A Closer Look at the Architecture, Infrastructure, and Operations Booklet

On June 30th, 2021, the Federal Financial Institutions Examination Council (FFIEC) released the Architecture, Infrastructure, and Operations (AIO) Handbook as part of its IT Examination Handbooks series. This new booklet replaced the previous Operations booklet, last updated in 2004.


Given the age of the replaced booklet, an update was certainly due. The FDIC offered these highlights of the booklet in its FIL-47-2021.

  • The AIO booklet outlines principles and practices for managing architecture, infrastructure, and operations. This booklet describes principles and practices that examiners review to assess an entity’s AIO functions. The booklet also helps examiners determine whether management adequately addresses risks related to AIO and the delivery of critical financial products and services.
  • This booklet focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall enterprise and business structure, implementation of information technology (IT) infrastructure components, and delivery of services and value for customers.
  • The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity’s programs related to AIO. The booklet focuses on assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls. Additionally discussed are emerging technologies, such as cloud computing, micro-services, artificial intelligence, machine learning, zero trust architecture, and the Internet-of-Things.
  • The change in the title of the booklet from Operations to Architecture, Infrastructure, and Operations reflects the expanded role IT plays in supporting enterprise and business operations and meeting internal and external customer expectations.
  • The industry principles and frameworks included provide examiners with a durable means to assess architecture, infrastructure, and operations. The booklet issuance does not impose new requirements on examined entities.


The Purpose of the Update

If we took these highlights at face value, then wouldn’t the last bullet point above indicate that there were no new requirements imposed on examined entities? If so, why did the booklet go from roughly 80 to 160 pages? Why update?


Perhaps a better statement would have been “the booklet issuance does not impose new requirements on examined entities that haven’t yet otherwise been imposed and seeks to clarify where some recommendations may have originated.” Anyone who has recently read the handbooks will appreciate the updated layout to fit the scheme of other booklets released in the last five years. The big picture? The old Operations booklet had 37 pages of actual guidance, whereas the new AIO booklet contains 98. The new booklet includes the following major sections:

  1. Architecture, Infrastructure, and Operations Governance
  2. Common AIO Risk Management Topics
  3. Architecture
  4. Infrastructure
  5. Operations
  6. Evolving Technologies


For the sake of this blog, we’ll limit our discussion to the first and second topics since SBS’ primary focus is on governance and risk management. However, we encourage our readers to dive into the handbook in greater detail if you work directly in IT operations. For example, in the “Evolving Technologies” section, the handbook discussed zero trust architecture, a new topic in security that’s reminiscent of cybersecurity in 2014.


Architecture, Infrastructure, and Operations (AIO) Governance

In its very first paragraphs, the handbook suggests implementing a process, such as a life cycle approach, to manage technology and address AIO-related risks. This seems appropriate, since asset life cycle recommendations have been made in recent exams. The handbook also provides the following figure to illustrate this approach.

[Figure 1: Example of Life Cycle Approach for Governing AIO Risk]

A most welcome mention is added for IT strategic planning. The booklet states, “The board and senior management should evaluate whether the IT strategic plans align with the enterprise-wide business and strategic plan, as well as established priorities.” This is a powerful statement because, all too often, IT strategic plans are developed in a vacuum: the actual strategic plans are kept secret, making it impossible to align initiatives from the enterprise-wide strategic plan with projects in the IT strategic plan.


An interesting addition is an entire subsection on enterprise risk management (ERM). The booklet states, “Management should implement an ERM structure that incorporates the functions of AIO. ERM should include a consistent and current review of the entity’s products, processes, applications, infrastructure, interconnectivity, and other related risks to business operations. Depending on the entity’s size and complexity, AIO may be incorporated into ERM in a less formal manner. For more information on ERM, refer to the IT Handbook’s “Management” booklet.” Curiously enough, when one turns to the Management booklet, “enterprise risk management” is mentioned only once in its examination procedures.


New to this booklet are two roles, the chief architect and the chief data officer. Both positions would generally report to a chief information officer (CIO) or chief technology officer (CTO). The booklet does suggest that in smaller, less complex institutions, these roles would likely be combined with other roles such as the CIO or CTO.


Common AIO Risk Management Topics

This section is intended to discuss specific risk management topics that are common across all three topics: architecture, infrastructure, and operations. It’s broken down into the following subsections:

  • Data Governance and Data Management
  • IT Asset Management
  • IT and Business Environment Representations
  • Managing Change in AIO
  • Oversight of Third-Party Service Providers
  • Resilience
  • Remote Access
  • Personally Owned Devices
  • File Exchange


On data classification and data management, the booklet describes a process in which all organizations, regardless of size and complexity, have business line managers (or business process owners) participate in data classification, recovery standards, and control identification. Data classification standards should be based on the confidentiality, integrity, and availability requirements of the data, as well as its value to the entity. Management should use the results of data classification to implement controls that safeguard the data. HINT: If you’re using the SBS IT risk assessment, you’re already doing this.


Expect greater scrutiny concerning the topic of asset management. The new handbook goes into fairly substantial detail with regard to hardware and software asset inventories and what a good inventory should include. Also added are expectations on IT asset end-of-life (EOL) management. The added information on EOL management is pretty straightforward, but expect the need to have a policy and an accompanying procedure that ensure EOL management is baked into your overall asset management program and strategic plans.


The “IT and Business Environment Representations” section details expectations for network diagrams, data flow diagrams, business process flow diagrams, and business process narratives. Thankfully, the handbook finally provides examples of what is expected for these items. Keep in mind, the handbook does state that the depth of the diagrams depends on size and complexity. Therefore, it’s unlikely that smaller organizations are going to be held to the same standard.


On the topics of diagrams, the handbook states, “While various representations may be used for different purposes, management should coordinate the development of representations among stakeholders. This coordination allows management to obtain a holistic view of the entity’s IT environment and understand how it supports business processes. The diagrams and narratives should be aligned with each other and across lines of business. For example, if the business flow diagram refers to a particular function or application, other diagrams and narratives should use similar naming conventions to refer to that function for reference purpose.”


So, ensure business process owners are involved in the creation of your various data flow or process flow diagrams. Below are examples provided in the handbook.

[Figure 2: Example of a Data Flow Diagram]

[Figure 3: Example of a Process Flow Diagram]


Oversight of third-party service providers is discussed in the context of outsourcing AIO activities. Ensure your ongoing vendor management program includes an evaluation of service level agreements (SLAs) and that vendors providing AIO types of services are living up to the required SLAs. On reviews of independent audit reports, the handbook states, “Management should review independent audit or other assurance reports demonstrating the third-party service provider’s ability to meet the entity’s AIO needs and provide services in a safe and sound manner. Management should report to the board on the effectiveness of any AIO activities performed by third-party service providers and any issues uncovered through the entity’s third-party risk management processes.” Therefore, for any critical vendor providing AIO activities for your institution, you should ensure, at minimum, that the vendor provides a SOC 2 Type 2 report and that you review it. It’s also important to ensure that the results of those reviews are being presented to the board.


The additional sections "Resilience," "Remote Access," "Personally Owned Devices," and "File Exchange" don’t necessarily provide any new general expectations. Rather, they provide insight into what is actually expected from institutions when considering such topics. NOTE: the handbook regularly references the National Institute of Standards and Technology (NIST).


Finally

We encourage you to download and read the handbook, including the sections not discussed directly in this blog. While the FDIC FIL states that there are no new added expectations for regulated entities, this updated handbook provides greater clarity on various items previously required or recommended that may not have had ample documentation to support them.



Written by: Cody Delzer, CISA, CDPSE 
SVP IS Consultant / Regional Director - SBS CyberSecurity, LLC 


Posted: Thursday, October 14, 2021