Forwarded from: "eric wolbrom, CISSP" <ericat_private>

November 4, 2002
Protecting the Premises
By Renee Boucher Ferguson

Companies that provide financial services have been keen on taking steps to secure systems and facilities since many believe they are prime targets for terrorists. Two companies in the financial services industry, MasterCard International Inc. and Nasdaq Stock Market Inc., are locking up their facilities and planning for the worst.

Payment systems company MasterCard, which has continually tested and revised its disaster recovery plan since it was put in place in 1990, stepped back after last year's terrorist attacks on New York and Washington and re-evaluated its plan. The Purchase, N.Y., corporation brought in an outside consulting company to evaluate each of its global facilities for security risks.

"If you look at business continuity, it's an ongoing process; it is something you are continually doing," said Randy Till, vice president of global business continuity management at MasterCard. "Based on what we think are new threats, we re-prioritized our projects."

MasterCard has two data centers—one backs up the other. In the event of an attack, it would recover the remaining facility (assuming only one was attacked) using a tiered approach, bringing up critical systems first.

"We don't want to bring everything up right away; it would be too much," said Till. "Every system has a timed recovery, so if a system doesn't need to be recovered for 24 hours, it won't be recovered until then."

Till said that from a network point of view, he assumes it would continue to operate, with recovery being focused more on MasterCard's central processing site.

MasterCard's payments processing network was originally built for redundancy and alternate routing capabilities. As a result, if a part of the network encounters problems, traffic can be automatically rerouted following alternative paths.
MasterCard has also employed an alternate recovery site, allowing it to transfer its data center operations in response to any emergency. There are two primary processing centers in the United States and others overseas, Till said.

Part of MasterCard's response to the new threats deals with augmenting the physical security of its facilities and employees. For example, with the anthrax threat that followed the Sept. 11, 2001, terrorist attacks, Till moved all mail out of MasterCard's corporate offices and had it processed off-site.

Enhancing physical security has also been a top priority at other financial services institutions. Prior to Sept. 11 last year, Nasdaq CIO Steven Randich said, he felt he had an exceptionally strong IT security plan in place. After Sept. 11, Randich is still confident his information security plan is state of the art. What's changed is his approach to physical security of Nasdaq's two data centers, which are in Connecticut and Maryland.

Nasdaq is essentially a "floorless" stock exchange that trades shares in 4,100 companies via a network of computers and telecommunications gear.

"From a physical standpoint, we have made substantive changes," said Randich. "The access is far, far more restricted.

"We've put in fingerprint access control systems, we now use armed guards at our data centers, we have thorough inspections of vehicles entering the perimeter areas of the data centers, and they have 24-by-7 manned guardhouses and a perimeter concrete wall around the two data centers."

Nasdaq deployed X-ray machines to scan all packages and electronic devices coming into the data centers. Both data centers have limited access, with a single entrance and exit, and all visitors' cars are physically inspected.

"Both data centers have this level of security," said Randich. "We also have 360-degree perimeter surveillance with cameras and guards that walk around the inside and out."
As an extra level of security—and comfort—one data center has become a training facility for the Connecticut State Police canine bomb-sniffing unit.

A number of the security changes made at the data centers were in the works prior to Sept. 11 of last year, but they were expanded or accelerated.

"They're going to stay up for the foreseeable future," said Randich, who has also worked with the Securities and Exchange Commission to get Nasdaq's contingency plan approved.

New York-based Nasdaq's disaster recovery plans have increased as well. When a threat is received, there are now three stages of alerts. Stage 3 means Randich moves the operation from Connecticut to Maryland. Stages 1 and 2 are preparedness stages that anticipate such a move. Nasdaq conducted 30 tests during the last year to make sure the failover to its backup data center works.

"There are always some people who say an event can't happen," said MasterCard's Till. "I teach this topic on the outside, and one of the questions I get is, '[What do I do if] management comes back and says that this stuff isn't going to happen?' We take [disaster recovery planning] very seriously. Sept. 11 has heightened the awareness in the organization - and the anxiety level within the organization."

_______________________________________________________________________
eric wolbrom, CISSP              Safe Harbor Technologies
President & CIO                  190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000     Katonah, NY 10536
Fax   914.767.3911               http://www.shtech.net
_______________________________________________________________________

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.