Federal Register - November 2, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices

facilities and services;23 and (vi) the CSP's commercial incentive to perform. OCC and the CSP rely on the shared responsibility model, which differentiates between the security of the Cloud and security in the Cloud.24 The CSP maintains sole responsibility and control over the security of the Cloud, and its customers are responsible for the security in the Cloud, i.e., the security of hosted applications and data. Thus, OCC remains responsible for managing and maintaining the operating system and all applications, including security and patching, running in the Cloud. There is no primary/secondary relationship, as each partner has a specific set of responsibilities which, when combined, address the entire risk space.

The CSP performs its own risk and vulnerability assessments of the CSP infrastructure on which OCC will run its core clearing, risk management, and data management applications. In published documentation and in meetings conducted with members of the CSP's staff, the CSP asserts that it maintains an industry-leading automated test system, with strong executive oversight, and conducts full-scope assessments of its hardware, infrastructure, internal threats, and application software. The CSP asserts that it has an aggressive program for conducting internal adversarial assessments (Red Team) designed to evaluate not only system security but also the processes used to monitor and defend its infrastructure. The CSP also uses external, third-party assessments as a cross-check against its own results and to ensure that testing is conducted in an independent fashion. Per the CSP's documentation, results of these processes are reviewed weekly by the CSP CISO and the CEO with senior CSP leaders to discuss security and action plans.25

OCC has the responsibility to perform risk assessments and technical security testing, including control validation, penetration testing, and adversarial testing, of OCC applications running on the CSP. This includes testing of the application interface layer of some CSP-provided services such as storage and key management. OCC's security testing model will remain as it is for the on-premises operations: the Security Engineering team will define security control requirements and validate their correct implementation on OCC systems and deployed core clearing, risk management, and data management applications; automated tools will be used to scan OCC application code and open source for security defects during the development process; and automated vulnerability management tools will conduct periodic scans of deployed software and devices to ensure that security patches and fixes are correctly implemented within required timelines.

As mentioned, OCC's testing includes assessing the configuration of CSP-provided services: Security Services will work with Information Technology staff to ensure that CSP tools are configured to appropriately manage and mitigate potential sources of risk, and will assess the effectiveness of those configurations. The OCC Red Team will operate freely in the Cloud, attempting to subvert or circumvent controls; its testing will include probing of CSP-provided services to look for weaknesses in OCC's deployment of those tools.

Security Services will routinely report test results to Enterprise Risk Management, appropriate functional Operations and Information Technology management, senior management, and the Board of Directors. Automated vulnerability scanning reports, source code analysis, and results of specific assessments will be risk-rated and assigned a priority for remediation in accordance with OCC policy.

Management and oversight of the Cloud Implementation follows standard governing principles for large information technology projects. OCC's Board of Directors has established a Technology Committee to assist the Board of Directors in overseeing OCC's information technology strategy and other company-wide operational capabilities. The Risk and Technology Committees are responsible for different aspects of the oversight of the Cloud Implementation. Information Technology and Security Services, in collaboration with Enterprise Risk Management, are responsible for the identification, management, monitoring, and reporting of the risks associated with the Cloud Implementation. To that end, management presents the Technology Committee (with copies to the Risk Committee and the Board of Directors) with reports on the status and progress of the Cloud Implementation on at least a quarterly basis. This report includes an overall risk and issue summary and an analysis of key risk indicators for the Cloud Implementation.26 Finally, OCC's Internal Audit Department is responsible for auditing security controls and configurations, including those related to the Cloud, prior to OCC's planned Cloud Implementation.

Starting in 2021 and going forward, the Internal Audit Annual Plan is designed to assess important elements of the new core clearing, risk management, and data management application roll-out. For example, the 2021 Audit Plan includes an audit on the Cloud Implementation. These audits will help assess OCC's readiness for the Cloud Implementation, as discussed below in Audit and Controls Assessment.

Cloud Security Management

OCC has established a robust Cloud security program to both: (i) manage the security of the core clearing, risk management, and data management applications that will be running on the Cloud Infrastructure hosted by the CSP, and (ii) assess and monitor the CSP's management of the security of the Cloud Infrastructure that it operates. The security program is designed to encompass all OCC assets existing in OCC offices, data centers, and within the CSP's Cloud Infrastructure. The security program is built upon enterprise security standards that establish requirements that apply to any technology system as well as any tool that provides technology services. The following paragraphs in this section describe elements of OCC's Cloud security management in the areas of: (i) Network and IAM controls (e.g., determining who is accessing the systems, granting access to the

23 The OCC has contracted to work with a top-tier CSP that provides Cloud hosting services to Fortune 500 companies and the U.S. Government, amongst many others.

24 References herein to Shared Responsibility convey the responsibility of OCC and the CSP vis-à-vis each other from a business operations perspective and are not intended to suggest that the CSP has taken on, or that OCC has relinquished, any of OCC's Reg SCI compliance requirements. See supra, footnote 20. OCC has separately submitted a request for confidential treatment to the Commission regarding a diagram that provides a summary of the shared responsibility model between OCC and the CSP, which OCC has provided in confidential Exhibit 3j to File No. SR-OCC-2021-802.

25 The CSP does not provide assessment results to its customers, as doing so would constitute a breach of generally accepted security best practices. Instead, the CSP provides its customers with industry-standard reports (such as SOC 2 Type II) prepared by an independent third-party auditor to provide relevant contextual information to its customers. The CSP also conducts periodic audit meetings specifically designed to discuss security concerns with its customers (discussed later under the CSP Audit Symposium).

26 OCC has separately submitted a request for confidential treatment to the Commission regarding an example of this Cloud Implementation risk report, which OCC has provided in confidential Exhibit 3k to File No. SR-OCC-2021-802. OCC has also submitted a request for confidential treatment to the Commission regarding Risk Appetite Statements and Risk Tolerances for Cloud Services, which OCC has provided in confidential Exhibit 3l to File No. SR-OCC-2021-802.

