Putting IT's Stock in a Proactive Approach

Despite SRO status, exchange works to comply with act voluntarily.

As many corporations agonize over Sarbanes-Oxley mandates, the Philadelphia Stock Exchange Inc. is complying with the act voluntarily.

The stock exchange, which recently incorporated, is exempt from Sarbanes-Oxley because it is not a publicly traded company. "We are not obligated to comply with Sarbanes-Oxley as an exchange because of our SRO [self-regulating organization] status," said Bernie Donnelly, vice president of the Quality Assurance Group at the exchange. "However, we're working to comply because, someday down the road, we may become a public company and want to be ready."

Although the exchange's Sarbanes-Oxley compliance strategy is still in development, officials at the stock exchange said one thing is clear: Security is the priority.

Founded in 1790, the Philadelphia Stock Exchange is the nation's first stock exchange. It trades more than 2,200 stocks, more than 1,180 listed equity options and 15 index options. In its automation division alone, the exchange employs more than 200 people.

Since the 1970s, the exchange has had to adhere to Securities and Exchange Commission requirements that include the ability to gather account and log files from mission-critical trading systems. The SEC requires the exchange to maintain a record of who has access to its systems and whether or not those users are authorized.

Status Report

Company: Philadelphia Stock Exchange Inc.
Location: Philadelphia
Sarbanes-Oxley stage: Evaluation of systems
Compliance timeline: As a company that is not publicly traded and just recently incorporated, the Philadelphia Stock Exchange is not required to comply with Sarbanes-Oxley—yet. It is choosing to voluntarily comply.
Currently focused on: Understanding Sarbanes-Oxley requirements; further increasing security and access to applications
Tools: IBM mainframes; Microsoft Corp.'s Windows NT 4.0; Sun Microsystems Inc.'s Solaris; Stratus Technologies Bermuda Ltd.'s Stratus ftServer; Consul Risk Management BV Inc.'s zSecure Suite, zAudit and zAdmin

Source: eWEEK reporting

"As far as Sarbanes-Oxley is concerned, the stock exchange has been under regulation forever, and a lot of what businesses are trying to deal with now is the kind of stuff we've been doing all along as an SRO," Donnelly said. "A lot of this is old hat to us."

The exchange runs a mixed computing environment that includes IBM mainframes, Microsoft Corp. Windows NT 4.0-based servers, Sun Microsystems Inc. Solaris-based servers and Stratus Technologies Bermuda Ltd. servers running Stratus Virtual Operating System.

The exchange had used auditing and policy management software from Consul Risk Management Inc. to manage security access for its IBM mainframes and Microsoft and Sun servers, but the software did not work with the Stratus systems. Donnelly was reluctant to run separate packages to manage the Stratus boxes because of increased management issues.

In 2002, the exchange teamed with Consul to develop an event management tool for the Stratus platform. The exchange deployed the Stratus-based tool last year along with Consul InSight Security Manager, which enables the exchange to view data for all its systems in one report.

The exchange currently runs as many as 30,000 messages per second. This process generates event logs covering 3 feet of paper per day per server.

Federal law—including Sarbanes-Oxley—mandates that security administrators log and analyze this information, and the process of going through the logs manually is tedious.

Agents from the Consul InSight Security Manager software collect data and pull it into a Sun 6500 Server. The tool then pools all the data and translates it into a common format so that IT managers at the exchange go through only one report to verify that only authorized users are on its network.

By using Consul InSight Security Manager, the exchange can automate event management and auditing, according to Allan Pomerantz, chief security officer at the exchange.

"We used to be in a reactionary mode, and now we can be proactive," Pomerantz said. "While we are just beginning to understand what our Sarbanes-Oxley requirements are, we do understand that one of the requirements is good security. If you're going to sign off on the accuracy of your financial statement, you need to have some assurance that they're secure."

Donnelly said he hopes later this year to have exceptions automated so that whenever someone logs onto a production system, Consul InSight Security Manager will automatically alert IT that someone logged in, which system the user logged in to and whether the person is authorized.
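The two steps described above, normalizing logon events from several platforms into one common shape and then flagging any production logon by a user who is not on that system's authorized list, can be sketched in a few lines. This is an added illustration, not code from the exchange or from Consul; the three log formats, the host names and the authorization table are all constructed placeholders, since the article does not show the real formats.

```python
import re
from dataclasses import dataclass

# Constructed sample logon lines in three made-up formats standing in for the
# exchange's mainframe, Windows NT and Solaris sources. Real formats differ;
# these are placeholders, not InSight or vendor output.
RAW_EVENTS = [
    ("mainframe", "2004-03-01 09:12:03 LOGON USER=OPS01 SYSTEM=TRADE1 RC=0"),
    ("winnt", "03/01/2004 09:13:40 Security 528 Success Audit User: jsmith Workstation: ORDERS2"),
    ("solaris", "Mar  1 09:14:02 match01 sshd[1221]: Accepted password for root from 10.0.0.5"),
]

# Constructed authorization table: production system -> users allowed to log on.
AUTHORIZED = {
    "TRADE1": {"OPS01", "OPS02"},
    "ORDERS2": {"jsmith"},
    "match01": {"oper", "backup"},
}

@dataclass
class LogonEvent:
    """The common shape every source is mapped onto."""
    user: str
    system: str
    source: str

# One parser per source; each extracts the same two named fields.
PARSERS = {
    "mainframe": re.compile(r"LOGON USER=(?P<user>\S+) SYSTEM=(?P<system>\S+)"),
    "winnt": re.compile(r"User: (?P<user>\S+) Workstation: (?P<system>\S+)"),
    "solaris": re.compile(r"^\S+\s+\d+ \S+ (?P<system>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+)"),
}

def normalize(source, line):
    """Map a source-specific logon line onto the common event shape, or None if it is not a logon."""
    m = PARSERS[source].search(line)
    if not m:
        return None
    return LogonEvent(user=m.group("user"), system=m.group("system"), source=source)

def check_logons(raw_events, authorized):
    """Return one (user, system, authorized?) tuple per logon, in log order."""
    results = []
    for source, line in raw_events:
        ev = normalize(source, line)
        if ev is None:
            continue
        results.append((ev.user, ev.system, ev.user in authorized.get(ev.system, set())))
    return results

def exceptions(raw_events, authorized):
    """Only the logons that should raise an alert: user not authorized for that system."""
    return [r for r in check_logons(raw_events, authorized) if not r[2]]
```

Running it over the constructed lines reports all three logons and flags the Solaris root logon on match01 as the single exception.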

As the stock exchange works to improve its security procedures, the organization is developing a framework for the documentation of policies and procedures specific to Sarbanes-Oxley.

"If we can accomplish the documentation this year, we'll have made major strides," Donnelly said. "It's a good position to be in."