Federal Register - November 2, 2021


Source: Federal Register

60506 Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices
FFIEC Risk Management Categories.
As discussed in the next section, the OCC is implementing practices for its proposed Cloud deployment consistent with this guidance.
Governance: Strategies for using Cloud computing services as part of the financial institution's information technology strategic plan and architecture.
Cloud Security Management: (i) Appropriate due diligence and ongoing oversight and monitoring of CSP's security; (ii) contractual responsibilities, capabilities, and restrictions for the financial institution and CSP; (iii) inventory process for systems and information assets residing in the Cloud; (iv) security configuration, provisioning, logging, and monitoring; (v) identity and access management (IAM) and network controls; (vi) security controls for sensitive data; and (vii) information security awareness and training programs.
Change Management: (i) Change management and software development lifecycle processes and (ii) security and reliability of microservice architecture.[16]
Resiliency and Recovery: (i) Business resiliency and recovery capabilities and (ii) incident response capabilities.
Audit and Controls Assessment: (i) Regular testing of financial institution controls for critical systems; (ii) oversight and monitoring of CSP-managed controls; and (iii) oversight and monitoring of controls unique to Cloud computing services, including those related to (a) management of the virtual infrastructure; (b) use of containers in the Cloud Infrastructure; (c) use of managed security services for the Cloud Infrastructure; (d) consideration of interoperability and portability of data and services; and (e) data destruction or sanitization.
Governance

OCC's ongoing Cloud Implementation is a natural progression of its information technology strategy and aligns seamlessly with its overall corporate strategy. OCC's information technology strategy fully supports OCC's corporate strategy to: (i) Reinforce OCC's foundational capabilities and deliver effective and efficient services; (ii) deliver product and service enhancements that enable growth in OCC's core capabilities and provide capital efficiencies to market participants; and (iii) demonstrate thought leadership in the delivery of innovative solutions that provide long-term value and efficiencies for OCC and its stakeholders. The corporate strategy is fortified by six guiding principles: (i) Operating solutions that deliver reliability, predictability, and integrity; (ii) designing efficiency into OCC processes through automation and near-frictionless capabilities; (iii) providing outcome-focused solutions; (iv) prioritizing collaboration and accountability within the information technology team; (v) ensuring protection for OCC, its clearing members, and the broader financial market; and (vi) incorporating a continuous learning mindset.

As a SIFMU and the only provider of clearance and settlement services for listed options in the U.S., it is vital that OCC's critical services remain continuously available with sufficient security measures in place to detect and defend against possible security threats.

The Cloud Implementation will present OCC with an agile operating environment that can scale throughput to match workloads nearly instantaneously and that will enable OCC to build a "secure by design" pervasive security methodology that incorporates the NIST Cybersecurity Framework's functions, categories, and subcategories as a roadmap for Cloud security. Movement to an agile, Cloud-based operating environment further reinforces OCC's commitment to building in a comprehensive and adaptable risk-based security methodology instead of a traditional perimeter-centric model.

OCC's Cloud Implementation does not alter OCC's responsibility to maintain compliance with applicable regulations. Consistent with FFIEC Guidance, OCC's plan for Cloud Implementation supports OCC's ability to comply with the SEC's Regulation Systems, Compliance, and Integrity ("Reg SCI")[17] and the CFTC's Systems Safeguards.[18] Reg SCI imposes certain information security and incident reporting standards on OCC and requires OCC to adopt an information technology governance framework reasonably designed to ensure that SCI systems, and for purposes of security, indirect SCI systems, have adequate levels of capacity, integrity, resiliency, availability, and security.[19] As the SCI Entity, OCC remains solely responsible for meeting all Regulation SCI obligations.[20] Similarly, Systems Safeguards requires OCC to have cybersecurity programs with risk analysis and oversight that ensure automated systems are secure, reasonably reliable, and have adequate scalable capacity. Within its agreement with the CSP (the "Cloud Agreement"), OCC has established obligations on the CSP to provide support for OCC's compliance with all applicable regulations.[21]

OCC believes the combination of the following provides OCC reasonable assurance that the proposed Cloud Implementation would enable OCC to continue to fully satisfy its Regulation SCI obligations: (i) The Cloud Agreement; (ii) CSP's compliance programs as described in its Whitepapers[22] and publicly available policies (e.g., its Penetration Testing Policy, user guides, and other documents); (iii) CSP's Service Level Agreements; (iv) CSP's Systems Organization Controls reports (e.g., SOC 1, SOC 2, SOC 3) and ISO certifications (e.g., ISO 27001); (v) CSP's size, scale, and ability to deploy extensive resources to protect and secure its

[16] OCC's use of microservices includes specialized third-party applications and a set of containers that work together to compose an application. A container holds both an application and all the elements the application needs to run properly, including system libraries, system settings, and other dependencies. See Application Container Security Guide, NIST SP 800-190.
[17] 17 CFR 242.1000 et seq.
[18] 17 CFR 39.18 et seq.
[19] See 17 CFR 242.1001(a). "SCI Systems" are all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. "Indirect SCI Systems" are systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.
[20] References herein to "Shared Responsibility" convey the responsibility of OCC and the CSP vis-a-vis each other from a business operations perspective and are not intended to suggest the CSP has taken on, or that OCC has relinquished, any of OCC's Reg SCI compliance requirements.
[21] OCC has separately submitted a request for confidential treatment to the Commission regarding the Cloud Agreement. OCC has provided these documents in confidential Exhibit 3c to File No. SR-OCC-2021-802, confidential Exhibit 3d to File No. SR-OCC-2021-802, confidential Exhibit 3e to File No. SR-OCC-2021-802, and confidential Exhibit 3f to File No. SR-OCC-2021-802. Among other things, the Cloud Agreement sets forth the CSP's responsibility to maintain the hardware, software, networking, and facilities that run the Cloud services. See also the separately submitted Table of Reg SCI Provisions, confidential Exhibit 3g to File No. SR-OCC-2021-802, that provides a summary of the terms and conditions of the Cloud Agreement that OCC believes enables OCC to comply with Reg SCI.
[22] OCC has separately submitted requests for confidential treatment to the Commission regarding two examples of CSP Whitepapers, which OCC has provided in confidential Exhibit 3h to File No. SR-OCC-2021-802 and confidential Exhibit 3i to File No. SR-OCC-2021-802.

