Second in a series.
At the Philadelphia Stock Exchange, compliance with regulatory requirements is an old challenge that occasionally comes with a new label.
For decades, stock exchanges and other financial institutions have had to meet regulations imposed by the federal Securities and Exchange Commission, which sets standards for data integrity. Standards tightened even further following the September 11, 2001, terrorist attacks, when government officials feared that the next major attack might be aimed at American interests in cyberspace.
On the exchange floor, most attention is focused on the trading applications that run on transaction processing computers made by Stratus Technologies Inc., in Marlboro, Mass. IT managers at the Philadelphia Exchange began to view their Windows servers as business critical -- particularly those that run e-mail and Blackberry information -- long before extra security was required by the Sarbanes-Oxley Act (SOX) of 2002. Sections 302 and 404 of that legislation govern financial reporting and documentation of internal controls.
"We won't use Windows for trading, but people are drawing reports off of our servers," said Bernard Donnelly, vice president of quality assurance for the stock exchange, which was founded in 1790. "Now that you've opened up your network to the [Internet], you need layers of security for protection."
Multiple layers of security
The Philadelphia Stock Exchange has built a wall around its servers and appliances. Its first line of defense is an intrusion protection system made by V-Secure Technologies Inc. that is used in conjunction with a traffic management application from F5 Networks Inc. -- all of which are authenticated through a firewall made by Check Point Software Technologies Ltd. running on Nokia hardware.
These layers separate incoming traffic from a server that resides in the company's DMZ. The stock exchange relies on each software vendor's own security features, such as Windows Server's password control tools. Each of the platforms is also monitored by a console built by Consul Risk Management Inc., in Herndon, Va.
Donnelly recognizes that the country's eight stock exchanges are not garden-variety Windows shops -- the Philadelphia Exchange does much of its own custom application development, for example. But he uses the same common sense rules for Windows as he does for computers on the trading floor.
Policy is strictly enforced
IT administrators preparing for SOX compliance are trying to do something that has long been a part of the culture at the Philadelphia Exchange, where there is a longstanding, detailed security policy, in which no one is allowed to copy data or play computer games, Donnelly said.
"It's a culture change," he said. "Suddenly, you put restrictions on [employees] and they feel challenged. [At one point,] I had development managers wanting to look at code that was not their code. I tell them it's not a question of [not trusting them], but it's a question of good business practice."
Donnelly advises IT administrators to make SOX a part of the fabric of their organization and not something they do because they may be faced with an audit. All reports must be treated in the same way because you never know which report a chief financial officer will have to sign off on, he said.
In addition to its own testing, the exchange also has a third-party consultant conduct twice-yearly penetration tests. "We try to break into our systems internally and externally," Donnelly said. "We do it with the [V-Secure] both on and off."
Though the advice that Donnelly gives for Windows systems is generally good for systems across the board, experts agree that Windows administrators must pay special attention to patch management and change and configuration management and must attempt to make standard builds for servers.
Regulatory rules also tend to drive away shared and ghost accounts, since there must be more accountability and oversight in general, said Michael Rasmussen, a consultant at Forrester Research Inc., in Cambridge, Mass. Dead accounts must be removed from the system quickly, he recommended.
Compliance will be good for administrators in the long run because they are making their departments run like a business process organization and less like overhead, said Richard Ptak, principal at Ptak, Noel & Associates, in Amherst, N.H.
"In the end, it will introduce tighter controls for management of passwords, encryption and other administrative tasks," Ptak said. "But you will have fewer problems and secure access to data."