Federal Register - November 2, 2021
Source: Federal Register
60510
Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices
independently. All required technical controls deployed via or reliant on CSP services will be replaced or supplemented to ensure equivalent independent operation of the on-premises backup.38
Finally, the CSP prioritizes assurance programs and certifications, underscoring its ability to comply with financial services regulations and standards and to provide OCC with a secure Cloud Infrastructure.39
iv. Security Testing and Verification by the 2nd and 3rd Line
Security testing is integrated into business-as-usual processes as outlined in relevant policy and procedures.
These documents define how testing is initiated, executed, and tracked.
For new assets and application or code releases, Security determines whether and what type of security testing is required through a risk-based analysis. If required, testing is conducted prior to implementation and the different testing techniques are outlined below:
Automated Security Testing: Using industry standard security testing tools and/or other security engineering techniques specifically configured for each test, Security will test to identify vulnerabilities and deliver payloads with the intent to break, change, or gain access to unauthorized areas within an application, data, or system.
Manual Penetration Testing: Using information gathered from automated testing and/or other information sources, Security will manually test to identify vulnerabilities and deliver payloads with the intent to break, change, or gain access to the unauthorized area within an application or system.
Blue Team Testing: The Blue Team identifies security threats and risks in the operating environment and analyzes the network, system, and SaaS environments and their current state of security readiness. Blue Team assessment results guide risk mitigation and remediation, validate the effectiveness of controls, and provide evidence to support authorization or approval decisions. Blue Team testing ensures that OCC's networks, systems, and SaaS solutions are as secure as possible before deploying to a production environment.

38 OCC has separately submitted a request for confidential treatment to the Commission regarding the Key Technologies, which OCC has provided in confidential Exhibit 3s to File No. SR-OCC-2021-802.
39 The CSP has certifications for the following frameworks: NIST, Cloud Security Alliance, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO), and the Federal Information Security Management Act (FISMA).
The results of Security controls testing are risk-rated and managed to remediation via the Security Observation Risk Tracking process.
Change Management
Consistent with FFIEC Guidance, OCC's use of the Cloud will have sufficient change management controls in place to effectively transition systems and information assets to the Cloud and will help ensure the security and reliability of microservices in the Cloud.
OCC's enterprise software development lifecycle processes help ensure the same control environment for all OCC resources, irrespective of whether they reside in an on-premises environment or in the Cloud. OCC has established baselines for design inputs and control requirements and enforces workload isolation and segregation through a Virtual Private Cloud, using existing Cloud-native technical controls and newly added tools. OCC also plans to use other specialized platform monitoring tools for logging, configuration scanning, and system process scanning. OCC also has oversight as a code owner for the OCC infrastructure security containers and will have final review and approval for related changes and code merges before secure containers are deployed into production.
Finally, OCC will periodically conduct static code scanning and perform vulnerability scanning for external dependencies prior to deployment in production, along with manual penetration testing of the provided application code. In addition, OCC will perform routine scans of Compute resources with the existing enterprise scanning tools. Any identified vulnerabilities will be reviewed for severity, prioritized, and logged for remediation tracking in upcoming development releases.
OCC will create a user acceptance plan prior to promoting code to production. This user acceptance plan will include tests of all major functions, processes, and interfacing systems, as well as security tests. Through acceptance tests, OCC users will be able to simulate complete application functionality of the live environment.
The change will move to the next stage of the OCC delivery model only after satisfying the criteria for this phase.40
OCC plans to use microservices in its use of the Cloud. OCC has internal projects that will address change management of the various microservices. In particular, OCC runs a suite of supporting services that enable building, running, scaling, and monitoring of OCC's business applications in the Cloud in an automated, resilient, and secure manner. The application platform relies on various CSP and third-party tools for different components, including Infrastructure as a Service, Infrastructure as Code, CI/CD, Container as a Service, Continuous Delivery, and Platform Monitoring. For example, OCC will use a third-party tool for managing containers and a different third-party tool for distributing containers and workloads to assist with platform automation. Security measures for planned production microservices are already incorporated within the overall security architecture and Enterprise Security Standards.41

40 The user acceptance plan represents only one aspect of the overall change management program at the OCC.
With respect to software development in the Cloud, OCC has established a closed Virtual Private Cloud non-production environment that allows OCC to develop, test, and integrate new capabilities, including those related to security enhancements, while preventing direct external access to the development environment and tightly controlling on-premises access from OCC to the non-production environment. This OCC Virtual Private Cloud non-production environment hosted in the Cloud focuses on the foundational security, operations, and infrastructure requirements, with the intent to take lessons learned and implement them in future production. OCC developed and maintains a Cloud Reference Architecture that defines the capabilities and controls required to securely host core clearing, risk management, and data management applications on the CSP. The minimum foundational security requirements are based on the NIST CSF and CIS benchmarks and include the design and implementation requirements of a secure Cloud account structure within a multi-region Cloud environment. OCC maintains enterprise security requirements that provide structure for current and future development. As the Virtual Private Cloud environment is further developed and expanded, there is a comprehensive process to identify any incremental risks and develop and

41 The minimal security control architecture reflects awareness of the need to consider data storage and management outside of containers, configuration management to prevent unintended container interactions, and routine monitoring and replacement of containers when appropriate.