87. Without limitation, ADRs and AFRs seeking useful guidance for Confidential Information segregation can look to the data segregation standards contained in the National Institute of Standards and Technology (“NIST”) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013) (“NIST Document”), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. The NIST Document also references international security standards in Appendix H (International Information Security Standards). See also the Federal Information Security Management Act of 2002, as amended (“FISMA”), 44 U.S.C. 3541. As the Commission has previously noted in a different context, FISMA “is a source of cybersecurity best practices and also establishes legal requirements for federal government agencies . . . .” System Safeguards Testing Requirements, 80 FR 80139, 80142 (Dec. 23, 2015) (“Registered Entity Cyber NPRM”). The Commission adopted final rules based on the Registered Entity Cyber NPRM. See System Safeguards Testing Requirements, 81 FR 64271 (Sept. 19, 2016) (“Final Registered Entity Cyber Rules”).
88. This should include cybersecurity measures. As the Commission detailed in a different context in the Final Registered Entity Cyber Rules, “cyber threats to the financial sector continue to expand.” See id. at 64272. See also System Safeguards Testing Requirements for Derivatives Clearing Organizations, 80 FR 80113, 80114-80115 (Dec. 23, 2015) (describing escalating and evolving cybersecurity threats); Registered Entity Cyber NPRM at 80140-80141 (describing, inter alia, the then-current cybersecurity threat environment).
89. One basic principle of data security is that only those with a need to access data to perform their work should be granted access to such data. See, e.g., Framework for Improving Critical Infrastructure Cybersecurity at 23 (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf (characterizing the “Protect” element of a core cybersecurity framework as one where “[a]ccess to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.”).