When we compare the current Consolidated Audit Trail (CAT) design with our “A-Z” requirements listed below, we see significant deficiencies and ineffective controls in CAT that require immediate attention. Is that the reason why the CAT operating committee seems to hesitate to respond to each of our 26 suggestions? These principle-based requirements are better than the Enhanced Data Security proposal, which only asks FINRA CAT LLC to comply with outdated security guidance – Revision 4 of NIST SP 800-53 [see the prior article’s endnote for an elaborated discussion]. To address the flaws in CAT’s outdated design and to resolve CAT’s challenges, it will take not just cooperation and collaboration, but development and deployment efforts.
Suggested Clauses:
(A) CAT should minimize ‘data-in-motion’ whenever and wherever possible. The rationale/justification being that the more frequently data is transmitted in and out of, and within, CAT, the more vulnerable it is.
(B) Whenever and wherever the data is consumed or ‘in-use’, it has to serve ‘defined purpose(s)’ and be in a ‘secured environment’. The rationale/justification being that there are civic concerns about massive government surveillance. ‘Data-in-use’ is more vulnerable than ‘at-rest’. The more users/devices that have access to data, the greater the risk that hackers may alter/add/insert/use the data abusively.
(C) Data must be appropriately eradicated or removed as soon as it has been transmitted or used, to avoid ‘function creep’. The rationale/justification being that omitted, incomplete or untimely eradication would introduce opportunities for hackers.
(D) No usage or possession outside of ‘defined purposes’. The rationale/justification being that ‘function creep’ = abuse of CAT-related tech or data.
(E) When data is ‘at-rest’, it must be stored in designated ‘secured environments’. The rationale/justification being that data-vaults, data-lakes and ‘golden sources of data’ are indeed prime targets attracting hackers on a treasure hunt.
(F) ‘Secured environments’ must be segregated in accordance with the ‘sensitivity’ of the stored data. The rationale/justification being that it will confine any vulnerability to a specific range of data fields and/or records.
(G) If data is considered ‘sensitive’, it must be obfuscated at all times (‘at-rest’/‘in-motion’) except when it is ‘in-use’; whenever ‘alternate’ surveillance methods are available, CAT users should refrain from querying ‘sensitive’ data. The rationale/justification being that if there is a way to enable surveillance intelligence without crossing the line into privacy hazard, CAT must adopt it, because personally identifiable information or any data of a similar nature is deemed sensitive.
(H) ‘Defined purposes’ are limited to ‘market surveillance’, ‘specific case investigation’ and/or ‘rule enforcement’ only. Again, the rationale/justification being the civic concerns stated in “B”. No one wants his/her data used by regulator(s) to develop policies that may potentially discriminate against him/her.
(I) If using metadata can achieve the ‘defined purpose’, CAT should by all means avoid collecting or creating repetitive copies of raw data. The rationale/justification being the prevention of information leakage. In some respects metadata is more useful than raw data, especially when the raw data comes with inherited imperfect quality (±50 ms tolerance).
(J) If using ‘integrated’ data can achieve the ‘defined purpose’, CAT should avoid collecting data at a lower domain level. The rationale/justification being that ‘roll-up aggregation’ is another technique, similar to masking or obfuscation, that helps prevent leakage.
(K) All data trajectories must be mapped, assessed and monitored. The rationale/justification being that it will allow scrutiny of any repurposing, reuse or recycling of data.
(L) All users’ entitlements to access CAT or its data must be duly authorized and maintained without delay. The rationale/justification being that ‘shared access’ is a common threat, and lapsed entitlements introduce opportunities for hackers.
(M) No access to CAT before a ‘defined purpose’ is identified and a secured connection is established. The rationale/justification being that gateways and proxies need appropriate inspection to deter insecure connections to CAT. Access entitlement does not mean there is no usage limit on CAT.
(N) All user activities must be logged in the system in a timely manner. The rationale/justification being that it will allow scrutiny of any abnormal activities.
(O) CAT functionalities and ‘data-in-use’ should be segregated based on the ‘defined purpose(s)’ of specific user group(s). The rationale/justification being that it will restrict usage to the specific range of data fields and/or records that fit the ‘defined purpose(s)’.
(P) Whenever possible, apply analytic techniques closest to the original source of data rather than making redundant copies of data. The rationale/justification being that redundant copies of data degrade data quality and expose the information to a higher chance of unauthorized access.
(Q) Use ‘predefined automated analytical steps’ instead of ad-hoc data queries wherever possible. The rationale/justification being that ‘predefined automated analytical steps’ should always require proper testing and authorization by the Operating Committee.
(R) The volume and frequency of ad-hoc data queries for ‘specific case investigation’ or ‘rule enforcement’ purposes must be limited, e.g. to < 0.001% of the daily order volume of the targeted broker-dealer with suspicious activity per query, per user, per day, and < 0.01% in aggregate every two weeks.
(S) No access to CAT for ‘market surveillance’ purposes prior to identifying symptoms of irregularity that are substantiated by data at the SIPs and/or analytical procedures at the SROs/the SEC. Again, the rationale/justification being the civic concern stated in “B”. Suspicion of crime or anticipation of market turmoil should begin with some basis, or require a ‘search warrant’, before surveillance is permitted on information that would otherwise be considered private.
(T) Bulk data extraction is generally prohibited, except during a ‘market crash’ with special authorization from the SEC, where a ‘market crash’ period may refer to Limit Up-Limit Down trigger or exchange halt scenarios.
(U) Database server infrastructure and configuration should prioritize ‘consistency’ and ‘partition tolerance’ over ‘availability’, and the CAT system should be compliant with Atomicity, Consistency, Isolation and Durability (ACID) requirements. The controversy is that CAT, as a surveillance tool, is supposed to prioritize ‘availability’ over the two other attributes. Real-time delivery, i.e. the velocity of data, provides higher value than the veracity of data during a ‘market crash’. The T+5 access defeats CAT’s purpose.
(V) Data loss protection infrastructure must include proper steps for effective and efficient data disposal. Record retention must be enforced diligently. Retaining more data than necessary is a liability.
(W) Audit logs (including user activities, network performance and other system gauges for automated threat detection) must be readily available for examination upon request. The timelier the review, the higher the chance of salvaging a loss situation.
(X) Any abnormality in CAT, its data or its connectivity, or any breach of control, must be reported in a timely manner. The SEC and the operating committee should give the independent reviewers the authority to provide unbiased and timely reports of problems to the most senior levels.
(Y) Any compromised control must be diligently rectified. Independent assessment recommending interim actions will help avoid ‘bandage’ or temporary fixes, and fixes in one area that may inadvertently cause vulnerabilities in other area(s).
(Z) CAT must actively observe, adopt and pursue relevant information security and privacy best practices. The rationale/justification being that continuous improvement would help ensure the CAT processor and operating committee are forward-looking (e.g. today’s encryption will be rendered obsolete by quantum computing).
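Clause (R) is the one requirement above that states hard numbers, and clause (N) asks that every user activity be logged. The following is an added example of how such a query budget could be enforced and logged; it is not code from the original article, from FINRA CAT LLC or from any CAT component. It assumes, since the page does not spell this out, that the 0.001% cap applies to each single query against the targeted broker-dealer, that the 0.01% cap covers all approved queries against that broker-dealer over a rolling 14-day window, that checks are submitted in chronological order, and that daily order volumes are supplied by the caller (the figures in `run_demo` are constructed).

```python
"""Added example: enforce the clause (R) ad-hoc query budget and log each decision (clause N).

Assumptions (not stated on the page): the per-query cap applies to each single
query against the targeted broker-dealer; the aggregate cap covers all approved
queries against that broker-dealer within a rolling 14-day window; checks are
submitted in chronological order; daily order volumes are supplied by the caller.
"""
from collections import deque
from datetime import date, timedelta

# Clause (R) thresholds, kept as exact integer denominators to avoid float rounding:
# 0.001% = 1/100_000 of daily order volume per query; 0.01% = 1/10_000 in aggregate.
PER_QUERY_DENOM = 100_000
AGGREGATE_DENOM = 10_000
WINDOW_DAYS = 14


class AdHocQueryBudget:
    """Decides whether an ad-hoc query stays within the clause (R) limits."""

    def __init__(self, daily_order_volume):
        # broker_dealer id -> daily order count (constructed sample data in run_demo)
        self.daily_order_volume = daily_order_volume
        # broker_dealer id -> deque of (day, user, records) for approved queries
        self._approved = {}
        # Clause (N): every decision, approved or denied, is recorded for review.
        self.audit_log = []

    def _window(self, broker_dealer, today):
        """Return the approved-query history for the trailing WINDOW_DAYS days."""
        history = self._approved.setdefault(broker_dealer, deque())
        cutoff = today - timedelta(days=WINDOW_DAYS)
        while history and history[0][0] <= cutoff:
            history.popleft()  # expire entries that fell out of the window
        return history

    def check(self, user, broker_dealer, records_requested, today):
        """Return (allowed, reason); approved queries are charged to the budget."""
        volume = self.daily_order_volume[broker_dealer]
        window = self._window(broker_dealer, today)
        used = sum(records for _, _, records in window)

        # Strict '<' as written in clause (R): hitting the cap exactly is denied.
        if not records_requested * PER_QUERY_DENOM < volume:
            decision = (False, "per-query limit")
        elif not (used + records_requested) * AGGREGATE_DENOM < volume:
            decision = (False, "two-week aggregate limit")
        else:
            window.append((today, user, records_requested))
            decision = (True, "approved")

        self.audit_log.append({
            "day": today.isoformat(), "user": user, "broker_dealer": broker_dealer,
            "records_requested": records_requested, "window_used_before": used,
            "allowed": decision[0], "reason": decision[1],
        })
        return decision


def run_demo():
    """Walk through the budget with constructed figures: 50,000,000 orders/day,
    so the per-query cap is 500 records and the two-week aggregate cap is 5,000."""
    budget = AdHocQueryBudget({"BD-SAMPLE": 50_000_000})
    day0 = date(2024, 1, 8)
    results = [
        budget.check("analyst-1", "BD-SAMPLE", 400, day0),  # 400 < 500: approved
        budget.check("analyst-1", "BD-SAMPLE", 600, day0),  # 600 >= 500: denied
    ]
    # Nine further queries of 499 records on consecutive days (4,491 records).
    for i in range(9):
        budget.check("analyst-2", "BD-SAMPLE", 499, day0 + timedelta(days=i))
    # 400 + 4,491 + 200 = 5,091 >= 5,000: denied by the aggregate cap.
    results.append(budget.check("analyst-3", "BD-SAMPLE", 200, day0 + timedelta(days=9)))
    # Two weeks later the day0 entries have expired (8 x 499 + 200 = 4,192): approved.
    results.append(budget.check("analyst-3", "BD-SAMPLE", 200, day0 + timedelta(days=14)))
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("approved" if allowed else "denied", "-", reason)
```

Using integer cross-multiplication instead of percentages keeps the strict inequality exact at the boundary, and recording denied requests alongside approved ones is what makes the audit log useful for the scrutiny clauses (N) and (W) call for: a pattern of requests that repeatedly bump against the cap is itself an abnormality worth reviewing.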
***
At Data Boiler, we see big to continuously boil down the essential improvements that fit your purpose. Between my patented inventions and the wealth of experience of my partner, Peter Martyn, we are about finding rare but high-impact value in controversial matters, straight talk about control flaws, leading innovation and change, and creating viable paths toward sustainable development and economic growth.