Protecting the Premises

MasterCard, Nasdaq stress common-sense disaster prevention methods.

Companies that provide financial services have been keen on taking steps to secure systems and facilities since many believe they are prime targets for terrorists.

Two companies in the financial services industry, MasterCard International Inc. and Nasdaq Stock Market Inc., are locking up their facilities and planning for the worst.

Payment systems company MasterCard, which has continually tested and revised its disaster recovery plan since it was put in place in 1990, stepped back after last year's terrorist attacks on New York and Washington and re-evaluated its plan.

The Purchase, N.Y., corporation brought in an outside consulting company to evaluate each of its global facilities for security risks.

"If you look at business continuity, it's an ongoing process; it is something you are continually doing," said Randy Till, vice president of global business continuity management at MasterCard. "Based on what we think are new threats, we re-prioritized our projects."

MasterCard has two data centers—one backs up the other. In the event of an attack, it would recover the remaining facility (assuming only one was attacked) using a tiered approach, bringing up critical systems first.

"We don't want to bring everything up right away; it would be too much," said Till. "Every system has a timed recovery, so if a system doesn't need to be recovered for 24 hours, it won't be recovered until then."

Till said that from a network point of view, he assumes it would continue to operate, with recovery being focused more on MasterCard's central processing site.

MasterCard's payments processing network was originally built for redundancy and alternate routing capabilities. As a result, if a part of the network encounters problems, traffic can be automatically rerouted following alternative paths. MasterCard has also employed an alternate recovery site, allowing it to transfer its data center operations in response to any emergency. There are two primary processing centers in the United States and others overseas, Till said.

Part of MasterCard's response to the new threats deals with augmenting the physical security of its facilities and employees. For example, with the anthrax threat that followed the Sept. 11, 2001, terrorist attacks, Till moved all mail out of MasterCard's corporate offices and had it processed off-site.

Enhancing physical security has also been a top priority at other financial services institutions. Prior to Sept. 11 last year, Nasdaq CIO Steven Randich said, he felt he had an exceptionally strong IT security plan in place. After Sept. 11, Randich is still confident his information security plan is state of the art. What's changed is his approach to physical security of Nasdaq's two data centers, which are in Connecticut and Maryland.

Nasdaq is essentially a "floorless" stock exchange that trades shares in 4,100 companies via a network of computers and telecommunications gear.

"From a physical standpoint, we have made substantive changes," said Randich. "The access is far, far more restricted.

"We've put in fingerprint access control systems, we now use armed guards at our data centers, we have thorough inspections of vehicles entering the perimeter areas of the data centers, and they have 24-by-7 manned guardhouses and a perimeter concrete wall around the two data centers."

Nasdaq deployed X-ray machines to scan all packages and electronic devices coming into the data centers. Both data centers have limited access, with a single entrance and exit, and all visitors' cars are physically inspected.

"Both data centers have this level of security," said Randich. "We also have 360-degree perimeter surveillance with cameras and guards that walk around the inside and out."

As an extra level of security—and comfort—one data center has become a training facility for the Connecticut State Police canine bomb-sniffing unit.

A number of the security changes made at the data centers were in the works prior to Sept. 11 of last year, but they were expanded or accelerated.

"They're going to stay up for the foreseeable future," said Randich, who has also worked with the Securities and Exchange Commission to get Nasdaq's contingency plan approved.

New York-based Nasdaq's disaster recovery plans have increased as well. When a threat is received, there are now three stages of alerts. Stage 3 means Randich moves the operation from Connecticut to Maryland. Stages 1 and 2 are preparedness stages that anticipate such a move. Nasdaq conducted 30 tests during the last year to make sure the failover to its backup data center works.

"There are always some people who say an event can't happen," said MasterCard's Till. "I teach this topic on the outside, and one of the questions I get is, [What do I do if] management comes back and says that this stuff isn't going to happen? We take [disaster recovery planning] very seriously. Sept. 11 has heightened the awareness in the organization—and the anxiety level within the organization."