iMIS, profile picture
Uploaded byiMIS
PPTX, PDF505 views

CIO Summit: Data Security in a Mobile World

The document outlines a conference agenda focused on data security issues faced by organizations in a mobile environment, discussing threats, mitigation strategies, and compliance with standards like PCI DSS. Key presentations cover the significant risks of data breaches, the necessity for robust security measures, and the evolution of customer relationship management (CRM) systems in light of modern data security challenges. The conference highlights the importance of proactive measures, employee training, and the need for integrated security solutions to mitigate risks associated with growing cyber threats.

Embed presentation

Download to read offline
Data Security in a Mobile World
Agenda • Welcome and Introductions – David Riffle, Sr. Director, ASI • Information Security Threats and Strategies – Mark Breland, Sr. Product Engineering Exec., ASI • What You Need to Know about PCI Compliance – David Johnson, Systems Engineer, Trustwave
Agenda • Why the Era of CRM is Over – Brent Sitton, Product Marketing Manager, ASI – Bruce Ryan, CIO, Florida Bankers Association – Artesha Moore, CIO, Association for Professionals in Infection Control and Epidemiology • Closing Remarks
…1800 clients across 25 countries and 6 continents…
… ASI and iMIS focus on being prepared to help minimize the risk of a security breach
Many organizations have higher data risk due to multiple systems
The era of CRM is over.
Data Security used to be a lot more simple…
…than it is today.
Data Security in a Mobile World
Security… Vulnerabilities, Mitigation, and Defensive Measures Mark Breland Senior Product Engineering Executive
Agenda • Security breaches today • Attack vector mitigation • Secure web implementation • Penetration testing • ASI Corporate Security Initiative
Security Breaches Today • By the numbers…in the US 2005 to April 2014 – Recorded breaches = 4,455 – Records exposed = 626,327,451 – Cost per record = $188 – Total cost = $117.8B • Breach attack patterns – 52% of stolen data due to “hacktivism” – 40% of breaches incorporated malware – Malicious or criminal attacks that exploit negligence or system glitches
Security Breaches Today • Primary data breach targets… – Financial – Retail – Government • 43% of all companies experienced a data breach in the last year – Of these, 27% had no response plan in place – 80% had root cause in employee negligence • Membership organizations emerging – Controversial missions/philosophies – Play to self-anointed judgment of “hacktivists” – Least likely to have protections in place
Security Breaches Today • Cyber risk and liability – Target® breach of 2013…40M compromised records, potential company liability of $90/exposed record = $3.6B – Target® directors and officers also facing derivative suits – Home Depot® breach of 2014…56M compromised PCI records, liability to exceed $3B – JPMorgan Chase breach of 2014…83M compromised PII accounts – Anthem breach of 2015…80M compromised PHI records – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
Security Breaches Today • Cyber risk and liability – Brand value drops 17-31% after a breach – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach – Software vendors mostly protected by liability limits clauses in their EULAs – Custom developed software and software implementation is another story… – Any technology company associated with a breach is open to litigation
Security Breaches Today • Why NPOs should be concerned – Larger budgets/revenues are attractive – Mission statements draw hostile attention – Greater need for online service provision – Growing IT complexity to maintain operating efficiency and maximize member benefits – Increasing reliance on 3rd party cloud/hosting service providers
Security Breaches Today • One breach, 6 investigations… – Internal investigation – Shareholders vs. Directors and Officers – Card brand vs. Company – Federal Government vs. Company – State Government vs. Company – Law Enforcement vs. Attacker
Security Breaches Today • Weak credentials – Default credential provisioning – Susceptible to brute force attacks • System misconfiguration – Accidental exposure of administrative consoles – Stood up systems outside of policy – Firewall errors/complexity • Service/Software vulnerability – Heartbleed, Shellshock – Third party software • Web application vulnerability – Most commonly exploited – Custom code developed without security • Social engineering – Phishing, link clicking
Security Breaches Today Web security today is both a proactive and reactive process…one must be fully prepared in both aspects to survive in the current threat environment.
Attack Vector Mitigation - Business • Identify and understand your business risks as regards likely channels of attack • Educate Board and senior management on responsibilities and effectively managing cyber security risk • Proactively secure data, systems, policies, and procedures in advance…plan, Plan, PLAN • Gather and share cyber attack intelligence internally and among industry peers
Attack Vector Mitigation - Business • Train staff and elevate cyber security awareness • Engage outside help when needed • Ensure compliance with all regulatory and certification security requirements • Respond clearly and deliberately to any critical incident…focus on maintaining stakeholder confidence • Benchmark your cyber security program in relation to your peers
Secure Web Implementation
Secure Web Implementation • Protect each site with a valid SSL certificate and HTTPS protocol • Isolate web servers in the DMZ zone • Protect services in the Trusted zone • Disallow non-VPN or non-direct RDP access to any server
Secure Web Implementation • GreenSQL - a unified, ready-to-use database security solution for all organizations. Easy to install, use and maintain – Hides and secures databases – Monitors all incoming and outgoing SQL queries – Alerts and blocks signature-based query attacks – Maintains database security policy in real-time – Protects against known and unknown database exploits
Secure Web Implementation – GreenSQL is located between the iMIS application and the database, inspecting all access, including queries and database responses. This ensures complete coverage for securing, monitoring and masking of sensitive information stored in databases.
Trusted Secure Web Implementation • Recommended GreenSQL deployment Database Server Green SQL iMIS Application Server Internal iMIS Clients DMZ Web Servers Public (web browsers) Registrants (web browsers) Firewall Firewall
Penetration Testing • Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques • Various end targets… – Full web site (Amazon, Google, iMIS customer) – Web application product (iMIS 20 out-of-the-box) • Various forms… – Social engineering – Application security – Physical penetration
Penetration Testing • Automated testing tools – Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications – Cons – can frequently flag false positives, only as good as the latest signature database of known exploits • Adaptive (manual) testing techniques – Pros – follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous – Cons – labor-intensive, not easily repeatable, money sink
Penetration Testing • ASI committed to conducting self penetration testing – iMIS 20-100/200 and 20-300 platforms – Integral to pre-EA/GA regression testing – Employ Netsparker tool as a start, will likely expand to others • ASI engaged independent penetration testing services in 2014 – Currently GA iMIS 20-100 and 20-300 platforms – Adaptive pen testing techniques and methodology – No critical vulnerabilities found – Secure coding practices strongly recommended
ASI Corporate Security Initiative • Formed mid-2013 to address the issue of iMIS running as a secure web application for the benefit of our customers • Focused on three areas to mitigate our risk exposure with the use of the iMIS product – Web application product development – Site implementation – Cloud services • Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures
Resources • Articles – Verizon 2014 Data Breach Investigations Report - www.verizonenterprise.com/DBIR/2014/ – https://www.owasp.org/index.php/ASP.NET_Misconfigurations – http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common- mistakes-in-the-web-config-file.aspx – http://csae-trillium.tv/cyber-security-canadas-profit-organizations-attack- certain-loss/ • Best Practices – OWASP - www.owasp.org/index.php/Main_Page – NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework- 021214.pdf – www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf – www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf
Crash Course: PCI v3 David Johnson – System Engineer
Summary • What is PCI? • What has changed in PCI-DSS v3? • Scope Adjustment + Segment and Pentesting • Hosted Payment Pages Clarification • Sampling • POS Security • Tips & Tricks • What’s Next?
Who We Are WHO WE ARE Company facts and figures SERVING GLOBAL GROWING INNOVATING over 3 MILLION subscribers with over 1,100 EMPLOYEES employees in 26 countries over 56 patents granted / pending VULNERABILITY MANAGEMENT Global Threat Database feeding Big Data back-end THREAT MANAGEMENT Integrated portfolio of technologies delivering comprehensive protection COMPLIANCE MANAGEMENT Leading provider of cloud delivered IT-GRC services
WHAT IS THE PCI DSS? • The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data • Cardholder data is any personally identifiable data associated with a cardholder, including: – Primary Account Number – Expiry Date – Name • All merchants accepting debit/credit cards must comply with the PCI DSS at all times
What has changed from PCI v2 – v3?...
PCI DSS v3 Changes Definitions of Change Change Type Definition Number of Changes Clarification Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. 74 changes Additional guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. 5 changes Evolving Requirement Changes to ensure that the standards are up to date with emerging threats and changes in the market. 19 changes
PCI DSS Version 3.0 • Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].” • The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment • Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.” • As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” • The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment. Most Notable Changes (1/4) A Higher Bar to Achieve “Segmentation”
PCI DSS Version 3.0 • PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).” • Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems. • Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well. • The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure. Most Notable Changes (2/4) Hosted Payment Pages Are No Longer A “silver bullet”
PCI DSS Version 3.0 Most Notable Changes (3/4) Larger Samples Are Required • The new standard requires larger samples. Specifically, “Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.” • For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.
PCI DSS Version 3.0 • In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices. • First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device. • Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering Most Notable Changes (4/4) Greater Security Around POS Physical Controls
PCI DSS Version 3.0 • Annual Pentesting – Internal & External Network (qualified internal/external resource) • Segmentation must be verified – Applications (qualified internal/external resource) • Vulnerability Scanning – Internal (ASV or Self) – External (ASV only) • Default Passwords – must be changed • Security Education – pretty much everyone – Role appropriate. Additional Major Changes or Key Areas
Tips & Tricks 1. Read the PCI-DSS v3. 2. Leverage your entire employee base. 3. Read InfoSec News. 4. Keep the conversation going. 5. Be able to show proof. 6. Stay on top of documentation. 7. Standardize and remove risk. 8. Know your compliance anniversary date. 9. Start your assessment early. 10.Establish your current Merchant Level.
What’s Next? Things to pay attention to in the near future • InfoSec companies expect an increase in CHD theft ahead of EMV 2015 integration deadline in the USA. • Employee and Business process security • P2PE – it’s new and still in the works
Thank You • Eric Wassenaar, NFP Account Executive • ewassenaar@trustwave.com • (312) 470-8743
Why the Era of CRM is Over Brent Sitton Product Marketing Manager
Why the Era of CRM is Over
Complex Integrations Disparate Products & Vendors High Cost of Ownership Designed for Staff + =A ‘Half-Cycle’ Approach Disparate Systems = A Risky Approach
Engagement Management System
New Programs and Services • Survey method – Misleading Indications – Qualitative, not Quantitative • Full Implementation – Fraught with Risk
Software Project Failure Standish CHAOS Report on Software Projects 1994 - 16% Successful 2013 – 39% Successful
Just Do It! Put your products on the web and customers will come…
Learning Organization Learning – Validate your ideas using the scientific method • Hypothesize • Build Pilot • Measure • Learn
Engagement Management • Integrate Web and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituents in ONE system • Interact with constituents on Any Device • Measure member interaction
Pilot Project in iMIS • Community Service Groups – Notify targeted group – Collect information – Match them to volunteer event – See the measurable results
Demonstration Collect New Information Notify Members Measure Results
Learning with an EMS • Integrate Web and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituent in ONE system • Interact with constituents on Any Device • Measure interaction
Learning Organization iMIS RiSE enables your organization to LEARN from customers’ actions and behavior, understanding what they VALUE Ushering in the END of the CRM era
Associations for Professionals in Infection Control and Epidemiology Artesha Moore, CAE Vice President, Membership, Education, and Technology
About APIC Mission: Create a safer world through the prevention of infection. • Over 15,000 members from variety of practice settings within healthcare • 120 domestic and international chapters • 11 special interest groups (similar to Technical Councils) • Over 50% growth in past few years • Diverse membership with varying needs
Challenge In 2005, APIC wanted to grow, yet, systems were not in place • AMS out of date, inaccurate • No true web integration • Culture not supportive Membership growth is not possible without engagement
Growth Leads to Challenges • Variable practice settings with varying needs • High % retiring in 5 years • Decreased time and increased demands impact member participation • Ever-changing regulations and need for new guidelines
Member Engagement Means... • Ease of access to features • Integration of all technologies with AMS • Enhancing customer experience
Engagement Strategy • Strengthen our AMS to enable greater connectivity to online resources • Get an accurate picture of our members using metrics and data • Increase capacity by automating routine tasks • Work with vendors to integrate 3rd party add-ons to expand program offerings Change internal culture to embrace both IT and member services
Engagement Strategy Using data to make decisions: • Identifying key members groups • Tracking member activity and performance • Identifying new leaders • Integrating with new platforms
Engagement Strategy • Open lines of communication between frontline staff, IT and leaders • Provide training to empower staff to act • Promote innovation at all levels • Connect personal goals with organizational goals • Be open to new ideas
Embracing Technology... • Plan must support your strategic plan • Strong infrastructure is essential • Knowledgeable staff to help educate members • Develop partnership with vendors
Enhancements Lead to New Possibilities As APIC's database and web resources evolved, staff focused on more ways to get and keep members engaged.
Results
Results: New Leaders • Using customized tables to create a database within existing structure • Using scoring in social media to identify new leaders • Using web analytics to understand member content needs
Results: Growth 41+% Membership Growth
"The single most important thing to remember about any enterprise is that there are no results inside its walls. The result of a business is a satisfied customer." Zig Ziglar, Sales and motivational speaker and writer
Contact Information Artesha Moore, CAE Vice President, Membership, Education, and Technology APIC amoore@apic.org
Florida Bankers Association Bruce Ryan DBA and Web Manager
Florida Bankers Association Founded in 1888 in support of Florida’s FDIC insured banks and financial institutions. – 22 Staff Members – Advocacy – Education – Membership – Associate Membership • Vendors – Endorsed Partner Program • Products – Other Services • Career Center, Fraudnet, Capwiz and more…
Challenge: Disparate Applications Schools DB Member DB Accounting DB Reports
Our Goal with iMIS 20 • 100% Retention of Members • Staff Productivity • More Efficient Member and Client Experience
Solution: iMIS 20 • CRM & CMS in one system • Events, product sales, accounting, etc. in one system • Offline/Online transactions in one system • Total web integration
Results iMIS 20 • Time Savings: Supporting one application instead of 5+ • Cost Savings: Paying for one application instead of 5+! • Reporting: Happy staff! • Ease of Use: One application vs. 5+ (Happy staff!!) • Member Engagement!
Results iMIS 20 Accounting DB Reports
Wrap Up David Riffle Senior Director Advanced Solutions International, Inc.
• Be Prepared
Lessons Learned • Massive change in communication is an opportunity to grow and thrive – Social networking - You Tube – Mobility - Personalization – Communities of Interests - Data Capture • C Level Executives must lead this transition
Multiple systems increase the complexity of securing data
Engagement Management System
Albert Einstein Insanity: “doing the same thing over and over again and expecting different results.”
The era of CRM is over.
http://bit.ly/ASISuccess Success Assessment 96
Thanks! 1-800-727-8682 www.advsol.com www.imis.com/tour @advsol.com
Wrap Up David Riffle Senior Director Advanced Solutions International, Inc.

More Related Content

PPTX
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PDF
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
bySymantec
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
PDF
Incident Response
byInnoTech
 
PPTX
Rothke rsa 2013 - the five habits of highly secure organizations
byBen Rothke
 
PDF
The Cloud is in the details webinar - Rothke
byBen Rothke
 
PPTX
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
byBen Rothke
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PRESENTATION▶ Cyber Security Services (CSS): Security Simulation
bySymantec
 
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
Incident Response
byInnoTech
 
Rothke rsa 2013 - the five habits of highly secure organizations
byBen Rothke
 
The Cloud is in the details webinar - Rothke
byBen Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
byBen Rothke
 

What's hot

PDF
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
PDF
Cyber threats
bySonia Baratas Alves
 
PPTX
What is the UK Cyber Essentials scheme?
byIT Governance Ltd
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
PPT
Information security management
byUMaine
 
PDF
Ibm security products portfolio
byPatrick Bouillaud
 
PPTX
Managed Security Services from Symantec
byArrow ECS UK
 
PDF
Accelerating OT - A Case Study
byDigital Bond
 
PDF
Security Awareness Training
byDaniel P Wallace
 
PDF
A Case Study of the Capital One Data Breach
byAnchises Moraes
 
PPTX
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
byAlienVault
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PDF
Securing your presence at the perimeter
byBen Rothke
 
PPTX
Extending QRadar’s reach and simplifying incident response with BigFix
byLuigi Delgrosso
 
PDF
Breached! App Attacks, Application Protection and Incident Response
byResilient Systems
 
PDF
CIO Summit: Data Security in a Mobile World
byEdward Wendling
 
PDF
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
byIBM Security
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
PPT
2008: Web Application Security Tutorial
byNeil Matatall
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
Cyber threats
bySonia Baratas Alves
 
What is the UK Cyber Essentials scheme?
byIT Governance Ltd
 
MIS: Information Security Management
byJonathan Coleman
 
Information security management
byUMaine
 
Ibm security products portfolio
byPatrick Bouillaud
 
Managed Security Services from Symantec
byArrow ECS UK
 
Accelerating OT - A Case Study
byDigital Bond
 
Security Awareness Training
byDaniel P Wallace
 
A Case Study of the Capital One Data Breach
byAnchises Moraes
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
byAlienVault
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Securing your presence at the perimeter
byBen Rothke
 
Extending QRadar’s reach and simplifying incident response with BigFix
byLuigi Delgrosso
 
Breached! App Attacks, Application Protection and Incident Response
byResilient Systems
 
CIO Summit: Data Security in a Mobile World
byEdward Wendling
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
byIBM Security
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
2008: Web Application Security Tutorial
byNeil Matatall
 

Similar to CIO Summit: Data Security in a Mobile World

PDF
Netwealth educational webinar: Peace of mind in a digital world
bynetwealthInvest
 
PPTX
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
PDF
cybersecurity-careers.pdf
byRakeshKumar442494
 
PPTX
The Evolution of Cybercrime
byStephen Cobb
 
PPTX
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
PDF
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
PPT
Core.co.enterprise.deck.06.16.10
byCore Security Technologies
 
PDF
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PDF
Fall2015SecurityShow
byAdam Heller
 
PDF
Top Security Challenges Facing Credit Unions Today
byChris Gates
 
PPTX
The Year Ahead in Cyber Security: 2014 edition
byStephen Cobb
 
PPTX
Moving to the Cloud: A Security and Hosting Introduction
byBlackbaud
 
PPTX
It security the condensed version
byBrian Pichman
 
PDF
Seattle Tech4Good meetup: Data Security and Privacy
bySabra Goldick
 
PPTX
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
byAndris Soroka
 
PDF
Managed security services for financial services firms
byJake Weaver
 
PPTX
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
PPTX
What is Information Security and why you should care ...
byJames Mulhern
 
PDF
Cybersecurity Threats - NI Business Continuity Forum
byDavid Crozier
 
Netwealth educational webinar: Peace of mind in a digital world
bynetwealthInvest
 
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
cybersecurity-careers.pdf
byRakeshKumar442494
 
The Evolution of Cybercrime
byStephen Cobb
 
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
Fundamentals of information systems security ( pdf drive ) chapter 1
bynewbie2019
 
Core.co.enterprise.deck.06.16.10
byCore Security Technologies
 
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
Fall2015SecurityShow
byAdam Heller
 
Top Security Challenges Facing Credit Unions Today
byChris Gates
 
The Year Ahead in Cyber Security: 2014 edition
byStephen Cobb
 
Moving to the Cloud: A Security and Hosting Introduction
byBlackbaud
 
It security the condensed version
byBrian Pichman
 
Seattle Tech4Good meetup: Data Security and Privacy
bySabra Goldick
 
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
byAndris Soroka
 
Managed security services for financial services firms
byJake Weaver
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
What is Information Security and why you should care ...
byJames Mulhern
 
Cybersecurity Threats - NI Business Continuity Forum
byDavid Crozier
 

More from iMIS

PPTX
iMIS Online Communities
byiMIS
 
PPTX
SCCM Member Engagement Case Study
byiMIS
 
PPTX
CxO London RCEM Case Study
byiMIS
 
PDF
iMIS Process Automation & Email Marketing
byiMIS
 
PPTX
CIO Summit: Data Security in a Mobile World
byiMIS
 
PPTX
CxO London Closing
byiMIS
 
PPTX
iMIS 20 Overview for Education Associations
byiMIS
 
PPTX
CxO Not-for-Profit Performance Improvement Summit - Closing
byiMIS
 
PPTX
CxO London MemberWise ‘Harnessing the Web’ Survey Results
byiMIS
 
PPTX
IAPD Member Engagement Case Study
byiMIS
 
PPTX
BOC Member Engagement Case Study
byiMIS
 
PPTX
CxO Not-for-Profit Performance Improvement Summit - Opening
byiMIS
 
PPTX
CxO London Managing the Membership Experience
byiMIS
 
PPTX
Sigma Kappa Donor Engagement Case Study
byiMIS
 
PPT
Staying Relevant to Members and Donors in a Constantly Changing World
byiMIS
 
PPTX
CxO London Opening
byiMIS
 
PPTX
GDF Donor Engagement Case Study
byiMIS
 
PPTX
Big Data and Donor Engagement
byiMIS
 
PPT
OFBF Member Engagement Case Study
byiMIS
 
PPTX
LTA Donor Engagement Case Study
byiMIS
 
iMIS Online Communities
byiMIS
 
SCCM Member Engagement Case Study
byiMIS
 
CxO London RCEM Case Study
byiMIS
 
iMIS Process Automation & Email Marketing
byiMIS
 
CIO Summit: Data Security in a Mobile World
byiMIS
 
CxO London Closing
byiMIS
 
iMIS 20 Overview for Education Associations
byiMIS
 
CxO Not-for-Profit Performance Improvement Summit - Closing
byiMIS
 
CxO London MemberWise ‘Harnessing the Web’ Survey Results
byiMIS
 
IAPD Member Engagement Case Study
byiMIS
 
BOC Member Engagement Case Study
byiMIS
 
CxO Not-for-Profit Performance Improvement Summit - Opening
byiMIS
 
CxO London Managing the Membership Experience
byiMIS
 
Sigma Kappa Donor Engagement Case Study
byiMIS
 
Staying Relevant to Members and Donors in a Constantly Changing World
byiMIS
 
CxO London Opening
byiMIS
 
GDF Donor Engagement Case Study
byiMIS
 
Big Data and Donor Engagement
byiMIS
 
OFBF Member Engagement Case Study
byiMIS
 
LTA Donor Engagement Case Study
byiMIS
 

Recently uploaded

PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 

CIO Summit: Data Security in a Mobile World

  • 1.
    Data Security ina Mobile World
  • 2.
    Agenda • Welcome andIntroductions – David Riffle, Sr. Director, ASI • Information Security Threats and Strategies – Mark Breland, Sr. Product Engineering Exec., ASI • What You Need to Know about PCI Compliance – David Johnson, Systems Engineer, Trustwave
  • 3.
    Agenda • Why theEra of CRM is Over – Brent Sitton, Product Marketing Manager, ASI – Bruce Ryan, CIO, Florida Bankers Association – Artesha Moore, CIO, Association for Professionals in Infection Control and Epidemiology • Closing Remarks
  • 7.
    …1800 clients across25 countries and 6 continents…
  • 8.
    … ASI andiMIS focus on being prepared to help minimize the risk of a security breach
  • 9.
    Many organizations havehigher data risk due to multiple systems
  • 10.
    The era ofCRM is over.
  • 11.
    Data Security usedto be a lot more simple…
  • 12.
  • 13.
    Data Security ina Mobile World
  • 14.
    Security… Vulnerabilities, Mitigation, and DefensiveMeasures Mark Breland Senior Product Engineering Executive
  • 15.
    Agenda • Security breachestoday • Attack vector mitigation • Secure web implementation • Penetration testing • ASI Corporate Security Initiative
  • 16.
    Security Breaches Today •By the numbers…in the US 2005 to April 2014 – Recorded breaches = 4,455 – Records exposed = 626,327,451 – Cost per record = $188 – Total cost = $117.8B • Breach attack patterns – 52% of stolen data due to “hacktivism” – 40% of breaches incorporated malware – Malicious or criminal attacks that exploit negligence or system glitches
  • 17.
    Security Breaches Today •Primary data breach targets… – Financial – Retail – Government • 43% of all companies experienced a data breach in the last year – Of these, 27% had no response plan in place – 80% had root cause in employee negligence • Membership organizations emerging – Controversial missions/philosophies – Play to self-anointed judgment of “hacktivists” – Least likely to have protections in place
  • 18.
    Security Breaches Today •Cyber risk and liability – Target® breach of 2013…40M compromised records, potential company liability of $90/exposed record = $3.6B – Target® directors and officers also facing derivative suits – Home Depot® breach of 2014…56M compromised PCI records, liability to exceed $3B – JPMorgan Chase breach of 2014…83M compromised PII accounts – Anthem breach of 2015…80M compromised PHI records – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
  • 19.
    Security Breaches Today •Cyber risk and liability – Brand value drops 17-31% after a breach – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach – Software vendors mostly protected by liability limits clauses in their EULAs – Custom developed software and software implementation is another story… – Any technology company associated with a breach is open to litigation
  • 20.
    Security Breaches Today •Why NPOs should be concerned – Larger budgets/revenues are attractive – Mission statements draw hostile attention – Greater need for online service provision – Growing IT complexity to maintain operating efficiency and maximize member benefits – Increasing reliance on 3rd party cloud/hosting service providers
  • 21.
    Security Breaches Today •One breach, 6 investigations… – Internal investigation – Shareholders vs. Directors and Officers – Card brand vs. Company – Federal Government vs. Company – State Government vs. Company – Law Enforcement vs. Attacker
  • 22.
    Security Breaches Today •Weak credentials – Default credential provisioning – Susceptible to brute force attacks • System misconfiguration – Accidental exposure of administrative consoles – Stood up systems outside of policy – Firewall errors/complexity • Service/Software vulnerability – Heartbleed, Shellshock – Third party software • Web application vulnerability – Most commonly exploited – Custom code developed without security • Social engineering – Phishing, link clicking
  • 23.
    Security Breaches Today Websecurity today is both a proactive and reactive process…one must be fully prepared in both aspects to survive in the current threat environment.
  • 24.
    Attack Vector Mitigation- Business • Identify and understand your business risks as regards likely channels of attack • Educate Board and senior management on responsibilities and effectively managing cyber security risk • Proactively secure data, systems, policies, and procedures in advance…plan, Plan, PLAN • Gather and share cyber attack intelligence internally and among industry peers
  • 25.
    Attack Vector Mitigation- Business • Train staff and elevate cyber security awareness • Engage outside help when needed • Ensure compliance with all regulatory and certification security requirements • Respond clearly and deliberately to any critical incident…focus on maintaining stakeholder confidence • Benchmark your cyber security program in relation to your peers
  • 26.
  • 27.
    Secure Web Implementation •Protect each site with a valid SSL certificate and HTTPS protocol • Isolate web servers in the DMZ zone • Protect services in the Trusted zone • Disallow non-VPN or non-direct RDP access to any server
  • 28.
    Secure Web Implementation •GreenSQL - a unified, ready-to-use database security solution for all organizations. Easy to install, use and maintain – Hides and secures databases – Monitors all incoming and outgoing SQL queries – Alerts and blocks signature-based query attacks – Maintains database security policy in real-time – Protects against known and unknown database exploits
  • 29.
    Secure Web Implementation –GreenSQL is located between the iMIS application and the database, inspecting all access, including queries and database responses. This ensures complete coverage for securing, monitoring and masking of sensitive information stored in databases.
  • 30.
    Trusted Secure Web Implementation •Recommended GreenSQL deployment Database Server Green SQL iMIS Application Server Internal iMIS Clients DMZ Web Servers Public (web browsers) Registrants (web browsers) Firewall Firewall
  • 31.
    Penetration Testing • Processto identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques • Various end targets… – Full web site (Amazon, Google, iMIS customer) – Web application product (iMIS 20 out-of-the-box) • Various forms… – Social engineering – Application security – Physical penetration
  • 32.
    Penetration Testing • Automatedtesting tools – Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications – Cons – can frequently flag false positives, only as good as the latest signature database of known exploits • Adaptive (manual) testing techniques – Pros – follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous – Cons – labor-intensive, not easily repeatable, money sink
  • 33.
    Penetration Testing • ASIcommitted to conducting self penetration testing – iMIS 20-100/200 and 20-300 platforms – Integral to pre-EA/GA regression testing – Employ Netsparker tool as a start, will likely expand to others • ASI engaged independent penetration testing services in 2014 – Currently GA iMIS 20-100 and 20-300 platforms – Adaptive pen testing techniques and methodology – No critical vulnerabilities found – Secure coding practices strongly recommended
  • 34.
    ASI Corporate SecurityInitiative • Formed mid-2013 to address the issue of iMIS running as a secure web application for the benefit of our customers • Focused on three areas to mitigate our risk exposure with the use of the iMIS product – Web application product development – Site implementation – Cloud services • Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures
  • 35.
    Resources • Articles – Verizon2014 Data Breach Investigations Report - www.verizonenterprise.com/DBIR/2014/ – https://www.owasp.org/index.php/ASP.NET_Misconfigurations – http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common- mistakes-in-the-web-config-file.aspx – http://csae-trillium.tv/cyber-security-canadas-profit-organizations-attack- certain-loss/ • Best Practices – OWASP - www.owasp.org/index.php/Main_Page – NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework- 021214.pdf – www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf – www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf
  • 36.
    Crash Course: PCIv3 David Johnson – System Engineer
  • 37.
    Summary • What isPCI? • What has changed in PCI-DSS v3? • Scope Adjustment + Segment and Pentesting • Hosted Payment Pages Clarification • Sampling • POS Security • Tips & Tricks • What’s Next?
  • 38.
    Who We Are WHOWE ARE Company facts and figures SERVING GLOBAL GROWING INNOVATING over 3 MILLION subscribers with over 1,100 EMPLOYEES employees in 26 countries over 56 patents granted / pending VULNERABILITY MANAGEMENT Global Threat Database feeding Big Data back-end THREAT MANAGEMENT Integrated portfolio of technologies delivering comprehensive protection COMPLIANCE MANAGEMENT Leading provider of cloud delivered IT-GRC services
  • 39.
    WHAT IS THEPCI DSS? • The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data • Cardholder data is any personally identifiable data associated with a cardholder, including: – Primary Account Number – Expiry Date – Name • All merchants accepting debit/credit cards must comply with the PCI DSS at all times
  • 40.
    What has changed fromPCI v2 – v3?...
  • 41.
    PCI DSS v3Changes Definitions of Change Change Type Definition Number of Changes Clarification Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. 74 changes Additional guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. 5 changes Evolving Requirement Changes to ensure that the standards are up to date with emerging threats and changes in the market. 19 changes
  • 42.
    PCI DSS Version3.0 • Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].” • The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment • Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.” • As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” • The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment. Most Notable Changes (1/4) A Higher Bar to Achieve “Segmentation”
  • 43.
    PCI DSS Version3.0 • PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).” • Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems. • Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well. • The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure. Most Notable Changes (2/4) Hosted Payment Pages Are No Longer A “silver bullet”
  • 44.
    PCI DSS Version3.0 Most Notable Changes (3/4) Larger Samples Are Required • The new standard requires larger samples. Specifically, “Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.” • For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.
  • 45.
    PCI DSS Version3.0 • In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices. • First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device. • Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering Most Notable Changes (4/4) Greater Security Around POS Physical Controls
  • 46.
    PCI DSS Version3.0 • Annual Pentesting – Internal & External Network (qualified internal/external resource) • Segmentation must be verified – Applications (qualified internal/external resource) • Vulnerability Scanning – Internal (ASV or Self) – External (ASV only) • Default Passwords – must be changed • Security Education – pretty much everyone – Role appropriate. Additional Major Changes or Key Areas
  • 47.
    Tips & Tricks 1.Read the PCI-DSS v3. 2. Leverage your entire employee base. 3. Read InfoSec News. 4. Keep the conversation going. 5. Be able to show proof. 6. Stay on top of documentation. 7. Standardize and remove risk. 8. Know your compliance anniversary date. 9. Start your assessment early. 10.Establish your current Merchant Level.
  • 48.
    What’s Next? Things topay attention to in the near future • InfoSec companies expect an increase in CHD theft ahead of EMV 2015 integration deadline in the USA. • Employee and Business process security • P2PE – it’s new and still in the works
  • 50.
    Thank You • EricWassenaar, NFP Account Executive • ewassenaar@trustwave.com • (312) 470-8743
  • 51.
    Why the Eraof CRM is Over Brent Sitton Product Marketing Manager
  • 52.
    Why the Eraof CRM is Over
  • 53.
    Complex Integrations Disparate Products& Vendors High Cost of Ownership Designed for Staff + =A ‘Half-Cycle’ Approach Disparate Systems = A Risky Approach
  • 54.
  • 55.
    New Programs andServices • Survey method – Misleading Indications – Qualitative, not Quantitative • Full Implementation – Fraught with Risk
  • 56.
    Software Project Failure StandishCHAOS Report on Software Projects 1994 - 16% Successful 2013 – 39% Successful
  • 57.
    Just Do It! Putyour products on the web and customers will come…
  • 58.
    Learning Organization Learning –Validate your ideas using the scientific method • Hypothesize • Build Pilot • Measure • Learn
  • 59.
    Engagement Management • IntegrateWeb and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituents in ONE system • Interact with constituents on Any Device • Measure member interaction
  • 60.
    Pilot Project iniMIS • Community Service Groups – Notify targeted group – Collect information – Match them to volunteer event – See the measurable results
  • 61.
  • 64.
    Learning with anEMS • Integrate Web and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituent in ONE system • Interact with constituents on Any Device • Measure interaction
  • 65.
    Learning Organization iMIS RiSEenables your organization to LEARN from customers’ actions and behavior, understanding what they VALUE Ushering in the END of the CRM era
  • 66.
    Associations for Professionals inInfection Control and Epidemiology Artesha Moore, CAE Vice President, Membership, Education, and Technology
  • 67.
    About APIC Mission: Createa safer world through the prevention of infection. • Over 15,000 members from variety of practice settings within healthcare • 120 domestic and international chapters • 11 special interest groups (similar to Technical Councils) • Over 50% growth in past few years • Diverse membership with varying needs
  • 68.
    Challenge In 2005, APICwanted to grow, yet, systems were not in place • AMS out of date, inaccurate • No true web integration • Culture not supportive Membership growth is not possible without engagement
  • 69.
    Growth Leads toChallenges • Variable practice settings with varying needs • High % retiring in 5 years • Decreased time and increased demands impact member participation • Ever-changing regulations and need for new guidelines
  • 70.
    Member Engagement Means... •Ease of access to features • Integration of all technologies with AMS • Enhancing customer experience
  • 71.
    Engagement Strategy • Strengthenour AMS to enable greater connectivity to online resources • Get an accurate picture of our members using metrics and data • Increase capacity by automating routine tasks • Work with vendors to integrate 3rd party add-ons to expand program offerings Change internal culture to embrace both IT and member services
  • 72.
    Engagement Strategy Using datato make decisions: • Identifying key members groups • Tracking member activity and performance • Identifying new leaders • Integrating with new platforms
  • 73.
    Engagement Strategy • Openlines of communication between frontline staff, IT and leaders • Provide training to empower staff to act • Promote innovation at all levels • Connect personal goals with organizational goals • Be open to new ideas
  • 74.
    Embracing Technology... • Planmust support your strategic plan • Strong infrastructure is essential • Knowledgeable staff to help educate members • Develop partnership with vendors
  • 75.
    Enhancements Lead toNew Possibilities As APIC's database and web resources evolved, staff focused on more ways to get and keep members engaged.
  • 76.
  • 77.
    Results: New Leaders •Using customized tables to create a database within existing structure • Using scoring in social media to identify new leaders • Using web analytics to understand member content needs
  • 78.
  • 79.
    "The single mostimportant thing to remember about any enterprise is that there are no results inside its walls. The result of a business is a satisfied customer." Zig Ziglar, Sales and motivational speaker and writer
  • 80.
    Contact Information Artesha Moore,CAE Vice President, Membership, Education, and Technology APIC amoore@apic.org
  • 81.
  • 82.
    Florida Bankers Association Foundedin 1888 in support of Florida’s FDIC insured banks and financial institutions. – 22 Staff Members – Advocacy – Education – Membership – Associate Membership • Vendors – Endorsed Partner Program • Products – Other Services • Career Center, Fraudnet, Capwiz and more…
  • 83.
  • 84.
    Our Goal withiMIS 20 • 100% Retention of Members • Staff Productivity • More Efficient Member and Client Experience
  • 85.
    Solution: iMIS 20 •CRM & CMS in one system • Events, product sales, accounting, etc. in one system • Offline/Online transactions in one system • Total web integration
  • 86.
    Results iMIS 20 •Time Savings: Supporting one application instead of 5+ • Cost Savings: Paying for one application instead of 5+! • Reporting: Happy staff! • Ease of Use: One application vs. 5+ (Happy staff!!) • Member Engagement!
  • 87.
  • 88.
    Wrap Up David Riffle SeniorDirector Advanced Solutions International, Inc.
  • 89.
  • 90.
    Lessons Learned • Massivechange in communication is an opportunity to grow and thrive – Social networking - You Tube – Mobility - Personalization – Communities of Interests - Data Capture • C Level Executives must lead this transition
  • 91.
    Multiple systems increasethe complexity of securing data
  • 92.
  • 93.
    Albert Einstein Insanity: “doingthe same thing over and over again and expecting different results.”
  • 94.
    The era ofCRM is over.
  • 96.
  • 98.
  • 99.
    Wrap Up David Riffle SeniorDirector Advanced Solutions International, Inc.

Editor's Notes

  • #2 Can everyone take their seats? We’re going to go ahead and get started. Good morning! I’m David Riffle, welcome to our first CiO Summit on Data Security in a Mobile World. I’m very excited to be here with you today and I want to personally thank you for taking time out of your schedules to be here with us, and in return, we’re going to deliver a series of presentations that, hopefully, you will not only learn from, but be inspired with great ideas on how to better protect your association’s most valued asset – your data! With more and more technology moving to the cloud, data becomes more vulnerable. And we’re going to talk about not only how do modern systems protect that data, but all the other things you need to do beyond worrying about the technology you’re using. You’ll also get to hear, at high level, some of the great things an engagement management system like iMIS can provide to your association, while at the same time, mitigating the worry around a security breach. So let me provide you with a quick overview of the day.
  • #3 Timings for David’s use: 9.30am Welcome and Introduction 9.40am Information Security Threats and Strategies 10:00am What You Need to Know about PCI Compliance 10:20am Why the Era of CRM is Over 11:20am Closing Remarks
  • #4 Timings for David’s use: 9.30am Welcome and Introduction 9.40am Information Security Threats and Strategies 10:00am What You Need to Know about PCI Compliance 10:20am Why the Era of CRM is Over 11:20am Closing Remarks
  • #5 It’s really about the cloud and the move to mobile devices that’s making data more vulnerable. How do we protect against that? And at the same time, deliver on the two biggest challenges associations face….improving engagement and providing continuous performance improvement? It’s a very daunting task that none of us (who are old enough!) faced 20 years ago.
  • #6 As I said, massive changes have occurred in the way associations communicate with members. NBC news posted these pictures on Instagram, and it illustrates how fast that change is occurring. The first is the crowd that gathered to greet Pope Benedict in 2005, jump ahead, just 8 years, and look at the crowd that welcomed Pope Francis in 2013. Almost everyone has a mobile device. Look how fast we get data today, it’s almost instantaneous. Tell my story about going to lunch and forgetting my phone.
  • #7 That’s a lot of change for just 8 years! Today we are going to explore how you protect your data in today’s world. Not only have we brought together expert presenters on data security, but you will also hear from your peers on how they are doing this. The authors of the book “Race for Relevance – 5 Radical Changes for Associations,” wrote that “not for profits must redefine their approach to technology. Technology must become an integral component of the organizations function and performance, and security is one major aspect of that.” As leaders in technology, your role has to grow to make this happen, the message must be spread beyond the IT, Membership and Development. You have to consider not only your organization, but everyone that’s going to touch your data! Members, non-members, sponsors, legislative contacts, and so on and so on. Leadership throughout the organization needs to be engaged.
  • #8 Security is a major focus for ASI because it is fast becoming a priority for our 1800 clients worldwide, spanning 25 countries and 6 continents.
  • #9 As iMIS has evolved, it has become a web application, which is the most vulnerable location for data to be compromised. Whenever, there is a data breach, it doesn't have to be ASIs cloud, it could be a client's cloud, and if they can point back to our product as the breach, it could be huge - membership could sue us, regulators, like FTC, government, organization, state attorney general. The mitigating factor is the degree of preparedness that we already have, not if, but when a data breach occurs. You’re going to hear a lot about that risk mitigation today.
  • #10 We all live in a world that has accepted, as a way of life, the maintenance and integration of multiple systems and suppliers that create highly disparate and expensive to maintain solutions, which leads to higher data risk. One of the industry consultants we work actively monitors 52 AMS products for his clients. 52! How do you provide data security and policies in an environment like that?
  • #11 Data security is one of the reasons why we feel the era of CRM if over. It’s outdated, it was built to support a staff centric approach, without consideration for this massive move to a mobile environment. Our technology, iMIS, is one system, not 5 or 6. My challenge to you, after you leave today, go back and honestly assess, is can we survive a security breach, let alone deliver on improved engagement and continuous performance improvement! You’re going to hear from industry leaders that are practicing everything I discussed this morning, and we’re going to provide you with some tools that can greatly help you ensure that you’re protected and prepared. And whether you’re staying with your existing platform, or looking for a new one, you don’t invest in a technology platform that will never be able to meet your data security need, in addition to the strategic needs of your organization.
  • #14 With that, I’m going to ask Mark Breland to take over, and step you through Information Security Threats and Strategies.
  • #39 Everyday more than 3 million business trust Trustwave to provide security and compliance services for their everyday need. We were founded in 1995 and are celebrating our 20th anniversary this year. We are global with employees in nearly 26 countries and actively selling services throughout every major region – including North America, EMEA, Latin and Central America, and the Asia Pacific region. This global footprint is a proofpoint that we are trusted globally and can service customers 24x7 to “Follow the Threat” so you don’t have to. Finally, we have a unique portfolio of over 56 patents (and counting) that cut across three major areas of customer concern – threat, vulnerability and compliance management. The fact that we own and work with our own technology allows us to control the roadmap to providing integrated and cost-effective security in a manner that other MSSPs (managed security service providers) cannot, because they rely on third-party vendor that typically sell their technologies in a “Do-it-Yourself” manner.
  • #49  E2EE vs P2PE E2EE isn’t an official standard. P2PE – official standard, regulated and test by the PCI-SSC. Short list.
  • #53 Now I’d like to shift our focus to the benefits that an Engagement Management System can deliver to your organization and your constituents. Just as the security requirements are heightened in today’s mobile environment, we believe the demand for new and better services and programs are higher today than ever before.
  • #54 Today’s constituents demand more. They expect new online services and programs that are personalized to their needs and we believe that only an engagement management system enables you to deliver personalization over multiple devices. The traditional Donor & Association Management Software (AMS) & CRM Software just aren’t built for that. They were initially designed for the staff who needed to perform administrative tasks such as processing dues payments, donations, and event registrations. These systems were also designed for on premise use instead of the hosted model or the cloud! (CLICK) Later clients found they needed additional capability and this was added on. First there was a need for a member or donor portal. (CLICK) Then there was a need to add on new social communities capability. (CLICK) Next there were financial transaction processed thru other applications. (CLICK) Later as the industry evolved web sites with their own databases had to be connected with the CRM database. All of these systems were designed to track constituents and their demographics. (CLICK) We believe this is a Half-Cycle Approach to Association and Donor Management Software and we believe it will hinder your personal and organizational goal attainment!
  • #55 The iMIS 20 Engagement Management System, on the other hand, is ONE system that is FLEXIBLE and one that allows you to QUICKLY implement new programs and services, EASILY interact with constituents, provides them ONLINE access from ANY DEVICE, and MEASURES their interaction. Today, we’re going to highlight how easy it is to implement new programs and services using the RiSE system where you can manage everything in one place.
  • #56 In the past, when it comes to using your information system to implement new programs and services you really had 2 choices. This not only applies to the system infrastructure to support new programs and services but also to deciding which ONES to implement. There are no shortage of ideas, right? (CLICK) The first method is to dip your toe in the water by surveying members, asking them what services they want and how much they are willing to pay for them. (CLICK) Unfortunately, respondents have a VERY hard time articulating their thoughts and envisioning what a solution might look like. Surveys and Focus groups work well for feedback, but not for NEW services. It’s also not reliable because respondents aren’t being asked to actually vote with their actions – it’s all qualitative research. So that leaves you with the option to jump into the water based on your assumptions that the water is deep and that there’s nothing unpleasant in the water! We believe that BOTH these methods are outdated and can predominately lead to failure. Why do we say this…
  • #57 History tells us. The Standish group found in their 1994 CHAOS survey that only 16% of all software projects failed. They were either cancelled outright or were significantly over budget or delayed. We are improving as an industry, however when you start a software project, there is less than half chance that you will be successful. The stakes are high and we need to be right.
  • #58 Let’s take a look at two similar examples of companies that proves this point. Jumping in lead to disastrous results for the organization as in the case of Pets.com who filled a warehouse, built a large ecommerce system, and advertised in the super bowl only to discover that their assumptions were completely wrong.
  • #59 Zappos is a great example of this new method of ‘Learning’ the right programs and services to provide to customers. The founder believed that people were ready to purchase shoes online. But rather than filling a large warehouse at first, he worked with a few shoe stores. Zappos put that store’s inventory online. They tested his operation with the small number of users early. In the process, Zappos discovered something they didn’t know – that customer service and the ability to return products with no questions asked was the primary element to customer satisfaction. That’s the VALUE of being a Learning Organization – you WILL discover things as you implement the new service. THEN Zappos built the business model and the business. The end result is that Amazon purchased Zappos for $1.2 BILLION in 2009.
  • #60 In order to facility the learning model, however, you MUST have an engagement management system. (CLICK) You must be able to use information in your database to drive action on the web and vice-versa. (CLICK) You must have an adaptable system without costly customization. (CLICK) Sometimes things can be very simple – if you don’t have ALL the information about your customers in ONE system, it makes it very difficult to understand your customer. (CLICK) Today, your services MUST take mobile devices into account (CLICK) Finally, you have to be able to measure your customer’s actions and behaviors.
  • #61 So, today, let’s see how iMIS allows us to quickly implement a new service and learn from it. In this case, I’m going to use research from our partners at Marketing General. They tell us that the best method of ensuring customer retention in the first year is to ask the new customer to do something for the organization. We’re going to test that hypothesis. We’re going to organize groups of volunteers to participate in local community service projects to make them feel a part of the organization. This is a win for everybody. The organization gets committed constituents, they get to network with others in the organization and give back to the community at the same time. We’re going to start small though, maybe focus on a specific location. To do this, we need to select and target a small group of constituents and notify them of the event. We’ll create the structure to collect their volunteer interests and availability. We’ll match them with events according to their interests and availability. And finally, we’ll measure the results through real time charting and dashboards. Now we don’t have to wait a year to see if our program is working. We’ll use two measures to indicate success or failure. We’ll measure whether the constituent volunteers for another event and whether they encourage others to participate.
  • #65 As you can see, we used the iMIS RiSE engagement management system to quickly create a new program, allowed our constituents to access the service from any device, and we measured their interaction. In the process we validated with quantitative results that the service is valuable to constituents. We can now expand the program and achieve even greater results. We also learned something we didn’t expect – that the majority of our constituents have an affinity with the environment. This is knowledge we can use in all of our programs and services. It also allows us to evolve by offering more volunteer events related to the environment.
  • #66 This the TRUE VALUE of an Engagement Management System – it enables your organization to become a learning organization, one that can evolve according to the actions and behaviors of your members. Remembering the sobering reports that 61% of all software projects fail, and that there are competing ideas and demands on IT to support new programs and services, we know that becoming a learning organization is critical to your success and it takes an engagement management system to help get you there.
  • #73 Using data to make decisions Who are we looking to serve? How can we track perform using iMIS? How can we identify new leaders   Ease of integration is essential Engaging new generation of content leaders to drive new areas of business Online learning Communities of practice and new content generation Tracking performance using data and dashboards
  • #82 Intro IT Guy Been using iMIS 5 Years
  • #84 This slide shows all the disparate applications we were running…prior to iMIS 20. Basically staff would duplicate multiple tasks in multiple software applications to accomplish one goal. Even though we had computers we were still doing things manually. Staff had to enter the same data into multiple systems. Excel AND DMG AND Access… Reports were manually done in order to bring together the information from multiple sources. Registrations for events and educational programs were all manual. As well as all product orders were manual. Manual systems are tiring, inefficient and prone to error. So even though we had the technology and the resources we had gotten to the point of Disparate Applications Diminished Returns. We also knew we were not taking advantage of the internet, social media and eMailing. There had to be a better way…
  • #85 We are blessed with 100% retention of members… Our primary goal was and is staff productivity – we were doing the same job manually in multiple applications. And secondarily to create a more efficient member experience - event registration, product sales and community building for our members/clients.
  • #86 And there is a better way !! We needed to streamline our processes – put them in as few containers as possible – and get everyone in the same system and connect as many of them as possible. We needed to combine our disparate databases, applications and web tools into one easy to use system. iMIS 20 provided that solution for us. We combined our schools DB and member DB into one, we brought all the reporting into iMIS. We tied all of our accounting into the same database with easy integration into our accounting software. And using iMIS 20 we were able to integrate our website management tools into the same iMIS system!. And automate most of our processes, from event registrations to product purchases.
  • #87 We are really starting to see the results. Streamlined systems, better reporting from a single source, easy backups of everything, better security – it is easier to lock down one application then many. We can respond to our member/client needs more efficiently. Members can log into the website and see – in real time – their accounts – all tied to iMIS. At first the online registrations were slow… the bankers change slowly lol… but over the past year we have seen an exponential increase in online registrations and the purchasing of products. More and more members also log in and manage their own profiles. I have been using the Company Admin feature that allows someone in a company the rights to go online and update individual’s address, phone, email, title and interest areas – that we use for contacts and mailings As our members become accustomed to the online features, managing their own accounts, registering themselves and others in their companies, purchasing products easily from our store they are more aware of what we do provide for them over all. Our magazine is online – and only available for members. Found a sponsor for the website now that it has a real value. 100% paid for !
  • #88 Time Savings: Supporting one application instead of 5+ Cost Savings: Paying for one application instead of 5+! Reporting: Happy staff! Ease of Use: One application vs. 5+ (Happy staff!!) Member Engagement! We are really starting to see the results. Streamlined systems, better reporting from a single source, easy backups of everything, better security – it is easier to lock down one application then many. We can respond to our member/client needs more efficiently. Members can log into the website and see – in real time – their accounts – all tied to iMIS. At first the online registrations were slow… the bankers change slowly lol… but over the past year we have seen an exponential increase in online registrations and the purchasing of products. More and more members also log in and manage their own profiles. I have been using the Company Admin feature that allows someone in a company the rights to go online and update individual’s address, phone, email, title and interest areas – that we use for contacts and mailings As our members become accustomed to the online features, managing their own accounts, registering themselves and others in their companies, purchasing products easily from our store they are more aware of what we do provide for them over all. Our magazine is online – and only available for members. Found a sponsor for the website now that it has a real value. 100% paid for !
  • #89 I hope you enjoyed the day as much as we did. We learned a great deal and were energized by your participation and comments. I would like to thank all the presenters for sharing their knowledge with us, and thank everyone else for attending and paying attention!
  • #91 Nobody here needs to be convinced that massive change is upon us especially in the areas of information and communications and the impact it’s having on data security. Historically, this type of massive change has been a prescription for innovation and even re-invention of organizations. As with any major change leaders are needed; we know that you will return to your organizations later today and begin leading your organizations in this direction. Harrison Coever and Mary Byers’ book, Race for Relevance 5 Radical Changes for Associations reminds us that it is imperative for Not-For-Profit Organizations “to Bridge the Technology Gap and Build a Framework for the Future.” As leaders in the not-for-profit world we need to redefine our approach to technology and that “the adoption and exploitation of technology, particularly information and communication technologies, must become an integral component of the organizations functioning and performance.” To make this happen the message must be spread beyond the IT, Membership and Development departments.  Leadership in every organization needs to be engaged and the messages you hear today are messages that need to be repeated to CEOs and COOs in every Not for profit Organization.    
  • #92 You have seen this slide before, but I think it’s important to re-introduce it during the close. If your current technology platform looks like this, it does make data security more complex, not to mention increased costs due to continuing maintenance of each separate system, as well as reduced decision making capabilities because of multiple data silos thus making access to and protection of data more difficult. Not only complicating security efforts, but inhibiting your ability to – improve engagement and performance.
  • #93 Your platform for engagement of your members and donors needs to look more like this!! Massive change in communication is an opportunity to grow and thrive, but with this growth comes a greater need for protection. And at ASI, we take data security very seriously and it is fast becoming a key ingredient in the health of all our clients.
  • #94 You’ve all seen this quote before….
  • #95 CRMs were not designed to do this!! The ERA of CRM is over.
  • #96 This member needs to register for a conference using her phone after her work out from the stadium steps and she doesn’t want to worry that by doing so the data she sends you is at risk.
  • #97 Not sure how to move forward? The ASI success assessment helps identify gaps in your operations, in 4 key areas – recruit, engage, measure and grow. We use this analysis to help understand where you need to improve in order to drive member engagement and improve performance. If this interests you, let us know on the comment form.
  • #98 This assessment can lead to further engage with us through the Success Partnership program!! The purpose of this program is for you to be able to prove to yourself that the era of CRM is over and you need an Engagement Management System. Again, if this interests you, just let us know on the comment form and we can provide you with further information.
  • #99 So let’s all leave this meeting a little more prepared and aware, so that none of us are caught by surprise when we do have a data security breach. If you would please take a few moments to fill out the survey form we’ve distributed to you, and return those to us, we would really appreciate it. Thank you for your time, and I, along with the other presenters, will be more than happy to take individual questions you may have. Thanks again!