

41. PCI DSS v3 Changes
Definitions of Change
Change Type Definition Number of Changes
Clarification Clarifies intent of requirement. Ensures that
concise wording in the standard portrays
the desired intent of requirements.
74 changes
Additional
guidance
Explanation, definition and/or instruction
to increase understanding or provide
further information or guidance on a
particular topic.
5 changes
Evolving
Requirement
Changes to ensure that the standards are
up to date with emerging threats and
changes in the market.
19 changes

42. PCI DSS Version 3.0
• Specifically, scoping has been clarified to indicate that system components include, “Any component or
device located within or connected to the [cardholder data environment].”
• The new language also states that the “PCI DSS security requirements apply to all system components
included in or connected to the cardholder data environment
• Additionally, a new requirement has been added requiring that if segmentation is used, “penetration
testing procedures are designed to test all segmentation methods to confirm they are operational and
effective, and isolate all out-of-scope systems from in-scope systems.”
• As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system
component must be properly isolated (segmented) from the CDE such that even if the out-of-scope
system component was compromised it could not impact the security of the CDE.”
• The additional focus on connected systems likely expands (potentially greatly) the number of systems
considered in-scope for many organizations. For example, in most networks using Windows Activity
Directory security, a compromise of systems outside the CDE could impact the CDE and then could be
considered in-scope for the PCI assessment.
Most Notable Changes (1/4)
A Higher Bar to Achieve “Segmentation”

43. PCI DSS Version 3.0
• PCI DSS 3.0 offers a new definition of system components: “System components include
systems that may impact the security of the CDE (for example web redirection servers).”
• Up until now, web servers had been considered out-of-scope if they used iFrames, hosted
payment pages or other redirection technologies to prevent cardholder data from touching
the merchant’s systems.
• Under the new standard, all of these servers fall in-scope and, due to the new segmentation
requirement, likely bring the rest of a company’s network into scope as well.
• The only “out” for companies that lack the ability to ensure the security of web servers
internally remains fully outsourcing the web infrastructure.
Most Notable Changes (2/4)
Hosted Payment Pages Are No Longer A “silver bullet”

44. PCI DSS Version 3.0
Most Notable Changes (3/4)
Larger Samples Are Required
• The new standard requires larger samples. Specifically, “Samples of system components must
include every type and combination that is in use. For example, where applications are
sampled, the sample must include all versions and platforms for each type of application.”
• For merchants undergoing a third party assessment or Level 1 merchants that self assess, the
level of effort in the validation process is likely to increase.

45. PCI DSS Version 3.0
• In response to recent attacks in which POS devices have been physically
modified to capture card holder data, there is a new set of control
requirements around physical security for POS devices.
• First, merchants must maintain an inventory of POS devices, which must
be identified in detail, including the location and serial number of each
device.
• Additionally, POS devices must be inspected periodically for tampering,
and employees at POS locations must be trained in how to detect and
prevent device tampering
Most Notable Changes (4/4)
Greater Security Around POS Physical Controls

46. PCI DSS Version 3.0
• Annual Pentesting
– Internal & External Network (qualified internal/external resource)
• Segmentation must be verified
– Applications (qualified internal/external resource)
• Vulnerability Scanning
– Internal (ASV or Self)
– External (ASV only)
• Default Passwords – must be changed
• Security Education – pretty much everyone
– Role appropriate.
Additional Major Changes or Key Areas

47. Tips & Tricks
1. Read the PCI-DSS v3.
2. Leverage your entire employee base.
3. Read InfoSec News.
4. Keep the conversation going.
5. Be able to show proof.
6. Stay on top of documentation.
7. Standardize and remove risk.
8. Know your compliance anniversary date.
9. Start your assessment early.
10.Establish your current Merchant Level.

48. What’s Next?
Things to pay attention to in the near future
• InfoSec companies expect an increase in CHD theft ahead of EMV 2015
integration deadline in the USA.
• Employee and Business process security
• P2PE – it’s new and still in the works

50. Thank You
• Eric Wassenaar, NFP Account Executive
• ewassenaar@trustwave.com
• (312) 470-8743

51. Why the Era of
CRM is Over
Brent Sitton
Product Marketing Manager

52. Why the Era of CRM is Over

53. Complex Integrations
Disparate Products &
Vendors
High Cost of Ownership
Designed for Staff
+ =A ‘Half-Cycle’ Approach
Disparate Systems = A Risky Approach

54. Engagement Management System

55. New Programs and Services
• Survey method
– Misleading Indications
– Qualitative, not Quantitative
• Full Implementation
– Fraught with Risk

56. Software Project Failure
Standish CHAOS Report on Software Projects
1994 - 16% Successful
2013 – 39% Successful

57. Just Do It!
Put your products on the web and customers
will come…

58. Learning Organization
Learning – Validate your ideas using the
scientific method
• Hypothesize
• Build Pilot
• Measure
• Learn

59. Engagement Management
• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituents in
ONE system
• Interact with constituents on Any Device
• Measure member interaction

60. Pilot Project in iMIS
• Community Service Groups
– Notify targeted group
– Collect information
– Match them to volunteer event
– See the measurable results

61. Demonstration
Collect New Information
Notify Members
Measure Results

64. Learning with an EMS
• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituent in
ONE system
• Interact with constituents on Any Device
• Measure interaction

65. Learning Organization
iMIS RiSE enables your organization to LEARN
from customers’ actions and behavior,
understanding what they VALUE
Ushering in the END
of the CRM era

66. Associations for
Professionals in Infection
Control and Epidemiology
Artesha Moore, CAE
Vice President, Membership,
Education, and Technology

67. About APIC
Mission: Create a safer world through
the prevention of infection.
• Over 15,000 members from variety
of practice settings within
healthcare
• 120 domestic and international
chapters
• 11 special interest groups (similar
to Technical Councils)
• Over 50% growth in past few years
• Diverse membership with varying
needs

68. Challenge
In 2005, APIC wanted to grow, yet, systems were
not in place
• AMS out of date, inaccurate
• No true web integration
• Culture not supportive
Membership growth is not
possible without engagement

69. Growth Leads to Challenges
• Variable practice
settings with varying
needs
• High % retiring in 5
years
• Decreased time and
increased demands
impact member
participation
• Ever-changing
regulations and need
for new guidelines

70. Member Engagement Means...
• Ease of access to
features
• Integration of all
technologies with
AMS
• Enhancing customer
experience

71. Engagement Strategy
• Strengthen our AMS to enable greater connectivity to
online resources
• Get an accurate picture of our members using metrics
and data
• Increase capacity by automating routine tasks
• Work with vendors to integrate 3rd party add-ons to
expand program offerings
Change internal culture to embrace
both IT and member services

72. Engagement Strategy
Using data to make
decisions:
• Identifying key
members groups
• Tracking member
activity and
performance
• Identifying new
leaders
• Integrating with new
platforms

73. Engagement Strategy
• Open lines of
communication
between frontline
staff, IT and leaders
• Provide training to
empower staff to act
• Promote innovation at
all levels
• Connect personal goals
with organizational
goals
• Be open to new ideas

74. Embracing Technology...
• Plan must support
your strategic plan
• Strong infrastructure
is essential
• Knowledgeable staff
to help educate
members
• Develop partnership
with vendors

75. Enhancements Lead to New Possibilities
As APIC's database
and web resources
evolved, staff
focused on more
ways to get and keep
members engaged.

76. Results

77. Results: New Leaders
• Using customized
tables to create a
database within
existing structure
• Using scoring in social
media to identify new
leaders
• Using web analytics to
understand member
content needs

78. Results: Growth
41+% Membership Growth

79. "The single most important thing to
remember about any enterprise is
that there are no results inside its
walls. The result of a business is a
satisfied customer."
Zig Ziglar, Sales and motivational speaker and writer

80. Contact Information
Artesha Moore, CAE
Vice President, Membership,
Education, and Technology
APIC
amoore@apic.org

81. Florida Bankers
Association
Bruce Ryan
DBA and Web Manager

82. Florida Bankers Association
Founded in 1888 in support of Florida’s FDIC insured banks
and financial institutions.
– 22 Staff Members
– Advocacy
– Education
– Membership
– Associate Membership
• Vendors
– Endorsed Partner Program
• Products
– Other Services
• Career Center, Fraudnet, Capwiz and more…

83. Challenge: Disparate Applications
Schools
DB
Member
DB
Accounting
DB
Reports

84. Our Goal with iMIS 20
• 100% Retention of
Members
• Staff Productivity
• More Efficient
Member and Client
Experience

85. Solution: iMIS 20
• CRM & CMS in one
system
• Events, product sales,
accounting, etc.
in one system
• Offline/Online
transactions in one
system
• Total web integration

86. Results iMIS 20
• Time Savings: Supporting
one application instead of
5+
• Cost Savings: Paying for
one application instead of
5+!
• Reporting: Happy staff!
• Ease of Use: One
application vs. 5+ (Happy
staff!!)
• Member Engagement!

87. Results iMIS 20
Accounting DB
Reports

88. Wrap Up
David Riffle
Senior Director
Advanced Solutions International, Inc.

89. • Be Prepared

90. Lessons Learned
• Massive change in communication is an
opportunity to grow and thrive
– Social networking - You Tube
– Mobility - Personalization
– Communities of Interests - Data Capture
• C Level Executives must lead this transition

91. Multiple systems increase the
complexity of securing data

92. Engagement Management
System

93. Albert Einstein
Insanity: “doing the same thing over
and over again and expecting different
results.”

94. The era of CRM is
over.

96. http://bit.ly/ASISuccess
Success Assessment
96

98. Thanks!
1-800-727-8682
www.advsol.com
www.imis.com/tour
@advsol.com

99. Wrap Up
David Riffle
Senior Director
Advanced Solutions International, Inc.