Information Security News mailing list archives

Protecting the Premises


From: InfoSec News <isn () c4i org>
Date: Wed, 6 Nov 2002 00:25:45 -0600 (CST)

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

November 4, 2002 
Protecting the Premises
By Renee Boucher Ferguson 

Companies that provide financial services have been keen on taking
steps to secure systems and facilities since many believe they are
prime targets for terrorists.

Two companies in the financial services industry, MasterCard
International Inc. and Nasdaq Stock Market Inc., are locking up their
facilities and planning for the worst.

Payment systems company MasterCard, which has continually tested and
revised its disaster recovery plan since it was put in place in 1990,
stepped back after last year's terrorist attacks on New York and
Washington and re-evaluated its plan.

The Purchase, N.Y., corporation brought in an outside consulting
company to evaluate each of its global facilities for security risks.

"If you look at business continuity, it's an ongoing process; it is
something you are continually doing," said Randy Till, vice president
of global business continuity management at MasterCard. "Based on what
we think are new threats, we re-prioritized our projects."

MasterCard has two data centers—one backs up the other. In the event
of an attack, it would recover the remaining facility (assuming only
one was attacked) using a tiered approach, bringing up critical
systems first.

"We don't want to bring everything up right away; it would be too
much," said Till. "Every system has a timed recovery, so if a system
doesn't need to be recovered for 24 hours, it won't be recovered until
then."

Till said that from a network point of view, he assumes it would
continue to operate, with recovery being focused more on MasterCard's
central processing site.

MasterCard's payments processing network was originally built for
redundancy and alternate routing capabilities. As a result, if a part
of the network encounters problems, traffic can be automatically
rerouted following alternative paths. MasterCard has also employed an
alternate recovery site, allowing it to transfer its data center
operations in response to any emergency. There are two primary
processing centers in the United States and others overseas, Till
said.

Part of MasterCard's response to the new threats deals with augmenting
the physical security of its facilities and employees. For example,
with the anthrax threat that followed the Sept. 11, 2001, terrorist
attacks, Till moved all mail out of MasterCard's corporate offices and
had it processed off-site.

Enhancing physical security has also been a top priority at other
financial services institutions. Prior to Sept. 11 last year, Nasdaq
CIO Steven Randich said, he felt he had an exceptionally strong IT
security plan in place. After Sept. 11, Randich is still confident his
information security plan is state of the art. What's changed is his
approach to physical security of Nasdaq's two data centers, which are
in Connecticut and Maryland.

Nasdaq is essentially a "floorless" stock exchange that trades shares
in 4,100 companies via a network of computers and telecommunications
gear.

"From a physical standpoint, we have made substantive changes," said
Randich. "The access is far, far more restricted.

"We've put in fingerprint access control systems, we now use armed
guards at our data centers, we have thorough inspections of vehicles
entering the perimeter areas of the data centers, and they have
24-by-7 manned guardhouses and a perimeter concrete wall around the
two data centers."

Nasdaq deployed X-ray machines to scan all packages and electronic
devices coming into the data centers. Both data centers have limited
access, with a single entrance and exit, and all visitors' cars are
physically inspected.

"Both data centers have this level of security," said Randich. "We
also have 360-degree perimeter surveillance with cameras and guards
that walk around the inside and out."

As an extra level of security—and comfort—one data center has become a
training facility for the Connecticut State Police canine
bomb-sniffing unit.

A number of the security changes made at the data centers were in the
works prior to Sept. 11 of last year, but they were expanded or
accelerated.

"They're going to stay up for the foreseeable future," said Randich,
who has also worked with the Securities and Exchange Commission to get
Nasdaq's contingency plan approved.

New York-based Nasdaq's disaster recovery plans have increased as
well. When a threat is received, there are now three stages of alerts.  
Stage 3 means Randich moves the operation from Connecticut to
Maryland. Stages 1 and 2 are preparedness stages that anticipate such
a move. Nasdaq conducted 30 tests during the last year to make sure
the failover to its backup data center works.

"There are always some people who say an event can't happen," said
MasterCard's Till. "I teach this topic on the outside, and one of the
questions I get is, '[What do I do if] management comes back and says
that this stuff isn't going to happen?' We take [disaster recovery
planning] very seriously. Sept. 11 has heightened the awareness in the
organization - and the anxiety level within the organization."
 


_______________________________________________________________________
eric wolbrom, CISSP                     Safe Harbor Technologies
President & CIO                         190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000            Katonah, NY 10536
Fax   914.767.3911                              http://www.shtech.net
_______________________________________________________________________



