Federal Register - November 2, 2021


Source: Federal Register

60508 Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices

applications, and then controlling what information they can access; (ii) security governance and controls for sensitive data; (iii) security configuration, provisioning, logging, and monitoring; and (iv) security testing.
i. Network and IAM Controls

OCC recognizes that robust network security configuration and IAM will provide reasonable assurance that users (including OCC employees, market participants, and service accounts for systems[27]) are granted least-privileged access[28] to the network, applications, and data. OCC will use third-party tools to automate appropriate role-based access to the core clearing, risk management, and data management applications running in the Cloud. By enforcing strict separation of duties and least-privileged access for infrastructure, applications, and data, OCC will protect the confidentiality, availability, and integrity of the data.
The maintenance of an on-premises backup data center necessitates additional network controls. The on-premises data center will be physically separate from networks supporting routine business functions, which will make the overall protection of the environment easier simply by eliminating connectivity other than for critical operations. OCC will explicitly provision all connectivity and will manage and mitigate risks through use of jump hosts that are heavily monitored (e.g., data feeds in and out, provisioned mechanisms for the delivery of the software, and a minimum management interface that requires multi-factor authentication for access). This connection model, coupled with limited access via dedicated private circuits, eliminates the most common threat exposures such as internet connectivity and email. The default physical separation defined in the on-premises backup architecture will be overlaid with industry standard monitoring and blocking tools to ensure that lateral movement between SCI and non-SCI environments is controlled in accordance with the risk.
OCC has established IAM requirements that build upon the least-privileged model. As part of the IAM program, all users must be assigned an appropriate enterprise identification. Users will be granted access to systems via a standardized and auditable approval process. The user identifications and granted access will be managed through their full lifecycle from a centralized IAM system maintained and administered by OCC.

[27] Service accounts are non-interactive accounts that permit application access to support activities such as monitoring, logging, or backup.

[28] Least-privileged access means users will have only the permissioning needed to perform their work, and no more.
Role-, attribute-, and context-based access controls will be used as defined by internal standards consistent with industry recommended practices to promote the principles of least-privileged access and separation of duties.
OCC will use and manage third-party tools, not otherwise provided or managed by the CSP, for single sign-on and least-privileged access. The network will also include hardware and software to limit and monitor ingress and egress traffic, encrypt data in transmission, and isolate traffic between OCC and the Virtual Private Cloud. Because OCC will continue to provide cryptographic services, including key management, the CSP and other network service providers will not be able to decrypt OCC data either at rest or in transit.
ii. Security Governance and Controls for Sensitive Data

OCC's data governance framework that applies to the Cloud Implementation is identified within the OCC Enterprise Security Standards.[29] The Enterprise Security Standards address data moving between systems within the Cloud as well as data transiting and traversing both trusted and untrusted networks. For example, the Enterprise Security Standards require a system or Software as a Solution to: (i) store data and information, including all copies of data and information in the system, in the United States throughout its lifecycle; (ii) be able to retrieve and access the data and information throughout its lifecycle; (iii) for data in the system hosted in the Cloud, encrypt such data with key pairs kept and owned by OCC; (iv) comply with United States federal and applicable state data regulations regarding data location; and (v) enable secure disposition of non-records in accordance with OCC's Information Governance Policy.[30]
Furthermore, OCC policies establish the overall data governance framework applied to the management, use, and governance of OCC information, to include digital instantiations, storage media, or whether the information is located, processed, stored, or transmitted on OCC's information systems and networks, public, private, or hybrid Cloud infrastructures, third-party data centers and data repositories, or Software-as-a-Service (SaaS) applications.[31] The Information Classification and Handling Policy classifies OCC's information into three categories. System owners of technology that enables classification and/or labeling of information are responsible for ensuring that the correct classification level is designated in the system of record and that the applicable controls are enforced. All information requiring disposal must be disposed of securely in accordance with all applicable procedures. Sensitive data must be handled in a manner consistent with the requirements in the Information Classification and Handling Policy.

[29] OCC has separately submitted a request for confidential treatment to the Commission regarding the Enterprise Security Standards, which OCC has provided in confidential Exhibit 3m to File No. SR-OCC-2021-802. OCC security controls and standards are created, published, and managed in accordance with applicable OCC policies.

[30] OCC has separately submitted a request for confidential treatment to the Commission regarding the Information Governance Policy, which OCC has provided as confidential Exhibit 3n to File No. SR-OCC-2021-802.
OCC will implement key components of a zero trust control environment, namely ubiquitous authentication and encryption via use of an automated public key infrastructure, coupled with responsive, highly available authentication, authorization tools, and key management strategies to ensure appropriate industry standard security controls are in place for sensitive data both in transit and at rest. External connectivity to OCC systems hosted by the CSP will be provided as it is now, through dedicated private circuits or over encrypted tunnels through the internet. These network links will also have additional security controls, including encryption during transmission and restrictions on network access to and from the Virtual Private Cloud. Additionally, OCC will use dedicated redundant private network connections between OCC data centers and the CSP infrastructure. OCC currently maintains two data centers and will do so in the future to provide redundant, geographically diverse connectivity for market participants. All network communications between OCC and the Cloud Infrastructure will rely on industry standard encryption for traffic while in transit. Data at rest will be safeguarded through pervasive encryption. OCC's Encryption Standards describe requirements for implementation of the minimum required strengths, encryption at rest,

[31] OCC has separately submitted a request for confidential treatment to the Commission regarding the Information Classification and Handling Policy, which OCC has provided in confidential Exhibit 3o to File No. SR-OCC-2021-802.
