What’s new in the FFIEC’s Architecture, Infrastructure, and Operations Booklet?

Part One – Overview

  • The booklet replaces the 2004 Operations booklet. It is twice the size of the 2004 booklet (164 pages versus 85 pages) and consists primarily of sections on control principles and practices (97 pages) and Examination Procedures (32 pages).
  • The two new IT functions not previously covered in FFIEC booklets are in the title: Architecture and Infrastructure.
  • DS&A counts nearly 700 control features in the Examination Procedures. About two-thirds relate to data center and Network Operations Center (NOC) controls.
  • Shadow IT and End-Of-Life (EOL) IT asset management are two new control areas.
  • The booklet describes different controls for each of nine software types, including open-source software and Application Programming Interfaces (APIs).
  • The booklet’s architecture and non-data center/NOC infrastructure controls overlap with controls described in the FFIEC’s Management, Audit, and Development and Acquisition booklets.
  • For IT Operations and Network/Telecoms Managers: Please read this article and then read the follow-up article on new IT ops and new network/telecoms controls in the booklet.
  • For CIOs and other IT line managers: You will need to be involved in any risk assessments or audits based on the booklet to provide information about architecture controls and controls outside the data center/NOC.

The FFIEC published the Architecture, Infrastructure, and Operations booklet in June 2021. It is one of the FFIEC’s IT Examination Handbook series and replaces the FFIEC’s Operations booklet issued in 2004. At 164 pages, it is twice the size of the 2004 booklet (85 pages) and consists primarily of sections on control principles and practices (97 pages) and Examination Procedures (32 pages).

DS&A counts nearly 700 control features in the Examination Procedures. That beats the FFIEC’s Cybersecurity Assessment Tool (494 Declarative Statements), but our analysis shows that about 30 percent of the line items in the AIO booklet are in the CAT. And most of those are covered in the Baseline, Evolving, and Intermediate control maturity levels in the CAT, which means the CAT considers them appropriate for financial institutions with Least to Moderate inherent risk, i.e., reasonable for most financial institutions. We identified another 15 percent of the booklet’s control features in other FFIEC booklets, primarily the Information Security booklet.

The two “new” areas (i.e., those not in previous FFIEC booklets) are in the title: Architecture and Infrastructure. The title change “reflects the overall importance of an entity’s architecture, infrastructure, and operations (AIO).” Here are the booklet’s definitions:

  • IT Architecture. “The manner in which the strategic design of the hardware and software infrastructure components (e.g., devices, systems, and networks) are organized and integrated to achieve and support the entity’s business objectives.”
  • IT Infrastructure. “A subset of infrastructure that includes hardware, network and telecommunications, software, IT environmental controls (e.g., power, cooling, and ventilation), and physical access.”

Plus, for comparison, here is the definition of Operations from the AIO booklet:

  • IT Operations. “The performance of activities comprising methods, principles, processes, procedures, and services that support business functions.”  The booklet defines Operations Management as “The process of overseeing the methods, activities, or performance of practical work, and application of principles, processes, procedures, and services of an entity, utilizing business resources.”

IT Architecture

The Architecture section in the AIO booklet states: “Management should design, apply, and align its IT architecture to meet the strategic and business objectives of the enterprise.” The keywords here are “design IT architecture” and the key player for providing information for an assessment of this area is the Chief Architect, who “typically reports directly to the CIO or other senior management and often works with the CIO to do the following:

  • Develop IT architecture policy and terminology.
  • Oversee IT architecture product development, use, and refinement.
  • Serve as owner of the IT architecture repository.”

There is a separate Architecture section in the booklet’s Examination Procedures. We count about 60 control features in it. We added most of them to our online survey for CIOs – they can be pulled out and sent to the Chief Architect or Chief Technology Officer as necessary. Twenty control features went to surveys for other managers: the Development Manager for application selection criteria and design, the Applications Support Manager for an inventory of legacy systems and analysis of gaps, and the CISO for security architecture.

We count 35 architecture-related controls in other parts of the Examination Procedures. Mainly these cover board and executive oversight and data governance; we have added them to our CIO survey.

From a risk assessment or audit perspective, the IT Operations manager is probably not the person to go to for information about architecture controls – more likely, the CIO and other IT line managers are.

IT Infrastructure

The booklet’s introduction to the Infrastructure section states: “Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel.”  The keywords here are “implement infrastructure.”

The booklet defines financial institution infrastructure as “the physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity and includes the maintenance of physical facilities.” The booklet goes on to state, “The focus of this booklet is on IT infrastructure, which is a subset of infrastructure and includes hardware, network and telecommunications, software, IT environmental controls (e.g., power, heating, ventilation, and air conditioning [HVAC]), and physical access.”

The key players for an assessment of this area are, of course, the IT Operations Manager, for controls covering servers, storage solutions, and entity-supported devices (desktops, laptops, mobile devices, and personally owned devices), and the Network / Telecom Operations Manager, for controls covering “routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.”

DS&A counts 140 control features in the booklet’s Infrastructure section in the Examination Procedures. We added about 40 of these to both our online survey for IT Operations Managers and our survey for Network / Telecom Operations Managers, and another 40 of the 140 to the Network / Telecom Operations Manager survey alone.

About 60 control features fall under other responsibility areas. For example, for:

  • The Applications/Desktop Support Manager for tracking software IT assets and maintaining internally-developed software.
  • The CISO, for management of access to operating system, productivity, and other enterprise software.
  • The Business Resilience/Continuity Manager for infrastructure continuity plans and plan testing.

There are infrastructure-related control features in other parts of the Examination Procedures. We have added them primarily to the IT Operations Manager survey and the Network / Telecom Operations Manager survey (see our separate post for IT ops).

To cover the infrastructure-related controls that appear in other parts of the Examination Procedures, we also added items to the surveys for:

  • The CIO/CTO, for oversight of all infrastructure-related activities, in-house and outsourced, and for ensuring the infrastructure supports strategic objectives.
  • The CRO, for review of risks associated with the infrastructure.
  • The IT Auditor for infrastructure testing, e.g., review of penetration testing and vulnerability assessments.
  • The Business Continuity Manager for reviewing the infrastructure to ensure it supports varying levels of resilience depending on the criticality of the systems and software.

Operations

DS&A counts about 450 control features in the Examination Procedures related to data center or Network Operations Center (NOC) controls. Approximately 50 of these relate to environmental controls (e.g., HVAC, smoke/water detection, fire suppression, physical access). Nearly all of these were in the 2004 Booklet.

Additional environmental control features in the AIO booklet that are not in the 2004 booklet include:

  • Water detection systems in areas near the data center or server room (e.g., bathrooms, storage rooms, break rooms).
  • Steps to protect computer equipment from “dirty power” (e.g., power lines where outages, voltage spikes, or drop-outs occur).
  • Processes to power down equipment in an orderly manner.
  • Logs of individuals that access restricted spaces (i.e., not just visitors).
  • Regular reviews of (physical) access lists and removal of unnecessary access (i.e., not just logical access).
  • Alternative physical access processes if electronic controls fail.
  • Guards (armed or unarmed) who are present, trained, licensed, and subject to background checks.
  • Written procedures for approving and logging the receipt and removal of equipment from the premises.

You can find more information about additional environmental control features in our post titled IT operations controls in the FFIEC Architecture, Infrastructure, and Operations Booklet.

We count 15 control features in the Examination Procedures that cover inventory management. These apply to all types of IT assets, including, per the definition in the booklet, “hardware, software, mobile devices, virtual and cloud assets, physical assets (e.g., cabinets, locks, and hard copy information assets), digital information assets (e.g., data), and third-party managed assets.”

Inventory management control features in the booklet which are not previously covered in FFIEC booklets include:

  • Including specific data elements in the inventory (e.g., active/inactive, at End of Life/To be replaced, near End of Life, and End of Life date).
  • Including a data element in the inventory to identify whether the asset is authorized or not (i.e., shadow IT assets – see below).
  • Using a variety of methods for identifying IT assets, informal as well as automated (e.g., physical inspection, barcoding, spreadsheets, and automated asset discovery systems). The booklet cautions that automated processes may not identify all IT devices connected to the network; management may need to track specific types of devices manually.

Datacenter operations

The AIO booklet covers the monitoring of IT services, including Service Level Agreements (SLA) and Operational Level Agreements (OLA). We count ten control features that focus on measuring IT support services to bank operations. The 2004 Operations booklet did refer to MIS reports and specific metrics but did not cover SLA/OLA-oriented control features.

We count another ten control features covering backup and replication. An eleventh item applies the same criteria to third-party backup/replication service providers. Backup and replication features in the AIO booklet that were not in the 2004 booklet include:

  • Capability to restore operations to a previous trusted state.
  • Virtual Machine (VM) versioning, replication, and life cycle policies to be applied in backup processes.
  • Data encryption and access controls to protect backup or replicated data from unauthorized access, destruction, or corruption.
  • Backup of systems documentation.

The AIO booklet also adds control features covering hardening, data storage/capacity planning, event logging, change control, incident response, and use of standard configurations. Read our post titled IT operations controls in the FFIEC Architecture, Infrastructure, and Operations Booklet for more detail.

Network / Telecoms Operations

Many of the control features in the booklet that apply to network and telecom operations also appear in the FFIEC’s Information Security booklet (2016) or the FFIEC’s Cybersecurity Assessment Tool (2015). Please stand by for a more in-depth analysis in our upcoming post: Network and telecoms controls in the FFIEC’s Architecture, Infrastructure, and Operations Booklet.

Shadow IT and End-Of-Life (EOL) IT asset management

The AIO booklet covers two IT asset control areas not previously covered in the FFIEC booklets:

  • Shadow IT. The booklet defines shadow IT as “unauthorized hardware and other devices, software, or services operating in an entity’s IT environment.” The body of the AIO booklet includes one-and-a-half pages on shadow IT.

The booklet lists shadow IT controls in a work step about tracking, managing, and reporting on information and technology assets. The step directs the examiner to “Determine whether management understands and communicates the risks of shadow IT to entity personnel. Additionally, determine whether internal audit evaluates management’s processes to monitor, identify, and remove unapproved devices, software, or services.”

Shadow IT is also mentioned in a work step about IT architecture design objectives: the examiner is directed to “determine whether management [i]ncludes considerations for avoiding the potential for shadow IT and the capability to monitor and alert for its use.”

The FFIEC’s Cybersecurity Assessment Tool refers to “unauthorized devices,” as in “[The financial institution has implemented] processes to monitor for the presence of unauthorized users, devices, connections, and software,” and “[The financial institution has implemented] controls to prevent the unauthorized addition of new connections.”

  • End-Of-Life (EOL) IT asset management. The booklet defines EOL as “a time frame usually defined by a technology vendor to describe when an asset has reached the end of its useful life cycle and when the vendor will no longer maintain and support the asset or continue to sell or license it.”

The AIO booklet contains a one-page section on IT Asset End-Of-Life. Examination Procedures for maintaining an inventory of IT assets and planning for obsolescence also mention EOL.

The FFIEC’s CAT includes the number of EOL systems a financial institution has as one of the 39 Inherent Risk Profile metrics. The CAT’s control framework mentions EOL in two items, one about proactive management (e.g., replacement) of EOL systems and the other about performing risk assessments that include the risk of using EOL systems. These two requirements are at the Evolving level of the CAT’s controls framework (Level 2, out of five levels) and apply to all but the smallest financial institutions.

The 2004 Operations booklet does not mention EOL.
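The inventory data elements, the shadow IT work step, and the EOL tracking described above all come together in one routine practice: reconciling the authorized asset inventory against what automated discovery actually sees on the network. The Python script below is an added illustration of that reconciliation; it is not code from the booklet or from DS&A, and the asset names, dates, and the 365-day “near EOL” window are constructed sample values, not figures from any examination procedure. It flags discovered assets that are unknown or marked unauthorized (shadow IT), inventory items that discovery did not see (the booklet’s caution that automated processes can miss devices), and active assets that are at or near vendor end of life.

```python
"""Reconcile an IT asset inventory against automated discovery output.

Added example, not from the FFIEC booklet or DS&A. All sample data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One inventory record carrying the data elements the booklet calls for."""
    asset_id: str                      # hostname or asset tag used by discovery
    kind: str                          # hardware, software, virtual, cloud, ...
    authorized: bool                   # the authorized/unauthorized data element
    active: bool = True                # active/inactive data element
    eol_date: Optional[date] = None    # vendor end-of-life date, if known
    tracked_manually: bool = False     # device class that network discovery cannot see


def eol_status(asset: Asset, today: date, near_window_days: int = 365) -> str:
    """Classify an asset as supported, near-end-of-life, end-of-life or unknown."""
    if asset.eol_date is None:
        return "unknown"
    if asset.eol_date <= today:
        return "end-of-life"
    if asset.eol_date - today <= timedelta(days=near_window_days):
        return "near-end-of-life"
    return "supported"


def reconcile(inventory: List[Asset], discovered: List[str], today: date,
              near_window_days: int = 365) -> Dict[str, object]:
    """Compare the authorized inventory with a list of discovered asset IDs.

    Returns three findings an examiner would ask about:
      shadow_it             - discovered but unknown, or known and marked unauthorized
      not_seen_by_discovery - active, discoverable inventory items that discovery missed
      eol                   - active assets that are at or near end of life
    """
    by_id = {a.asset_id: a for a in inventory}
    seen = set(discovered)

    shadow_it = sorted(h for h in seen if h not in by_id or not by_id[h].authorized)

    # Manually tracked device classes (e.g. environmental controllers) are
    # exempt here; everything else that is active should have been discovered.
    not_seen = sorted(a.asset_id for a in inventory
                      if a.active and not a.tracked_manually and a.asset_id not in seen)

    eol: Dict[str, str] = {}
    for a in inventory:
        if not a.active:
            continue
        status = eol_status(a, today, near_window_days)
        if status in ("end-of-life", "near-end-of-life"):
            eol[a.asset_id] = status

    return {"shadow_it": shadow_it, "not_seen_by_discovery": not_seen, "eol": eol}


# Constructed sample data (hypothetical names and dates).
SAMPLE_TODAY = date(2021, 6, 30)
SAMPLE_INVENTORY = [
    Asset("core-db-01", "hardware", authorized=True, eol_date=date(2023, 1, 31)),
    Asset("branch-fw-07", "hardware", authorized=True, eol_date=date(2021, 12, 31)),
    Asset("legacy-teller-app", "software", authorized=True, eol_date=date(2020, 1, 14)),
    Asset("vault-camera-dvr", "hardware", authorized=True),
    Asset("ups-controller-a", "hardware", authorized=True, tracked_manually=True),
    Asset("retired-fs-02", "hardware", authorized=True, active=False,
          eol_date=date(2019, 3, 1)),
    Asset("dev-laptop-jsmith", "hardware", authorized=False),
]
# What an automated discovery scan reported (constructed).
SAMPLE_DISCOVERY = ["core-db-01", "branch-fw-07", "legacy-teller-app",
                    "dev-laptop-jsmith", "nas-breakroom"]


def run_sample() -> Dict[str, object]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERY, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding, detail in run_sample().items():
        print(f"{finding}: {detail}")
```

The three findings map onto three of the booklet’s work steps: shadow IT to “monitor, identify, and remove unapproved devices,” the not-seen list to the manual tracking the booklet says may be needed when discovery misses devices, and the EOL list to planning for obsolescence. In practice the discovery list would come from a scanner or NAC export rather than a literal, and the near-EOL window would be set by the institution’s replacement lead time.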

Thank you

This has been a quick summary of some items I noticed in the AIO booklet. I will have more observations to make after I update the DS&A IT Risk Assessment controls surveys. Thank you.