Controls means the safeguards or countermeasures employed by the security-based swap execution facility to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its data and information, and to enable the security-based swap execution facility to fulfill its statutory and regulatory responsibilities.
Controls testing means assessment of the security-based swap execution facility's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the security-based swap execution facility to meet the requirements of this section.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to security-based swap execution facility operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of data and information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate the security-based swap execution facility's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate the security-based swap execution facility's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Security incident means a cybersecurity or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.
Security incident response plan means a written plan documenting the security-based swap execution facility's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a security-based swap execution facility's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a security-based swap execution facility's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
17 C.F.R. §242.830