
IT Compliance Institute, July 19, 2005:

Case Study

Philadelphia Exchange Audits for Compliance

When it comes to regulations, organizations must implement effective processes and procedures, or face the consequences.

By Mathew Schwartz

When it comes to regulations, organizations must implement effective processes and procedures, or face the consequences. Of course that’s especially true in the financial sector. “Basel II and Sarbanes-Oxley have really put security on the CEO’s dashboard,” notes Marc van Zadelhoff, vice president of business development and strategy for Consul risk management BV, a Delft, Netherlands-based software company.

Yet not all organizations are sweating. “What people are starting to experience under Sarbanes-Oxley, we’ve been doing that for as long as I’ve been there,” says Bernie Donnelly, vice president of quality assurance (QA) at the Philadelphia Stock Exchange (PHLX), the oldest equity exchange in the country. He joined the organization in 1983, and has been in charge of QA ever since.

PHLX is a case study about how maintaining a good-citizen culture, and working proactively to stay secure, can enable an organization to more quickly meet regulatory requirements and thus focus more time on staying competitive.

Donnelly’s philosophy when it comes to complying with regulations is to start early. “When it comes to any type of [government-imposed] regulation,” he says, “there’s not really a choice thing. You have to do it, and it’s either do it now or do it later, and doing it later is always more painful, because it’s dictated to you.” Dictated changes always interrupt everyday processes, he notes, so it’s better to work it out before regulators come along.

On that front, PHLX regularly audits its systems. Internal audits are outsourced to The Outsourcing Partnership; external audits to Grant Thornton, which also does the annual review. Once every 18-20 months, the SEC also performs an on-site audit.

PHLX must regularly report on the state of its automation processes to the Securities and Exchange Commission (SEC), which has regulatory oversight. “We’ve actually classified outages between minor and significant, and if significant, we have an obligation to report to them,” says Donnelly. For example, if trading goes down, PHLX needs to notify the SEC how many minutes it will take to come back up.

Coordinating Compliance

Then there’s Sarbanes-Oxley. As a self-regulating organization, PHLX doesn’t have to comply with Sarbanes, but it “de-mutualized” in 2004, and anticipates “possibly going public down the road, so we figured we might as well start complying with it now,” says Donnelly.

Before, the exchange had many of its policies and procedures documented, at least on paper. “The difference we see now with Sarbanes-Oxley is you need to centralize all that information, instead of leaving it within departments, and that’s not a big deal.” The reason for the centralization, of course, is “to ensure there aren’t any holes in the process, because when you have it decentralized, someone may figure someone else has to deal with it.” Regulators want to ensure someone takes responsibility.

At PHLX, Donnelly’s QA department, which he likens to a project management office, fulfills that function. The group tracks all commitments, whether to auditors or internal groups, to ensure nothing slips through the cracks, and keeps an eye on what gets done. For example, it reviews the 1,000 changes made each year to production systems, using software from Tripwire Inc. to take before-and-after snapshots of the systems.
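The before-and-after snapshot review described above, reduced to its essentials as an added example (this is illustration code, not PHLX's process or Tripwire's software): each snapshot records a SHA-256 digest, size and permission bits per file, two snapshots are diffed into added/removed/changed sets, and that change set is compared with the paths the change record actually approved. The directory layout, file names and the "approved" list are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record, for every regular file under `root`, a SHA-256 digest plus its
    size and permission bits. This captures the before/after idea only; it is
    not Tripwire's database format (assumption for illustration)."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root).as_posix()] = (digest, st.st_size, st.st_mode & 0o777)
    return state


def diff_snapshots(before, after):
    """Classify each path as added, removed, or changed between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def review_change(diff, approved_paths):
    """Split the observed change set into what the change record approved and
    what it did not; the latter is what a QA reviewer would query."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    approved = set(approved_paths)
    return {"expected": sorted(touched & approved),
            "unexpected": sorted(touched - approved)}


def demo():
    """Constructed scenario: the change record approves editing config/app.cfg,
    but the deployment also replaces a binary and drops an extra script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "bin").mkdir()
        (root / "config" / "app.cfg").write_text("timeout=30\n")
        (root / "bin" / "trade").write_bytes(b"\x7fELF constructed placeholder")
        before = snapshot(root)

        (root / "config" / "app.cfg").write_text("timeout=60\n")              # approved
        (root / "bin" / "trade").write_bytes(b"\x7fELF modified placeholder")  # not approved
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")                # not approved
        after = snapshot(root)

        return review_change(diff_snapshots(before, after), ["config/app.cfg"])


if __name__ == "__main__":
    print(demo())
```

The value of the review step is the "unexpected" list: a change that touches only what its record says is routine, while a replaced binary or a new script that nobody approved is exactly the kind of well-meant "creative" fix the article later warns about.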

The QA group also coordinates PHLX’s approach to compliance. “We’re the audit liaisons with both internal and external groups, and the regulators,” says Donnelly. “So whenever anyone wants to knock on the door, we’ll set up the interviews.” In general, auditors don’t get to interview someone below middle management without one of Donnelly’s QA group members also being present. That’s because employees “below a certain level tend to think this is an opportunity to get a pet project going,” he notes, and audits aren’t the right forum for that. On the other hand, “above a certain level, you’re viewing it from the big-picture view.”

PHLX also conducts exit interviews with auditors, and requests a draft of auditors’ findings in advance, just to ensure nothing was misinterpreted. The goal here, says Donnelly, is not to dispute every auditor’s finding, but rather to avoid contention. “Everyone here is of the opinion that they’re here to help us,” he says, yet auditors may get carried away when dealing with their own areas of expertise. For example, one did a full-scale Customer Information Control System (CICS) audit when only a handful of PHLX employees actually use it. “I don’t want them to nit-pick stuff,” he says.

When both groups agree to disagree, auditors make the final call. Yet a compromise is often possible. For example, auditors wanted PHLX to change all passwords every 30 days. That would be easy to implement for employees, but difficult for customers -- especially organizations that have multiple employees, each with a different password, each accessing the PHLX site to download reports. In the end, PHLX was able to negotiate a compromise: it sends customers a letter every three months recommending they change their passwords. “That was more of a service thing, but from an auditor’s perspective it was black and white,” he notes.

Consolidating Audit Logs

One auditor-proposed change Donnelly was finally able to implement, however, was consolidating server logs. These audit log printouts amounted to “three feet of paper from each system,” he notes. The SEC “was pushing me for 10 years” to consolidate them, yet software to consolidate and standardize the format of his system logs -- VOS for Stratus, Unix on Sun, and OS/390 -- didn’t exist.

Since PHLX already used Consul products for mainframe monitoring, auditing, and administration, Donnelly had asked them to add Stratus compatibility. Several years ago, Consul incorporated the functionality into its Consul InSight Security Manager (ISM), which PHLX adopted. Later, the exchange also turned to Consul’s ISM Sarbanes-Oxley module.

In general, having a complete audit log can help companies better meet regulations. “Auditors do not usually have the time, and a company doesn’t usually have the money, to do an exhaustive audit,” says Pierre Noel, vice president of regulatory compliance for Consul. Yet incomplete data can lead to flawed reports and requirements. Without more complete data, “you have to accept it,” he says.

By consolidating logs, at PHLX a single security manager can now view log exceptions, putting the organization “into a proactive state,” notes Donnelly. For example, “if you see someone intentionally trying to probe the defenses, then we have a policy in place” to deal with it, he says. Typically, an employee has to discuss the situation with a manager, but for obvious malice, they can just be escorted out the door. That said, “we’ve been fortunate with our group of employees, we have a pretty good crew,” notes Donnelly. The bigger issue is “creative individuals” who see a problem and decide to fix it themselves. “They can do more damage unintentionally than intentionally,” he says. As a result, PHLX keeps its administrators well monitored.
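What consolidation buys a single security manager, as an added example that is not Consul's product or PHLX's configuration: lines from three differently formatted sources are parsed into one common event schema, lines nobody can parse are kept as a separate finding rather than silently dropped (the "incomplete data" problem Noel describes), and one rule then spots a user failing logons across several systems, something no single system's three feet of printout would show. The three line layouts, host names, user names and timestamps are constructed; they are not the real Stratus VOS, Sun or OS/390 log formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up layouts standing in for the three
# platforms named in the article. These are NOT the real Stratus VOS, Sun
# or OS/390 log formats (assumption, for illustration only).
SAMPLE_LINES = [
    "stratus1|2005-07-19 09:14:02|LOGON|jsmith|FAIL",
    "sun-ops|Jul 19 09:14:10 sshd: Failed password for jsmith",
    "MVS1 2005-07-19 09:14:20 RACF USER(JSMITH) LOGON FAILED",
    "stratus1|2005-07-19 09:14:31|LOGON|jsmith|FAIL",
    "sun-ops|Jul 19 09:15:00 sshd: Accepted password for kjones",
    "MVS1 2005-07-19 10:02:11 RACF USER(KJONES) LOGON OK",
]

SYSLOG_YEAR = 2005  # the syslog-style layout carries no year (assumption)

# One (regex, extractor) pair per source format. Every extractor returns the
# same tuple (timestamp, host, user, success) so downstream code sees one schema.
PARSERS = [
    (re.compile(r"^(?P<host>[^|]+)\|(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|LOGON\|"
                r"(?P<user>[^|]+)\|(?P<outcome>OK|FAIL)$"),
     lambda m: (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                m["host"], m["user"], m["outcome"] == "OK")),
    (re.compile(r"^(?P<host>[^|]+)\|(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) sshd: "
                r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+)$"),
     lambda m: (datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                m["host"], m["user"], m["outcome"] == "Accepted")),
    (re.compile(r"^(?P<host>\S+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) RACF "
                r"USER\((?P<user>\w+)\) LOGON (?P<outcome>OK|FAILED)$"),
     # fold case so the same person is one user across systems
     lambda m: (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                m["host"], m["user"].lower(), m["outcome"] == "OK")),
]


def normalize(lines):
    """Turn raw lines from all sources into one list of events with a common
    schema. Lines no parser understands are returned separately rather than
    dropped: a gap in the data is itself a finding."""
    events, unparsed = [], []
    for line in lines:
        for pattern, extract in PARSERS:
            m = pattern.match(line)
            if m:
                ts, host, user, success = extract(m)
                events.append({"ts": ts, "host": host, "user": user,
                               "success": success, "raw": line})
                break
        else:
            unparsed.append(line)
    return events, unparsed


def find_failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag any user with `threshold` or more failed logons inside `window`,
    counted across all systems. Seen per system, each host in the sample has
    only one or two failures; only the consolidated view shows the pattern."""
    by_user = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails) - threshold + 1):
            run = fails[i:i + threshold]
            if run[-1]["ts"] - run[0]["ts"] <= window:
                flagged[user] = sorted({e["host"] for e in fails})
                break
    return flagged


if __name__ == "__main__":
    evts, bad = normalize(SAMPLE_LINES)
    print(f"{len(evts)} events normalized, {len(bad)} unparsed")
    print(find_failed_logon_bursts(evts))
```

The design point is the common schema: once every source yields the same (timestamp, host, user, success) tuple, a rule is written once and the exception report is one list, which is what lets a single person run the policy the article describes instead of three people reading three printouts.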

This proactive approach to meeting regulations is paying off. In the past, large projects such as year-2000 remediation, and the move from fractions to decimals for reporting stock price changes, were mandatory, and costly. “There are many projects that cost millions and have zero-revenue return,” notes Donnelly. PHLX, however, is finally seeing a decrease in time and money spent meeting such requirements, and “we’re now getting to spend money on competitive projects.”

One of those projects is PHLX XL, the exchange’s more-electronic trading system. Currently, PHLX handles 70,000 inbound messages per second, and 20,000 outbound messages per second. The goal is to boost inbound capacity to 125,000 and outbound to 40,000. Doing that, however, requires the latest in server technology, and “we can’t get the vendors to build systems fast enough,” says Donnelly. With an approach now in place to meet regulations, however, the exchange has the time and energy to make it happen.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.