
CIO Summit: Data Security in a Mobile World

Date post: 17-Jul-2015
Upload: advanced-solutions-international
Data Security in a Mobile World
Transcript

The iMIS Cloud

Data Security in a Mobile World

Can everyone take their seats? We're going to go ahead and get started.

Good morning! I'm David Riffle, welcome to our first CIO Summit on Data Security in a Mobile World.

I'm very excited to be here with you today and I want to personally thank you for taking time out of your schedules to be here with us, and in return, we're going to deliver a series of presentations that, hopefully, you will not only learn from, but be inspired with great ideas on how to better protect your association's most valued asset: your data! With more and more technology moving to the cloud, data becomes more vulnerable.

And we're going to talk about not only how do modern systems protect that data, but all the other things you need to do beyond worrying about the technology you're using. You'll also get to hear, at high level, some of the great things an engagement management system like iMIS can provide to your association, while at the same time, mitigating the worry around a security breach.

So let me provide you with a quick overview of the day.

Agenda

Welcome and Introductions

David Riffle, Sr. Director, ASI

Information Security Threats and Strategies

Mark Breland, Sr. Product Engineering Exec., ASI

What You Need to Know about PCI Compliance

David Johnson, Systems Engineer, Trustwave

Timings for David's use:

9:30am Welcome and Introduction

9:40am Information Security Threats and Strategies

10:00am What You Need to Know about PCI Compliance

10:20am Why the Era of CRM is Over

11:20am Closing Remarks

Agenda

Why the Era of CRM is Over

Brent Sitton, Product Marketing Manager, ASI

Bruce Ryan, CIO, Florida Bankers Association

Artesha Moore, CIO, Association for Professionals in Infection Control and Epidemiology

Closing Remarks


It's really about the cloud and the move to mobile devices that's making data more vulnerable. How do we protect against that? And at the same time, deliver on the two biggest challenges associations face: improving engagement and providing continuous performance improvement? It's a very daunting task that none of us (who are old enough!) faced 20 years ago.

As I said, massive changes have occurred in the way associations communicate with members. NBC News posted these pictures on Instagram, and it illustrates how fast that change is occurring. The first is the crowd that gathered to greet Pope Benedict in 2005, jump ahead, just 8 years, and look at the crowd that welcomed Pope Francis in 2013. Almost everyone has a mobile device. Look how fast we get data today, it's almost instantaneous.

Tell my story about going to lunch and forgetting my phone.

That's a lot of change for just 8 years! Today we are going to explore how you protect your data in today's world.

Not only have we brought together expert presenters on data security, but you will also hear from your peers on how they are doing this.

The authors of the book Race for Relevance: 5 Radical Changes for Associations wrote that not for profits must redefine their approach to technology. Technology must become an integral component of the organization's function and performance, and security is one major aspect of that.

As leaders in technology, your role has to grow to make this happen, the message must be spread beyond the IT, Membership and Development. You have to consider not only your organization, but everyone that's going to touch your data! Members, non-members, sponsors, legislative contacts, and so on and so on. Leadership throughout the organization needs to be engaged.

1800 clients across 25 countries and 6 continents

Security is a major focus for ASI because it is fast becoming a priority for our 1800 clients worldwide, spanning 25 countries and 6 continents.

ASI and iMIS focus on being prepared to help minimize the risk of a security breach

As iMIS has evolved, it has become a web application, which is the most vulnerable location for data to be compromised. Whenever there is a data breach, it doesn't have to be ASI's cloud, it could be a client's cloud, and if they can point back to our product as the breach, it could be huge - membership could sue us, regulators, like FTC, government, organization, state attorney general. The mitigating factor is the degree of preparedness that we already have, not if, but when a data breach occurs. You're going to hear a lot about that risk mitigation today.

Many organizations have higher data risk due to multiple systems

We all live in a world that has accepted, as a way of life, the maintenance and integration of multiple systems and suppliers that create highly disparate and expensive to maintain solutions, which leads to higher data risk. One of the industry consultants we work with actively monitors 52 AMS products for his clients. 52! How do you provide data security and policies in an environment like that?

The era of CRM is over.

Data security is one of the reasons why we feel the era of CRM is over. It's outdated, it was built to support a staff centric approach, without consideration for this massive move to a mobile environment. Our technology, iMIS, is one system, not 5 or 6. My challenge to you, after you leave today, go back and honestly assess, is can we survive a security breach, let alone deliver on improved engagement and continuous performance improvement!

You're going to hear from industry leaders that are practicing everything I discussed this morning, and we're going to provide you with some tools that can greatly help you ensure that you're protected and prepared. And whether you're staying with your existing platform, or looking for a new one, you don't invest in a technology platform that will never be able to meet your data security need, in addition to the strategic needs of your organization.

Data Security used to be a lot more simple

than it is today.

Data Security in a Mobile World

With that, I'm going to ask Mark Breland to take over, and step you through Information Security Threats and Strategies.

Security: Vulnerabilities, Mitigation, and Defensive Measures

Mark Breland

Senior Product Engineering Executive

Agenda

Security breaches today

Attack vector mitigation

Secure web implementation

Penetration testing

ASI Corporate Security Initiative

Security Breaches Today

By the numbers: in the US, 2005 to April 2014

Recorded breaches = 4,455

Records exposed = 626,327,451

Cost per record = $188

Total cost = $117.8B

Breach attack patterns

52% of stolen data due to hacktivism

40% of breaches incorporated malware

Malicious or criminal attacks that exploit negligence or system glitches

Security Breaches Today

Primary data breach targets

Financial

Retail

Government

43% of all companies experienced a data breach in the last year

Of these, 27% had no response plan in place

80% had root cause in employee negligence

Membership organizations emerging

Controversial missions/philosophies

Play to self-anointed judgment of hacktivists

Least likely to have protections in place

Security Breaches Today

Cyber risk and liability

Target breach of 2013: 40M compromised records, potential company liability of $90/exposed record = $3.6B

Target directors and officers also facing derivative suits

Home Depot breach of 2014: 56M compromised PCI records, liability to exceed $3B

JPMorgan Chase breach of 2014: 83M compromised PII accounts

Anthem breach of 2015: 80M compromised PHI records

Data loss not typically covered under corporate insurance policies: cyber liability insurance required to cover corporate costs of a breach

Security Breaches Today

Cyber risk and liability

Brand value drops 17-31% after a breach

Data loss not typically covered under corporate insurance policies: cyber liability insurance required to cover corporate costs of a breach

Software vendors mostly protected by liability limits clauses in their EULAs

Custom developed software and software implementation is another story

Any technology company associated with a breach is open to litigation

Security Breaches Today

Why NPOs should be concerned

Larger budgets/revenues are attractive

Mission statements draw hostile attention

Greater need for online service provision

Growing IT complexity to maintain operating efficiency and maximize member benefits

Increasing reliance on 3rd party cloud/hosting service providers

Security Breaches Today

One breach, 6 investigations

Internal investigation

Shareholders vs. Directors and Officers

Card brand vs. Company

Federal Government vs. Company

State Government vs. Company

Law Enforcement vs. Attacker

Security Breaches Today

Weak credentials

Default credential provisioning

Susceptible to brute force attacks

System misconfiguration

Accidental exposure of administrative consoles

Stood up systems outside of policy

Firewall errors/complexity

Service/Software vulnerability

Heartbleed, Shellshock

Third party software

Web application vulnerability

Most commonly exploited

Custom code developed without security

Social engineering

Phishing, link clicking

Security Breaches Today

Web security today is both a proactive and reactive process: one must be fully prepared in both aspects to survive in the current threat environment.

Attack Vector Mitigation - Business

Identify and understand your business risks as regards likely channels of attack

Educate Board and senior management on responsibilities and effectively managing cyber security risk

Proactively secure data, systems, policies, and procedures in advance: plan, Plan, PLAN

Gather and share cyber attack intelligence internally and among industry peers

Attack Vector Mitigation - Business

Train staff and elevate cyber security awareness

Engage outside help when needed

Ensure compliance with all regulatory and certification security requirements

Respond clearly and deliberately to any critical incident: focus on maintaining stakeholder confidence

Benchmark your cyber security program in relation to your peers

Secure Web Implementation

Secure Web Implementation

Protect each site with a valid SSL certificate and HTTPS protocol

Isolate web servers in the DMZ zone

Protect services in the Trusted zone

Disallow non-VPN or non-direct RDP access to any server

Secure Web Implementation

GreenSQL - a unified, ready-to-use database security solution for all organizations.

Easy to install, use and maintain

Hides and secures databases

Monitors all incoming and outgoing SQL queries

Alerts and blocks signature-based query attacks

Maintains database security policy in real-time

Protects against known and unknown database exploits

Secure Web Implementation

GreenSQL is located between the iMIS application and the database, inspecting all access, including queries and database responses. This ensures complete coverage for securing, monitoring and masking of sensitive information stored in databases.

Secure Web Implementation

Recommended GreenSQL deployment

[Diagram labels: Trusted; Database Server; GreenSQL; iMIS Application Server; Internal iMIS Clients; DMZ; Web Servers; Public (web browsers); Registrants (web browsers); Firewall; Firewall]

Penetration Testing

Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques

Various end targets

Full web site (Amazon, Google, iMIS customer)

Web application product (iMIS 20 out-of-the-box)

Various forms

Social engineering

Application security

Physical penetration

Penetration Testing

Automated testing tools

Pros: covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications

Cons: can frequently flag false positives, only as good as the latest signature database of known exploits

Adaptive (manual) testing techniques

Pros: follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous

Cons: labor-intensive, not easily repeatable, money sink

Penetration Testing

ASI committed to conducting self penetration testing

iMIS 20-100/200 and 20-300 platforms

Integral to pre-EA/GA regression testing

Employ Netsparker tool as a start, will likely expand to others

ASI engaged independent penetration testing services in 2014

Currently GA iMIS 20-100 and 20-300 platforms

Adaptive pen testing techniques and methodology

No critical vulnerabilities found

Secure coding practices strongly recommended

ASI Corporate Security Initiative

Formed mid-2013 to address the issue of iMIS running as a secure web application for the benefit of our customers

Focused on three areas to mitigate our risk exposure with the use of the iMIS product

Web application product development

Site implementation

Cloud services

Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures

Resources

Articles

Verizon 2014 Data Breach Investigations Report - www.verizonenterprise.com/DBIR/2014/

https://www.owasp.org/index.php/ASP.NET_Misconfigurations

http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-mistakes-in-the-web-config-file.aspx

http://csae-trillium.tv/cyber-security-canadas-profit-organizations-attack-certain-loss/

Best Practices

OWASP - www.owasp.org/index.php/Main_Page

NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf

www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf

Crash Course: PCI v3

David Johnson, System Engineer

Summary

What is PCI?

What has changed in PCI-DSS v3?

Scope Adjustment + Segment and Pentesting

Hosted Payment Pages Clarification

Sampling

POS Security

Tips & Tricks

What's Next?

Who We Are

WHO WE ARE

Company facts and figures

SERVING

GLOBAL

GROWING

INNOVATING

over 3 MILLION subscribers

with over 1,100 EMPLOYEES

employees in 26 countries

over 56 patents granted / pending

VULNERABILITY MANAGEMENT

Global Threat Database feeding Big Data back-end

THREAT MANAGEMENT

Integrated portfolio of technologies delivering comprehensive protection

COMPLIANCE MANAGEMENT

Leading provider of cloud delivered IT-GRC services

Every day more than 3 million businesses trust Trustwave to provide security and compliance services for their everyday needs.

We were founded in 1995 and are celebrating our 20th anniversary this year.

We are global with employees in nearly 26 countries and actively selling services throughout every major region including North America, EMEA, Latin and Central America, and the Asia Pacific region. This global footprint is a proof point that we are trusted globally and can service customers 24x7 to Follow the Threat so you don't have to.

Finally, we have a unique portfolio of over 56 patents (and counting) that cut across three major areas of customer concern: threat, vulnerability and compliance management. The fact that we own and work with our own technology allows us to control the roadmap to providing integrated and cost-effective security in a manner that other MSSPs (managed security service providers) cannot, because they rely on third-party vendors that typically sell their technologies in a Do-it-Yourself manner.

WHAT IS THE PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data

Cardholder data is any personally identifiable data associated with a cardholder, including:

Primary Account Number

Expiry Date

Name

All merchants accepting debit/credit cards must comply with the PCI DSS at all times

What has changed from PCI v2 to v3?...

PCI DSS v3 Changes

Definitions of Change

Change Type: Clarification
Definition: Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.
Number of Changes: 74 changes

Change Type: Additional guidance
Definition: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Number of Changes: 5 changes

Change Type: Evolving Requirement
Definition: Changes to ensure that the standards are up to date with emerging threats and changes in the market.
Number of Changes: 19 changes

PCI DSS Version 3.0

Specifically, scoping has been clarified to indicate that system components include, "Any component or device located within or connected to the [cardholder data environment]."

The new language also states that the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.

Additionally, a new requirement has been added requiring that if segmentation is used, penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.

As further clarity, the standard states that, "To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE."

The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Active Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in-scope for the PCI assessment.

Most Notable Changes (1/4)

A Higher Bar to Achieve Segmentation
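
One way to turn the "connected to" scoping language on this slide into a repeatable check, as an added example that is not part of the original presentation or of the PCI DSS text: it classifies hosts from a list of allowed network flows and compares the result with the hosts an organization claims are out of scope. The host names, flow rules and the four status labels are constructed assumptions, and treating any chain of allowed flows as "could impact the CDE" is a deliberate simplification.

```python
from collections import deque

# Constructed sample data: host names, ports and rules are hypothetical.
CDE = {"pos-gw", "card-db"}
ALLOWED_FLOWS = [  # (source, destination, service) allow rules from firewall policy
    ("web-redirect", "pos-gw", "tcp/443"),     # web redirection server in front of payments
    ("pos-gw", "card-db", "tcp/1433"),
    ("card-db", "ad-dc", "tcp/389"),           # CDE host authenticates against the directory
    ("hr-laptop", "ad-dc", "tcp/445"),         # ordinary workstation talks to the same DC
    ("print-srv", "intranet-wiki", "tcp/80"),  # no rule links these to anything in scope
]
CLAIMED_OUT_OF_SCOPE = {"ad-dc", "hr-laptop", "print-srv", "intranet-wiki"}


def classify_scope(cde, flows):
    """Return {host: (status, chain)}.

    status is 'cde', 'connected' (direct flow to or from a CDE host),
    'could_impact' (can start a chain of allowed flows that ends at an
    in-scope host) or 'isolated'. chain lists the hosts linking it to the CDE.
    """
    hosts = set(cde)
    inbound = {}  # destination -> sources allowed to open a connection to it
    for src, dst, _svc in flows:
        hosts.update((src, dst))
        inbound.setdefault(dst, []).append(src)

    result = {h: ("cde", [h]) for h in cde}
    # A direct flow in either direction makes a host "connected to" the CDE.
    for src, dst, _svc in flows:
        if src in cde and dst not in cde:
            result.setdefault(dst, ("connected", [dst, src]))
        elif dst in cde and src not in cde:
            result.setdefault(src, ("connected", [src, dst]))

    # Walk the rules backwards from everything already in scope: a host that
    # can reach an in-scope host is a pivot point if it is compromised.
    queue = deque(sorted(result))
    while queue:
        target = queue.popleft()
        for src in sorted(inbound.get(target, [])):
            if src not in result:
                result[src] = ("could_impact", [src] + result[target][1])
                queue.append(src)

    for host in hosts:
        result.setdefault(host, ("isolated", []))
    return result


def segmentation_findings(claimed_out_of_scope, classification):
    """Hosts declared out of scope that the policy does not isolate from the CDE."""
    findings = []
    for host in sorted(claimed_out_of_scope):
        status, chain = classification.get(host, ("isolated", []))
        if status != "isolated":
            findings.append((host, status, chain))
    return findings


def segmentation_test_plan(claimed_out_of_scope, classification, cde):
    """(source, CDE target) pairs a segmentation test still has to confirm are blocked."""
    plan = []
    for host in sorted(claimed_out_of_scope):
        if classification.get(host, ("isolated", []))[0] == "isolated":
            plan.extend((host, target) for target in sorted(cde))
    return plan


if __name__ == "__main__":
    scope = classify_scope(CDE, ALLOWED_FLOWS)
    for host, status, chain in segmentation_findings(CLAIMED_OUT_OF_SCOPE, scope):
        print(f"{host}: claimed out of scope but {status} via {chain}")
    for src, dst in segmentation_test_plan(CLAIMED_OUT_OF_SCOPE, scope, CDE):
        print(f"verify no path from {src} to {dst}")
```

Hosts that come back isolated are only isolated on paper; the pairs from `segmentation_test_plan` are what the required segmentation penetration test has to confirm on the live network.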

PCI DSS Version 3.0

PCI DSS 3.0 offers a new definition of system components: System components include systems that may impact the security of the CDE (for example web redirection servers).

Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant's systems.

Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company's network into scope as well.

The only out for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure.

Most Notable Changes (2/4)

Hosted Payment Pages Are No Longer A silver bullet

PCI DSS Version 3.0

Most Notable Changes (3/4)

Larger Samples Are Required

The new standard requires larger samples. Specifically, "Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application."

For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.

PCI DSS Version 3.0

In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices.

First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device.

Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering.

Most Notable Changes (4/4)

Greater Security Around POS Physical Controls

PCI DSS Version 3.0

Annual Pentesting

Internal & External Network (qualified internal/external resource)

Segmentation must be verified

Applications (qualified internal/external resource)

Vulnerability Scanning

Internal (ASV or Self)

External (ASV only)

Default Passwords must be changed

Security Education: pretty much everyone

Role appropriate.

Additional Major Changes or Key Areas

Tips & Tricks

Read the PCI-DSS v3.

Leverage your entire employee base.

Read InfoSec News.

Keep the conversation going.

Be able to show proof.

Stay on top of documentation.

Standardize and remove risk.

Know your compliance anniversary date.

Start your assessment early.

Establish your current Merchant Level.

What's Next?

Things to pay attention to in the near future

InfoSec companies expect an increase in CHD theft ahead of EMV 2015 integration deadline in the USA.

Employee and Business process security

P2PE: it's new and still in the works

E2EE vs P2PE

E2EE isn't an official standard.

P2PE: official standard, regulated and tested by the PCI-SSC. Short list.

Thank You

Eric Wassenaar, NFP Account Executive

(312) 470-8743

Why the Era of CRM is Over

Brent Sitton, Product Marketing Manager

Why the Era of CRM is Over

Now I'd like to shift our focus to the benefits that an Engagement Management System can deliver to your organization and your constituents.

Just as the security requirements are heightened in today's mobile environment, we believe the demand for new and better services and programs is higher today than ever before.

Complex Integrations

Disparate Products & Vendors

High Cost of Ownership

Designed for Staff

Member Portal

Social Communities

Main Association Web site

Mobile

A Half-Cycle Approach

Financial Transactions

Disparate Systems = A Risky Approach

Today's constituents demand more. They expect new online services and programs that are personalized to their needs and we believe that only an engagement management system enables you to deliver personalization over multiple devices.

The traditional Donor & Association Management Software (AMS) & CRM Software just aren't built for that. They were initially designed for the staff who needed to perform administrative tasks such as processing dues payments, donations, and event registrations. These systems were also designed for on premise use instead of the hosted model or the cloud!

(CLICK) Later clients found they needed additional capability and this was added on. First there was a need for a member or donor portal.

(CLICK) Then there was a need to add on new social communities capability.

(CLICK) Next there were financial transactions processed thru other applications.

(CLICK) Later as the industry evolved web sites with their own databases had to be connected with the CRM database.

All of these systems were designed to track constituents and their demographics.

(CLICK) We believe this is a Half-Cycle Approach to Association and Donor Management Software and we believe it will hinder your personal and organizational goal attainment!

Engagement Management System

The iMIS 20 Engagement Management System, on the other hand, is ONE system that is FLEXIBLE and one that allows you to QUICKLY implement new programs and services, EASILY interact with constituents, provides them ONLINE access from ANY DEVICE, and MEASURES their interaction.

Today, we're going to highlight how easy it is to implement new programs and services using the RiSE system where you can manage everything in one place.

New Programs and Services

Survey method

Misleading Indications

Qualitative, not Quantitative

Full Implementation

Fraught with Risk

In the past, when it comes to using your information system to implement new programs and services you really had 2 choices. This not only applies to the system infrastructure to support new programs and services but also to deciding which ONES to implement. There are no shortage of ideas, right?

(CLICK) The first method is to dip your toe in the water by surveying members, asking them what services they want and how much they are willing to pay for them.

(CLICK) Unfortunately, respondents have a VERY hard time articulating their thoughts and envisioning what a solution might look like. Surveys and Focus groups work well for feedback, but not for NEW services.

It's also not reliable because respondents aren't being asked to actually vote with their actions: it's all qualitative research.

So that leaves you with the option to jump into the water based on your assumptions that the water is deep and that there's nothing unpleasant in the water!

We believe that BOTH these methods are outdated and can predominately lead to failure.

Why do we say this

Software Project Failure

Standish CHAOS Report on Software Projects

1994 - 16% Successful

2013 - 39% Successful

History tells us.

The Standish group found in their 1994 CHAOS survey that only 16% of all software projects failed. They were either cancelled outright or were significantly over budget or delayed.

We are improving as an industry, however when you start a software project, there is less than half chance that you will be successful. The stakes are high and we need to be right.

Just Do It!

Put your products on the web and customers will come

Let's take a look at two similar examples of companies that prove this point.

Jumping in led to disastrous results for the organization as in the case of Pets.com who filled a warehouse, built a large ecommerce system, and advertised in the Super Bowl only to discover that their assumptions were completely wrong.

Learning Organization

Learning: Validate your ideas using the scientific method

Hypothesize

Build Pilot

Measure

Learn

Zappos is a great example of this new method of Learning the right programs and services to provide to customers.

The founder believed that people were ready to purchase shoes online. But rather than filling a large warehouse at first, he worked with a few shoe stores.

Zappos put that store's inventory online.

They tested his operation with the small number of users early.

In the process, Zappos discovered something they didn't know: that customer service and the ability to return products with no questions asked was the primary element to customer satisfaction.

That's the VALUE of being a Learning Organization: you WILL discover things as you implement the new service.

THEN Zappos built the business model and the business.

The end result is that Amazon purchased Zappos for $1.2 BILLION in 2009.

Engagement Management

Integrate Web and Data Quickly

Flexibility to adapt to deliver new services

Complete 360 view of your constituents in ONE system

Interact with constituents on Any Device

Measure member interaction

In order to facilitate the learning model, however, you MUST have an engagement management system.

(CLICK) You must be able to use information in your database to drive action on the web and vice-versa.

(CLICK) You must have an adaptable system without costly customization.

(CLICK) Sometimes things can be very simple: if you don't have ALL the information about your customers in ONE system, it makes it very difficult to understand your customer.

(CLICK) Today, your services MUST take mobile devices into account.

(CLICK) Finally, you have to be able to measure your customers' actions and behaviors.

Pilot Project in iMIS

Community Service Groups

Notify targeted group

Collect information

Match them to volunteer event

See the measurable results

So, today, let's see how iMIS allows us to quickly implement a new service and learn from it. In this case, I'm going to use research from our partners at Marketing General. They tell us that the best method of ensuring customer retention in the first year is to ask the new customer to do something for the organization.

We're going to test that hypothesis. We're going to organize groups of volunteers to participate in local community service projects to make them feel a part of the organization. This is a win for everybody. The organization gets committed constituents, they get to network with others in the organization and give back to the community at the same time.

We're going to start small though, maybe focus on a specific location.

To do this, we need to select and target a small group of constituents and notify them of the event.

We'll create the structure to collect their volunteer interests and availability.

We'll match them with events according to their interests and availability.

And finally, we'll measure the results through real time charting and dashboards.

Now we don't have to wait a year to see if our program is working. We'll use two measures to indicate success or failure. We'll measure whether the constituent volunteers for another event and whether they encourage others to participate.

Demonstration

Collect New Information

Notify Members

Measure Results

Learning with an EMS

Integrate Web and Data Quickly

Flexibility to adapt to deliver new services

Complete 360 view of your constituent in ONE system

Interact with constituents on Any Device

Measure interaction

As you can see, we used the iMIS RiSE engagement management system to quickly create a new program, allowed our constituents to access the service from any device, and we measured their interaction.

In the process we validated with quantitative results that the service is valuable to constituents. We can now expand the program and achieve even greater results.

We also learned something we didn't expect: that the majority of our constituents have an affinity with the environment. This is knowledge we can use in all of our programs and services. It also allows us to evolve by offering more volunteer events related to the environment.

Learning Organization

iMIS RiSE enables your organization to LEARN from customers' actions and behavior, understanding what they VALUE

Ushering in the END

of the CRM era

This is the TRUE VALUE of an Engagement Management System: it enables your organization to become a learning organization, one that can evolve according to the actions and behaviors of your members.

Remembering the sobering reports that 61% of all software projects fail, and that there are competing ideas and demands on IT to support new programs and services, we know that becoming a learning organization is critical to your success and it takes an engagement management system to help get you there.

Association for Professionals in Infection Control and Epidemiology

Artesha Moore, CAE

Vice President, Membership, Education, and Technology

About APIC

Mission: Create a safer world through the prevention of infection.

Over 15,000 members from a variety of practice settings within healthcare

120 domestic and international chapters

11 special interest groups (similar to Technical Councils)

Over 50% growth in past few years

Diverse membership with varying needs

Challenge

In 2005, APIC wanted to grow, yet, systems were not in place

AMS out of date, inaccurate

No true web integration

Culture not supportive

Membership growth is not possible without engagement

Growth Leads to Challenges

Variable practice settings with varying needs

High % retiring in 5 years

Decreased time and increased demands impact member participation

Ever-changing regulations and need for new guidelines

Member Engagement Means...

Ease of access to features

Integration of all technologies with AMS

Enhancing customer experience

Engagement Strategy

Strengthen our AMS to enable greater connectivity to online resources

Get an accurate picture of our members using metrics and data

Increase capacity by automating routine tasks

Work with vendors to integrate 3rd party add-ons to expand program offerings

Change internal culture to embrace both IT and member services

Engagement Strategy

Using data to make decisions:

Identifying key members groups

Tracking member activity and performance

Identifying new leaders

Integrating with new platforms

Using data to make decisions

Who are we looking to serve?

How can we track performance using iMIS?

How can we identify new leaders?

Ease of integration is essential

Engaging new generation of content leaders to drive new areas of business

Online learning

Communities of practice and new content generation

Tracking performance using data and dashboards

Engagement Strategy

Open lines of communication between frontline staff, IT and leaders

Provide training to empower staff to act

Promote innovation at all levels

Connect personal goals with organizational goals

Be open to new ideas

Embracing Technology...

Plan must support your strategic plan

Strong infrastructure is essential

Knowledgeable staff to help educate members

Develop partnership with vendors

Enhancements Lead to New Possibilities

As APIC's database and web resources evolved, staff focused on more ways to get and keep members engaged.

Results

Results: New Leaders

Using customized tables to create a database within existing structure

Using scoring in social media to identify new leaders

Using web analytics to understand member content needs

Results: Growth

41+% Membership Growth

"The single most important thing to remember about any enterprise is that there are no results inside its walls. The result of a business is a satisfied customer."

Zig Ziglar, Sales and motivational speaker and writer

Contact Information

Artesha Moore, CAE

Vice President, Membership, Education, and Technology

APIC

[email protected]

Florida Bankers Association

Bruce Ryan, DBA and Web Manager

Intro

IT Guy

Been using iMIS 5 Years

Florida Bankers Association

Founded in 1888 in support of Florida's FDIC-insured banks and financial institutions.

22 Staff Members

Advocacy

Education

Membership

Associate Membership

Vendors

Endorsed Partner Program

Products

Other Services

Career Center, Fraudnet, Capwiz and more

Challenge: Disparate Applications

Schools DB

Member DB

Accounting DB

Reports

WWW

CMS

CRM

AMS

This slide shows all the disparate applications we were running prior to iMIS 20.

Basically staff would duplicate multiple tasks in multiple software applications to accomplish one goal.

Even though we had computers we were still doing things manually.

Staff had to enter the same data into multiple systems. Excel AND DMG AND Access

Reports were manually done in order to bring together the information from multiple sources.

Registrations for events and educational programs were all manual.

As well as all product orders were manual.

Manual systems are tiring, inefficient and prone to error.

So even though we had the technology and the resources we had gotten to the point of Disparate Applications Diminished Returns.

We also knew we were not taking advantage of the internet, social media and eMailing.

There had to be a better way

Our Goal with iMIS 20

100% Retention of Members

Staff Productivity

More Efficient Member and Client Experience

We are blessed with 100% retention of members

Our primary goal was and is staff productivity; we were doing the same job manually in multiple applications.

And secondarily to create a more efficient member experience - event registration, product sales and community building for our members/clients.

Solution: iMIS 20

CRM & CMS in one system

Events, product sales, accounting, etc. in one system

Offline/Online transactions in one system

Total web integration

And there is a better way!!

We needed to streamline our processes, put them in as few containers as possible, get everyone in the same system, and connect as many of them as possible.

We needed to combine our disparate databases, applications and web tools into one easy to use system.

iMIS 20 provided that solution for us.

We combined our schools DB and member DB into one, we brought all the reporting into iMIS.

We tied all of our accounting into the same database with easy integration into our accounting software.

And using iMIS 20 we were able to integrate our website management tools into the same iMIS system!

And automate most of our processes, from event registrations to product purchases.

Results iMIS 20

Time Savings: Supporting one application instead of 5+

Cost Savings: Paying for one application instead of 5+!

Reporting: Happy staff!

Ease of Use: One application vs. 5+ (Happy staff!!)

Member Engagement!

We are really starting to see the results.

Streamlined systems, better reporting from a single source, easy backups of everything, better security: it is easier to lock down one application than many.

We can respond to our member/client needs more efficiently.

Members can log into the website and see in real time their accounts all tied to iMIS.

At first the online registrations were slow (the bankers change slowly, lol), but over the past year we have seen an exponential increase in online registrations and the purchasing of products.

More and more members also log in and manage their own profiles.

I have been using the Company Admin feature that allows someone in a company the rights to go online and update individuals' address, phone, email, title and interest areas that we use for contacts and mailings.

As our members become accustomed to the online features, managing their own accounts, registering themselves and others in their companies, purchasing products easily from our store, they are more aware of what we do provide for them overall.

Our magazine is online and only available for members.

Found a sponsor for the website now that it has a real value.

100% paid for!

Wrap Up

David Riffle

Senior Director

Advanced Solutions International, Inc.

I hope you enjoyed the day as much as we did. We learned a great deal and were energized by your participation and comments. I would like to thank all the presenters for sharing their knowledge with us, and thank everyone else for attending and paying attention!

Be Prepared

Lessons Learned

Massive change in communication is an opportunity to grow and thrive

Social networking - You Tube

Mobility - Personalization

Communities of Interests - Data Capture

C Level Executives must lead this transition

Nobody here needs to be convinced that massive change is upon us, especially in the areas of information and communications and the impact it's having on data security. Historically, this type of massive change has been a prescription for innovation and even re-invention of organizations. As with any major change, leaders are needed; we know that you will return to your organizations later today and begin leading your organizations in this direction.

Harrison Coerver and Mary Byers' book, Race for Relevance: 5 Radical Changes for Associations, reminds us that it is imperative for Not-For-Profit Organizations to Bridge the Technology Gap and Build a Framework for the Future.

As leaders in the not-for-profit world we need to redefine our approach to technology, and the adoption and exploitation of technology, particularly information and communication technologies, must become an integral component of the organization's functioning and performance.

To make this happen, the message must be spread beyond the IT, Membership and Development departments. Leadership in every organization needs to be engaged, and the messages you hear today are messages that need to be repeated to CEOs and COOs in every Not-for-Profit Organization.

Multiple systems increase the complexity of securing data

You have seen this slide before, but I think it's important to re-introduce it during the close. If your current technology platform looks like this, it does make data security more complex, not to mention increased costs due to continuing maintenance of each separate system, as well as reduced decision-making capabilities because of multiple data silos, thus making access to and protection of data more difficult. Not only complicating security efforts, but inhibiting your ability to improve engagement and performance.

Engagement Management System

Your platform for engagement of your members and donors needs to look more like this!!

Massive change in communication is an opportunity to grow and thrive, but with this growth comes a greater need for protection. And at ASI, we take data security very seriously and it is fast becoming a key ingredient in the health of all our clients.

Albert Einstein

Insanity: doing the same thing over and over again and expecting different results.

You've all seen this quote before.

The era of CRM is over.

CRMs were not designed to do this!! The ERA of CRM is over.

This member needs to register for a conference using her phone after her workout from the stadium steps, and she doesn't want to worry that by doing so the data she sends you is at risk.

http://bit.ly/ASISuccess

Success Assessment

Not sure how to move forward? The ASI success assessment helps identify gaps in your operations in 4 key areas: recruit, engage, measure and grow. We use this analysis to help understand where you need to improve in order to drive member engagement and improve performance. If this interests you, let us know on the comment form.

This assessment can lead to further engagement with us through the Success Partnership program!! The purpose of this program is for you to be able to prove to yourself that the era of CRM is over and you need an Engagement Management System. Again, if this interests you, just let us know on the comment form and we can provide you with further information.

Thanks!

1-800-727-8682

www.advsol.com

www.imis.com/tour

@advsol.com

So let's all leave this meeting a little more prepared and aware, so that none of us are caught by surprise when we do have a data security breach. If you would please take a few moments to fill out the survey form we've distributed to you, and return those to us, we would really appreciate it.

Thank you for your time, and I, along with the other presenters, will be more than happy to take individual questions you may have. Thanks again!

Volunteer Form

CIO Email

