When it comes to preparing for terrorist attacks, two companies in the financial services industry, MasterCard International Inc. and the Nasdaq Stock Market Inc., are locking up their facilities and planning for the worst.
MasterCard has had its disaster recovery plan in place since 1990, with continuous tests and revisions since then. Rather than compel MasterCard to redo its recovery plans, what 9/11 did do is force the payment system giant to step back and re-evaluate its current plans.
For example, with the anthrax threat that followed the Sept. 11, 2001 terrorist attacks, Randy Till, vice president of global business continuity management at MasterCard, moved all mail out of MasteCards corporate offices and have it processed offsite.
MasterCard also brought in an outside consulting firm to evaluate each of its global facilities for security risks.
“If you look at business continuity its an ongoing process, it is something you are continually doing,” said Till, in Purchase, N.Y. “We stepped back and said what is it we have on our plate. Based on what we think are new threats, we reprioritized our projects.”
MasterCard has two data centers, one that backs up the other. In the event of an attack, they would recover the remaining facility (assuming only one was attacked) using a tiered approach, bringing up critical systems first.
“We dont want to bring everything up right away, it would be too much,” said Till. “So every system has a timed recovery, so if a system doesnt need to be recovered for 24 hours, it wont be recovered until then.”
Till said that from a network point of view, he assumes it will continue to operate with recovery being focused more on MasterCards central processing site.
MasterCards payments processing network was originally built for redundancy and alternate routing capabilities. As a result, if a part of the network encounters problems, traffic can be automatically rerouted following alternative paths. MasterCard has also employed an alternate recovery site allowing it to transfer its data center operations in response to any emergency. There are two primary processing centers in the U.S. and others overseas, according to Till.
Meanwhile, Nasdaq is essentially a floorless stock exchange, trading shares in 4,100 companies via a network of computers and telecommunications gear.
Page Two
: Locked Down, Planning For the Worst”>
Prior to Sept. 11, 2001, Steve Randich, CIO at Nasdaq, felt he had an exceptionally strong IT security plan in place. After 9/11, Randich is still confident his information security plan is state-of-the art. Whats changed is Randichs approach to physical security of the Nasdaqs two data centers in Connecticut and Maryland.
“From a physical standpoint we have made substantive changes,” said Randich. “The access is far, far more restricted. “Weve put in finger print access control systems, we now use armed guards at our data centers, we have thorough inspections of vehicles entering the parameter areas of the data center and it has 24-by-7 manned guard houses and a parameter concrete wall around the two data centers.”
In addition, Randich deployed X-Ray machines to scan all packages and electronic devices coming into the data centers. Both data centers have limited access, with a single entrance and exit, and all visitors cars are manually inspected.
“Both data centers have this level of security,” said Randich. “We also have 360-degree perimeter surveillance with cameras and guards that walk around the inside and out.”
As an extra level of security – and comfort –one data center has become a training facility for the Connecticut State Police canine bomb sniffing unit.
A number of the security changes made at the data centers were in the works prior to 9/11. After, they were expanded or accelerated.
“Theyre going to stay up for the foreseeable future,” said Randich, who also worked with the Securities and Exchange Commission to get Nasdaqs contingency plans approved.
New York-based Nasdaqs disaster recovery plans have increased as well. When a threat is received, there are now three stages of alerts. Stage three means Randich moves the operation from Connecticut to Maryland. Stage one and two are preparedness stages to do that. Nasdaq conducted 30 tests during the last year to make sure the fail over to its backup data center works.
“There are always some people who say an event cant happen,” said MasterCards Till. “I teach this topic on the outside and one of the questions I get is, someones management comes back and says that this stuff isnt going to happen. We take this stuff [disaster recovery planning] very seriously. Sept. 11 has heightened the awareness in the organization – and the anxiety level within the organization.”
Related Stories:
- Rebuilding for Tomorrow
- Focus on Identity, Vigilance