Feature

PING: Bernard Donnelly

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: What's your biggest information security concern?."

Download it now to read this article plus other related content.

BERNARD DONNELLY


As vice president of quality assurance for the Philadelphia Stock Exchange, Bernard Donnelly is responsible for the security and availability of a network that approaches 100 Gbps and 500,000 quotes per second. To add to the complexity, the exchange recently implemented a wireless trading network that relies on handhelds and demands ironclad security and unquestioned availability.

Why did you move to a wireless trading system given all of the security issues that it can create? Two years ago we made the strategic decision that we couldn't be floor-based anymore. It was just too chaotic. We came up with the handheld trading system, which monitors the markets to generate quotes on behalf of the traders. The member firms have the same capability on a larger scale, but we had to do it in order to stay ahead of what everyone else is doing.

What special measures did you take to secure the wireless trading network? First off, nobody comes directly into our network. They have to go through a variety of authentication and authorization mechanisms and several other hops. We only have icons on the handhelds--just the things you need to get the presentation layer to the trader. All of the traffic is encrypted. We had this on an 802.11 network, but the amount of data was too much for it.

What's the extent of your disaster planning? We just spent $10 million on a fiber network from here to New Jersey so that we can get

    Requires Free Membership to View

a five millisecond response time. We're going to own the fiber and we'll become our own carrier. And we just built a data center in Philadelphia, so we have two here and a colocation facility in New York. Uptime is paramount for us; a 30-second outage is devastating. We might see one every two years, but that's too many. I also oversee all of the change controls, which is a sort of disaster prevention. It's one of our strong points as an organization, and it pays because systems don't break until you change something. We act as an auditing department, and I have the final determination on all of the security packages.

Financial services has more than its share of regulations already, so why did you decide to comply with Sarbanes-Oxley voluntarily? For a lot of companies that are going public, they're doing things they've never done before [to comply with Sarbanes-Oxley]. But it is a carbon copy of what the SEC has required us to do for years. I'd recommend it for other companies, too. It's a good best-practice and will lead you to find things you wouldn't find otherwise.


Read the full version of this interview with Bernard Donnelly at searchsecurity.com/ismag.

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: