Reporting a security issue to NACDS

NACDS IT and communications staff continuously monitor our network for indications of security vulnerabilities that may put customer data at risk. Should you have any reason to believe that an issue has gone undetected, we encourage you to report it immediately. This page presents the best way to report such problems to us and introduces our response protocol.

Please contact us via email to security@nacds.org.

Infrastructure

NACDS is a hosted web service. Its infrastructure has been built with disaster recovery in mind.

Data

The NACDS office is located in Arlington, Virginia. Our member data is held in our secure on-premises data center. Data is transferred securely to our third-party vendors for registration processing.

Our state-of-the-art servers are protected by magnetic card locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. Onsite staff present 24/7/365 provide extra protection against unauthorized entry and security breaches.


Data protection strategy

We perform continuous database and storage backups, including daily offsite backups, with unlimited retention when necessary.

Incident management and disaster recovery

We perform hourly backups of all databases, and files are backed up automatically after they are uploaded to NACDS. Our backups are tested regularly, and we have procedures in place for responding to various incidents.

Data Transfer

Communication with the application and the website takes place over HTTPS. All data sent to or from NACDS is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs’ tests, which means we use only strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
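As an added illustration, and not code or configuration belonging to NACDS, the following Python checks two of the transport-security properties claimed above from the defender's side: that a Strict-Transport-Security (HSTS) header is actually enforceable, and that every cipher suite a server offers provides forward secrecy. The sample header value and suite list are constructed; the thresholds used (a max-age of at least one year and includeSubDomains set) are common recommendations and an assumption of this example rather than anything stated on this page.

```python
"""Verify HSTS and forward-secrecy claims for an HTTPS endpoint.

Added example: the header value and cipher suite list below are constructed
so the checks run offline. In practice you would feed in the headers of a
real response and the suites reported by your TLS scanner of choice.
"""
from dataclasses import dataclass

# Assumption of this example: one year is the commonly recommended minimum max-age.
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns None when the header is absent or carries no valid max-age,
    because a browser would not enforce such a header either.
    """
    if not header_value:
        return None
    max_age = None
    include_sub = False
    preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def hsts_findings(header_value):
    """Return a list of weaknesses in the policy; empty means it looks sound."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no enforceable HSTS policy (header missing or max-age invalid)"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is under one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


def has_forward_secrecy(cipher_suite):
    """True when the IANA suite name uses ephemeral (EC)DH key exchange.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral keys;
    for TLS 1.2 the key-exchange prefix must be ECDHE or DHE. Static RSA
    key transport (TLS_RSA_*) offers no forward secrecy.
    """
    name = cipher_suite.upper()
    if name.startswith("TLS_AES_") or name.startswith("TLS_CHACHA20_"):
        return True
    return name.startswith("TLS_ECDHE_") or name.startswith("TLS_DHE_")


def non_pfs_suites(offered):
    """Return the offered suites that should be removed to keep PFS complete."""
    return [s for s in offered if not has_forward_secrecy(s)]


# Constructed sample input: one response header and one server's offered suites.
SAMPLE_HSTS = "max-age=63072000; includeSubDomains; preload"
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    print("HSTS findings:", hsts_findings(SAMPLE_HSTS))
    print("Suites without forward secrecy:", non_pfs_suites(SAMPLE_SUITES))
```

On the constructed sample the HSTS policy passes, while the static-RSA suite is flagged: a server that still offers it has not fully enabled forward secrecy even if its other suites are fine.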

Being on NACDS’s network grants no access to corporate resources and no additional privileges. We enforce two-factor authentication (2FA) and strong password policies for the cloud services we use.

All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is updated regularly with the latest security patches.

Permissions and Admin Controls

Permission levels can be set for every employee with access to NACDS. Permissions and access control are applied to sensitive parts of the application: the backend, servers, user data and application settings, billing, finance, and support details.

Control measures

Control measures are steps or mechanisms that reduce or eliminate threats to the Service and help monitor its health and performance. For the NACDS application we perform periodic availability, health, performance and backup checks:

·      24/7 availability checks of the Service (every 1 to 5 minutes).
·      Real-time crash logs: errors that occur when using the Service are logged, so that unwanted events are detected early.
·      Automatic database health checks.

Build Process Automation

We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to our application within minutes. We have high confidence that we can get a security fix out quickly when required.

Incident Response

NACDS will promptly notify you in writing upon verification of a security breach of the NACDS services that affects your data. Notification will describe the breach and the status of NACDS’s investigation.

Disaster recovery

Disaster recovery involves a set of policies and procedures that enable the recovery of the Service following a natural or human-induced disaster. In the event of human-induced data loss, we can restore the application and database from the latest available backup (depending on the backup retention period) in a timely manner.

Application Monitoring

All access to NACDS applications is logged and audited.

Application Evaluation

The application is covered by automatic unit and integration tests run through continuous integration (CI), including security-focused checks. We have many unit and integration tests in place to ensure our access and privacy controls work as expected. These tests run every time our codebase is updated, and no code is shipped to production if a test fails.

Service Levels

We have uptime of 99.9% or higher.

Security Audits

We use tools such as SolarWinds to monitor access to our infrastructure and provide real-time access alerts. Auditing allows us to perform ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

We also have alerts in place for excessive resource use that escalate to our IS team for manual investigation. Our products run on a dedicated network that is secured with firewalls and carefully monitored.

GDPR compliance

We are GDPR compliant as of 25 May 2018.

PCI Obligations

NACDS is subject to PCI obligations and actively works to maintain compliance. All payment instrument processing is handled by PayPal and Personify software, which also comply with PCI standards.

Our Third Parties list

NACDS engages certain third-party processors that may process personal data submitted to NACDS’s services. These sub-processors are listed below and may be updated by NACDS from time to time:

·      Accumail – Address validation
·      Alpha Graphics – Print services
·      Capitol Marking Products, Inc – Office signs provider
·      CheckBox – Survey software
·      Chromo Graphics – Graphic services for websites
·      CSI (Compusystems) – Meeting registrations
·      Cision – Communication cloud service and PAC vendor
·      Cvent – Hotel management for NACDS events
·      District Creative Printing
·      Envato Elements – Website templates
·      Epicor – Finance software
·      Frank Parsons – Print services
·      Friendly – Meeting event website
·      Getty Images – Image services for websites
·      Global Printing – Print services
·      Google Analytics – Website traffic analysis
·      HighRoad Solutions/RealMagnet/HigherLogic – Email marketing
·      iStock Photo
·      Lindenmeyr Munroe – Print services
·      Linemark – Digital printing
·      LMO – Email marketing
·      MapYourShow – Trade show exhibits
·      Mimecast – Email filter service
·      Morning Consult – Polling firm
·      MultiView – Chain drug member directory
·      PayPal – Credit card processor
·      Personify Inc. – Association management software
·      PostOp Media – Video processing
·      Pitney Bowes – Address validation software
·      SalesForce – Prospects database
·      SkyDataVault – Disaster recovery
·      SmartSheet – Cloud-based spreadsheet management
·      Social Tables – Meeting event management
·      Type1 – Member directory
·      WP Engine – Website hosting provider


Contacting NACDS

We invite users experiencing general issues with NACDS to contact support at contactus@nacds.org. If the problem you wish to report has a bearing on platform integrity, you can also reach our security team at security@nacds.org. Alternatively, you can telephone +1 (703) 549-3001 to record a voicemail message.

When reporting a security issue, please be as thorough as possible. Describe the steps you are taking, the results you are getting and the results you were expecting to get. Also, please provide us with detailed configuration information so that we can reproduce your testing environment as accurately as possible.

Note that you are not required to provide us with personal information. However, doing so will allow us to contact you back, keep you updated on our progress and give you credit for your contributions. You are therefore strongly encouraged to provide us with at least a name or pseudonym and an email address.

Full disclosure in case of a Data breach

We value the trust relationship we maintain with our clients above all. Should we have any reason to believe that a particular account has been compromised, we will liaise with its owners promptly. We will provide them with detailed information regarding the issue as we understand it, including its cause, duration, and impact. There are no exceptions to this rule. If a breach were to affect an unknown number of accounts, or all of the accounts we host as a whole, we would additionally post information on our website, blog or newsletter, depending on the nature and impact of the issue.

Responsible disclosure

While NACDS does not condone any cracking attempts, we will not prosecute users who report security issues to us and provide us with the information and time necessary to fix the issue before bringing it to the public’s attention — a practice known as responsible disclosure.

This applies only as long as no user data or account is violated. If a security issue affects user data, the affected users will be informed.

Users who opt to disclose security issues to us in a responsible manner will be kept posted about the progress of our analysis and given due credit once the vulnerability is fixed.

As a general rule, NACDS welcomes all feedback from its users and the Internet community at large. This includes members of the security community who wish to share feedback or information with us.

Response procedure

Upon contacting us through our security reporting channels, you can expect to hear back within 48 business hours. Please note that we reply to each and every legitimate submission. If you have not received a reply from us within 48 business hours, feel free to re-submit the ticket or telephone us to ask for a status update.

Once a submission is received and acknowledged, it is escalated to our engineers, who analyze the nature of the issue as it relates to the NACDS platform. If necessary, emergency patches are published to the platform while the analysis continues, in order to minimize the window of exposure.

We will keep submitters updated throughout the process and let them know once the final fix has been published. The resolution of security issues takes precedence over the development of new features or the improvement of existing ones, and we will always strive to publish updates as promptly as possible.

Every security update brought to our platform triggers a full quality assurance review, to audit and improve both our code and our testing procedures.


Questions

If you have any further questions, please do not hesitate to contact us at contactus@nacds.org.

This policy was last modified on May 23, 2018.