MemberzPlus Security

Security culture is the set of values shared by everyone on the MemberzPlus team. This determines how people think about and approach security. Getting security culture right helps develop a security-conscious workforce and promote the desired behaviors.

Intro

A quick Google search on the definition of “security” returns as the first result: “the state of being free from danger or threat.” Unfortunately, there is no such state in the realm of applications such as MemberzPlus. We serve as a conduit and repository of information that is not only valuable to our customers but also can have value to others who would look to exploit that data for gain. Because of this, the threat is ever-present, and we can never be completely free from danger or threat as the definition above states. But before we get overly gloomy and defeatist, I would point out that we are not powerless victims destined for exploitation at the hands of an unseen menace. There are plenty of actions we can take to protect our operations and our data, and the MemberzPlus team is committed to doing just that to protect us from the villainous threat.

The MemberzPlus application is provided within a Software as a Service (SaaS) model. This means we are not just giving you a disc or license key to install our application in your environment. Instead, we are providing not only the application software but also the application server, database server, hosting hardware, and the physical facility that houses it all. Since we are taking on most of the infrastructure requirements and lessening those of our customers, we are also taking on a greater share of the security responsibility. Given that, it is not hard to see that this SaaS model demands that we take a well-defined and comprehensive approach to security. An important aspect of that approach is having a playbook to follow and feedback on existing security measures. With that in mind, I want to provide you a brief overview of some of the things we use to guide our effort regarding securing MemberzPlus.

SOC Audit

One of the key aspects of our overall security policy is that we don’t just trust ourselves in all this. We also depend on an outside party to help us make sure we are not overlooking something. This is primarily in the form of an annual SOC 1 (SSAE 18) audit. That terminology may not have meaning to all of you; it is essentially a systematic review of the processes, procedures and controls we have in place regarding security, performed by an outside auditor trained and accredited to do so. The audit is broken down into a number of areas, including:

  • Control Environment – this is concerned with the discipline and structure of our team and how management implements and oversees policy. So, it is concerned with a big-picture look at how we function as an organization.
  • Physical Security – just like it sounds, this is focused on our building and how access to it is controlled, as well as access to critical equipment within it, such as server rooms. This also applies to off-premises partner facilities that host hardware for us. Each of these partner facilities undergoes its own SOC audits as well.
  • Environmental Security – this looks at our plans and contingencies for dealing with things like power outages and fires.
  • Backup and Storage – looks at backup procedures, including schedules, retention periods and recovery plans. We can customize these based on the varying needs of our customers.
  • System Uptime and Maintenance – is concerned with those things that help ensure system availability. This includes a variety of things such as server monitoring, patching procedures, anti-virus software, trouble ticket resolution, and helpdesk operations, among others.
  • Information Security – this is the meat-and-potatoes section regarding security. This covers things like PCI compliance, password policy, remote access rules, firewall implementation, data encryption methods, communication protocols and more.
  • Application Development, Change Management and Quality Assurance – this section is concerned with our procedures for developing and deploying software in a way that prevents introducing problems and security risks.

The above is just a brief description of the major topics in the audit. During the audit process each topic is broken down into very specific sub-elements on which we are evaluated to demonstrate compliance. The comprehensive and rigorous nature of this audit helps give us confidence that we are taking reasonable and sufficient measures to safeguard our MemberzPlus data and operations. We routinely share these audit results with our customers to show the detailed items covered and the auditor’s findings on each item.

Other Tools

While the SOC audit is the most comprehensive review we undergo, there are a number of other tools that we use to help us make MemberzPlus even more secure. Among these are:

  • PCI DSS – This is the Payment Card Industry Data Security Standard; it is a set of requirements for data security intended to help safeguard the storage and processing of credit card data. We are a level 3 credit card merchant under this standard and conduct an annual self-assessment to ensure we are complying with its requirements.
  • TQS5 – The Technology Quality Standard 5 is a customer-developed standard from the National AAA Motor Club organization. Each local AAA franchise must meet the standards defined in TQS5. Since several regional AAA clubs are MemberzPlus users, we undergo an annual assessment against their TQS5 standard.
  • Penetration scans – We run an automated penetration scan tool against any exposed elements of our environment on a quarterly basis. This tool provides a very detailed report, which we use to remediate any discovered issues and confirm we are protected against known vulnerabilities.
  • Weekly meetings – Our internal infrastructure team meets on a weekly basis to discuss all aspects of maintaining the IT infrastructure that we and our customers depend on. These regular meetings involve our DBAs, network engineers, server admins, developers and managers, and help us ensure that we are keeping our environment updated and secure. We feel these regularly scheduled meetings with key stakeholders are a major component of staying on top of security issues and being proactive in our security program.

Conclusion

We leave you with one last definition: Google tells us that “mitigate” is to “make less severe, serious, or painful”. At MemberzPlus we know that the safety and security of our customers’ data and operational transactions is our business. I have outlined a few of the steps we take to help us audit and manage our efforts to provide that security. Though we may never be totally free from threat when it comes to security, the MemberzPlus team believes our vigilant and systematic approach to security does greatly mitigate that threat.


Wendell Riley
COO

Mr. Riley joined the company in 1998 as an experienced developer in Oracle and PL/SQL. He has been a technical lead and task manager on numerous high-visibility projects within Ross Group’s Veterinary Solution Division and now with MemberzPlus. These tasks include the initial go-live implementations at numerous large teaching hospitals as well as a migration of the product from a client/server model to a three-tier application server model. Mr. Riley served as an officer in the United States Marine Corps and as a task lead at Computer Sciences Corporation (CSC) prior to joining Ross Group. He holds bachelor’s degrees in Aviation Management and Computer Sciences.