Federal Register - November 2, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices

configurations,[52] including by monitoring the CSP's technical, administrative, and physical security controls that support OCC's systems in the Cloud Infrastructure.
i. Internal Risk Assessments

In addition to existing OCC Third Party Vendor Risk Management activities, OCC's Third Party Risk Management department (TPRM) will assess the operational risks of the CSP as a critical vendor annually. Additionally, OCC conducts a technology risk assessment on an annual basis, which is an evaluation of risks to OCC's critical systems, monitoring of key risk indicators (KRI), risk events, security events, and key controls, and which will encompass all risks presented by the CSP.[53]


ii. External Risk Assessment

OCC engaged a third party familiar with Cloud Infrastructure best practices to conduct a design effectiveness review of OCC's proposed Cloud strategy, application architecture, and related security and resiliency controls.[54] The External Risk Assessment focused on: (i) Cloud reference architecture, capabilities, and controls required to host applications in the Cloud; (ii) existing and planned resiliency capabilities to meet a two-hour recovery time objective for OCC's critical services; and (iii) design of the existing and planned security controls during and after the Cloud Implementation.[55]
The External Risk Assessment identified strengths in OCC's planned Cloud Implementation, including that OCC incorporated several leading security practices as well as support for elastic capacity and the ability to scale effectively into its plan. The External Risk Assessment also included recommendations to supplement OCC's execution plan for the Cloud Implementation, which were broadly categorized into six technical areas: (i) Workload isolation and networking; (ii) automation and pipelines; (iii) data fabric and data lifecycle management; (iv) platform shared services and support model; (v) security shared services and support model; and (vi) resiliency. Recommendations were categorized across two dimensions: (i) program priority (high, medium, or low) and (ii) implementation action (start, accelerate, or continue). A recommendation does not necessarily mean OCC would not have implemented the recommended action absent the recommendation, as several of the recommendations were for OCC to continue an activity it had already begun. OCC has a plan in place to address the recommendations provided in the External Risk Assessment and will track the plan to completion.

[52] Internal Audit will assess plans during the 2021 Cloud Transition Audit, and more in-depth in early 2022 when the processes are modified to operate in the Cloud.
[53] This annual risk assessment is provided to the Board of Directors and the Technology Committee.
[54] OCC has separately submitted a request for confidential treatment to the Commission regarding the External Risk Assessment, which OCC has provided in confidential Exhibit 3v to File No. SR-OCC-2021-802, and regarding OCC's response to the External Risk Assessment recommendations, which OCC has provided in confidential Exhibit 3w to File No. SR-OCC-2021-802.
[55] The External Risk Assessment included five discovery workshops, thirty design review sessions, discussions with over forty-eight OCC stakeholders, and review of one hundred sixty documents ranging from strategy materials to configuration builds.
iii. Internal Audit Department Plan Related to Cloud Implementation

As mentioned above, starting in 2021 and going forward, the Internal Audit Annual Plan is designed to assess important elements of the new core clearing, risk management, and data management applications roll-out. For example, the 2021 Audit Plan includes an audit on the Cloud Implementation. This audit included an analysis of OCC's disposition of the findings in the External Risk Assessment, determined if the risks associated with the findings have been adequately addressed, evaluated OCC's strategy in the event it needs to transition from the CSP at any time, evaluated the adequacy of OCC's remediation plans and timelines, and evaluated OCC's assessment of the third-party CSP attestation report (SOC). The Internal Audit Department plans to augment internal resources with co-source resources with specific expertise in Cloud-based controls and has conducted department-wide training on Cloud auditing, with additional training to be conducted as necessary.
iv. Audit Symposium and Access Rights

The CSP hosts an annual Audit Symposium, which will allow OCC to review evidence supporting the CSP's control environment. The CSP also hosts an annual Cloud security conference focused on Security, Governance, Risk and Compliance. OCC Information Technology staff currently meet with CSP representatives weekly to focus on technical issues related to OCC's proposed Cloud environment. In addition, OCC will be holding compliance briefings with the CSP quarterly, wherein the CSP will provide OCC with documentation (e.g., SOC 2 Report) and assist OCC's preparation for the Audit Symposium. OCC management, including Security, Information Technology, and the Internal Audit Department, will coordinate to ensure appropriate representation during the planned briefings. TPRM will help initiate and orchestrate the annual reviews.
v. Key Risk and Key Performance Indicators

OCC has also established several key risk indicators (KRI) and key performance indicators (KPI) to evaluate OCC's management of risk and the CSP's performance during the Cloud Implementation and ongoing operation.[56] The KRIs are approved by and regularly reported to OCC's Management Committee, Board of Directors, and the Risk Committee of the Board of Directors. OCC has developed Cloud KPIs and socialized these KPIs internally. The KRIs already exist for core clearing, risk management, and data management applications and are aligned to overall systems availability, capacity, data integrity, and security. The CSP KPIs feed into existing KRIs and will continue to be used to evaluate the CSP's performance after the Cloud Implementation.[57] KPIs will be added to monitor the performance and risks of the CSP services for which OCC has contracted. These post-Cloud Implementation KRIs and KPIs will allow OCC to assess its ongoing use of the CSP against its operational and security requirements, will demonstrate the effectiveness of risk controls and the CSP's performance against commitments in the Service Level Agreements, and will be reported on a regular basis to OCC's Management Committee, Board of Directors, and the Technology and Risk Committees of the Board of Directors.[58]

[56] These KRIs and KPIs are contained in the Cloud Implementation risk report. OCC has separately submitted a request for confidential treatment to the Commission regarding the Cloud Implementation risk report, which OCC has provided in confidential Exhibit 3k to File No. SR-OCC-2021-802. See supra note 26.
[57] OCC has established metrics for monitoring CSP systems capacity and availability in each zone in the Risk Appetite Statements and Risk Tolerance for Cloud Services, which OCC has provided in confidential Exhibit 3l to File No. SR-OCC-2021-802. Data integrity and systems incidents are monitored through OCC's Quality Standards Program and Systems Incident Program, respectively.
[58] OCC has separately submitted a request for confidential treatment to the Commission regarding metrics and reporting that OCC will use to monitor the security and performance of the CSP after adoption, which OCC has provided in confidential Exhibit 3x to File No. SR-OCC-2021-802.


About this edition

Title: Federal Register
Country: United States
Date: 02/11/2021
Page count: 181
Number of editions: 7801
First edition: 14/03/1936
Last edition: 24/06/2026
