Federal Register - November 2, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices

and cryptographic algorithms approved for use in cryptographic technology deployments across OCC.[32] All OCC identifying data is encrypted in transit using industry standard methods. The Key Management Service (KMS) Strategy dictates that all CSP endpoints support HTTPS for encrypting data in transit.[33] OCC also secures connections to the endpoint service by using virtual private computer endpoints and ensures client applications are properly configured to ensure encapsulation between minimum and maximum Transport Layer Security (TLS) versions per the OCC encryption standard. OCC will have exclusive control over the key management system; only OCC authorized users will be able to access that data. CSP systems and staff will not have access to the OCC certificate management and/or key management system.[34] OCC is responsible for the application architecture, software, configuration and use of the CSP services, and for the maintenance of the environment, including ongoing monitoring of the application environment to achieve the appropriate security posture. To do this, OCC follows: (i) existing security design and controls; (ii) Cloud-specific information security controls defined in Enterprise Security Controls; and (iii) regulatory compliance requirements detailed in sources or information technology practices that are widely available and issued by an authoritative body that is a U.S. governmental entity or agency, including NIST CSF, COBIT, and the FFIEC Guidelines.

OCC uses third-party tools for CSP security compliance monitoring, security scanning, and reporting. Alerts and all API-level actions are gathered using both CSP-provided and third-party monitoring tools. The CSP-provided monitoring tool is enabled by default at the organization level to monitor all CSP services activity. Centralized logging provides near real-time analysis of events and contains information about all aspects of user and role management, detection of unauthorized, security-relevant configuration changes, and inbound and outbound communication.
[32] OCC has separately submitted a request for confidential treatment to the Commission regarding the Encryption Standards, which OCC has provided in confidential Exhibit 3p to File No. SR-OCC-2021-802.
[33] OCC has separately submitted a request for confidential treatment to the Commission regarding the OCC Key Management Service (KMS) Strategy, which OCC has provided in confidential Exhibit 3q to File No. SR-OCC-2021-802.
[34] Certificate management is the process of creating, monitoring, and handling digital key certificates to encrypt communications.


As previously discussed, OCC uses a KMS Strategy to encrypt data in transit and at rest in the Cloud. KMS is designed so that no one, including CSP employees, can retrieve customer plaintext keys and use them. The Federal Information Processing Standards (FIPS) 140-2 validated Host Security Modules (HSMs) in KMS protect the confidentiality and integrity of OCC customer keys.[35] Customer plaintext keys are never written to disk and are only ever used in the protected, volatile memory of the HSMs for the time needed to perform the customer's requested cryptographic operation. KMS keys are never transmitted outside of the Cloud regions in which they were created. Updates to the KMS HSM firmware are controlled by quorum-based access control[36] that is audited and reviewed by an independent group within the CSP. This tightly controlled deployment process minimizes the risk that the security properties of the service will be changed as new software, firmware, or hardware is introduced.

With these security measures, only users granted access by OCC to the core clearing, risk management, or data management applications will be able to interact with the information contained therein.


iii. Security Configuration, Provisioning, Logging, and Monitoring

Automated delivery of business and security capability via the use of Infrastructure as Code and continuous integration/continuous deployment pipeline methods will permit security controls to be consistently and transparently deployed on demand. OCC will provision Cloud Infrastructure using pre-established system configurations that are deployed through infrastructure as code, then scanned for compliance with secure baseline configuration standards. OCC also employs continuous configuration monitoring and periodic vulnerability scanning. OCC will continue to perform regular reviews and testing of OCC systems running on the Cloud while relying upon information provided by the CSP through the CSP's SOC 2 and Audit Symposiums. Finally, configuration, security incident, and event monitoring will rely on a blend of CSP native and third-party solutions.

OCC also plans to use tools offered by the CSP and third parties to monitor the core clearing, risk management, and data management applications run on the Cloud Infrastructure. OCC will track metrics, monitor log files, set alarms, and have the ability to act on changes to OCC core clearing, risk management, and data management applications and the environment in which they operate.[37] The CSP will provide a dashboard to reflect general health (e.g., up/down status of a region) but will not give additional insights into the performance of services and applications which run on those services. The OCC operated centralized logging system will provide a single frame of reference for log aggregation, access, and workflow management by ingesting the CSP's logs coming from native detective tools and OCC instrumented controls for logging, monitoring, and vulnerability management. This instrumentation will give OCC a real-time view into the availability of Cloud services as well as the ability to track historical data. By using the enterprise monitoring tools OCC has in place, OCC will be able to integrate the availability and capacity management of Cloud into OCC's existing processes, whether hosted on the Cloud or running in the local on-premises backup, and respond to issues in a timely manner.

OCC will also use specialized third-party tools, as discussed above, to programmatically configure Cloud services and deploy security infrastructure. This automation of configuration and deployment will ensure Cloud services are repeatably and consistently configured securely and validated. Change detection tools providing event logs into the incident management system are also vital for reacting to and investigating unexpected changes to the environment.

Security has implemented tools for the core clearing, risk management, and data management applications and back office environments that will be hosted at the CSP; notably, the IAM system, monitoring and Security Information and Event Management (SIEM) systems, the workflow system of record for incident handling, KMS, and enterprise Data Loss Prevention (DLP). Most of these services can also be run on-premises in a fully Cloud-independent mode, and Security Services has identified potential alternatives for those that will be needed for isolated on-premises operations and cannot operate
[35] The HSM is analogous to a safe that only OCC has knowledge of the combination and the ability to access the keys to locks stored within.
[36] A quorum-based access mechanism requires multiple users to provide credentials over a fixed period in order to obtain access.
[37] OCC has separately submitted a request for confidential treatment to the Commission regarding the Draft Cloud Provider Logging and Alerting Test Environment, which OCC has provided in confidential Exhibit 3r to File No. SR-OCC-2021-802.
