http://www.informationweek.com/security/attacks/exclusive-anatomy-of-a-brokerage-it-melt/240008569

By Mathew J. Schwartz, InformationWeek, October 08, 2012

The network slowdown was one of the first clues that something was amiss at GunnAllen Financial, a now-defunct broker-dealer whose IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm.

It was the spring of 2005. Over a period of roughly seven business days, traffic had slowed to a crawl at the Tampa, Fla.-based firm, which had outsourced its IT department to The Revere Group. GunnAllen's acting CIO, a Revere Group partner, asked a member of the IT team to investigate.

Dan Saccavino, a former Revere Group employee who at the time served at GunnAllen as the IT manager in charge of the help desk, laptops, and desktops, says he and another network engineer eventually pinpointed the cause of the slowdown: a senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem. As a result, none of the company's trades, emails, or phone calls were being archived, in violation of Securities and Exchange Commission regulations.

Despite the fact that at least five people at The Revere Group knew about the engineer's action, it's unclear whether it was reported at the time to GunnAllen or regulators. The SEC didn't reference the incident in a subsequent announcement about a settlement with GunnAllen for unrelated privacy and data security violations, and interviews with former Revere Group employees reveal that regulators may have known about only a fraction of the data security failures at the firm.

What follows is a chronicle of one firm's myriad IT and other missteps over a period of at least four years, as related by former employees and various official documents.
It's a cautionary tale of what happens when a company tosses all IT responsibility over a wall and rarely peeks back. It also reveals what happens when an IT outsourcing vendor gets in over its head, and it points to the failures of regulators to identify and clean up a corporate mess on a grand scale. While these missteps go back as far as seven years, they have continuing relevance today in the context of how businesses oversee outsourcing, information security, regulatory, and employee matters.

[...]

Received on Tue Oct 09 2012 - 22:11:20 PDT