[ISN] Protecting the Premises

From: InfoSec News (isnat_private)
Date: Tue Nov 05 2002 - 22:25:45 PST


    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    November 4, 2002 
    Protecting the Premises
    By Renee Boucher Ferguson 
    
    Companies that provide financial services have been keen on taking
    steps to secure systems and facilities since many believe they are
    prime targets for terrorists.
    
    Two companies in the financial services industry, MasterCard
    International Inc. and Nasdaq Stock Market Inc., are locking up their
    facilities and planning for the worst.
    
    Payment systems company MasterCard, which has continually tested and
    revised its disaster recovery plan since it was put in place in 1990,
    stepped back after last year's terrorist attacks on New York and
    Washington and re-evaluated its plan.
    
    The Purchase, N.Y., corporation brought in an outside consulting
    company to evaluate each of its global facilities for security risks.
    
    "If you look at business continuity, it's an ongoing process; it is
    something you are continually doing," said Randy Till, vice president
    of global business continuity management at MasterCard. "Based on what
    we think are new threats, we re-prioritized our projects."
    
    MasterCard has two data centers—one backs up the other. In the event
    of an attack, it would recover the remaining facility (assuming only
    one was attacked) using a tiered approach, bringing up critical
    systems first.
    
    "We don't want to bring everything up right away; it would be too
    much," said Till. "Every system has a timed recovery, so if a system
    doesn't need to be recovered for 24 hours, it won't be recovered until
    then."
    
    Till said that from a network point of view, he assumes it would
    continue to operate, with recovery being focused more on MasterCard's
    central processing site.
    
    MasterCard's payments processing network was originally built for
    redundancy and alternate routing capabilities. As a result, if a part
    of the network encounters problems, traffic can be automatically
    rerouted following alternative paths. MasterCard has also employed an
    alternate recovery site, allowing it to transfer its data center
    operations in response to any emergency. There are two primary
    processing centers in the United States and others overseas, Till
    said.
    
    Part of MasterCard's response to the new threats deals with augmenting
    the physical security of its facilities and employees. For example,
    with the anthrax threat that followed the Sept. 11, 2001, terrorist
    attacks, Till moved all mail out of MasterCard's corporate offices and
    had it processed off-site.
    
    Enhancing physical security has also been a top priority at other
    financial services institutions. Prior to Sept. 11 last year, Nasdaq
    CIO Steven Randich said, he felt he had an exceptionally strong IT
    security plan in place. After Sept. 11, Randich is still confident his
    information security plan is state of the art. What's changed is his
    approach to physical security of Nasdaq's two data centers, which are
    in Connecticut and Maryland.
    
    Nasdaq is essentially a "floorless" stock exchange that trades shares
    in 4,100 companies via a network of computers and telecommunications
    gear.
    
    "From a physical standpoint, we have made substantive changes," said
    Randich. "The access is far, far more restricted.
    
    "We've put in fingerprint access control systems, we now use armed
    guards at our data centers, we have thorough inspections of vehicles
    entering the perimeter areas of the data centers, and they have
    24-by-7 manned guardhouses and a perimeter concrete wall around the
    two data centers."
    
    Nasdaq deployed X-ray machines to scan all packages and electronic
    devices coming into the data centers. Both data centers have limited
    access, with a single entrance and exit, and all visitors' cars are
    physically inspected.
    
    "Both data centers have this level of security," said Randich. "We
    also have 360-degree perimeter surveillance with cameras and guards
    that walk around the inside and out."
    
    As an extra level of security—and comfort—one data center has become a
    training facility for the Connecticut State Police canine
    bomb-sniffing unit.
    
    A number of the security changes made at the data centers were in the
    works prior to Sept. 11 of last year, but they were expanded or
    accelerated.
    
    "They're going to stay up for the foreseeable future," said Randich,
    who has also worked with the Securities and Exchange Commission to get
    Nasdaq's contingency plan approved.
    
    New York-based Nasdaq's disaster recovery plans have expanded as
    well. When a threat is received, there are now three stages of alerts.
    Stage 3 means Randich moves the operation from Connecticut to
    Maryland. Stages 1 and 2 are preparedness stages that anticipate such
    a move. Nasdaq conducted 30 tests during the last year to make sure
    the failover to its backup data center works.
    
    "There are always some people who say an event can't happen," said
    MasterCard's Till. "I teach this topic on the outside, and one of the
    questions I get is, '[What do I do if] management comes back and says
    that this stuff isn't going to happen?' We take [disaster recovery
    planning] very seriously. Sept. 11 has heightened the awareness in the
    organization - and the anxiety level within the organization."
     
    
    
    _______________________________________________________________________
    eric wolbrom, CISSP                     Safe Harbor Technologies
    President & CIO                         190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000            Katonah, NY 10536
    Fax   914.767.3911                              http://www.shtech.net
    _______________________________________________________________________
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 00:36:10 PST