Part Two – What’s new for IT operations?
- The booklet doubles the details for physical access, environmental controls, performance monitoring, backup / replication, and inventory management.
- It also adds work steps to assess a financial institution’s controls over End-Of-Life (EOL) and shadow IT assets, primarily in inventory management.
- IT Operations Managers: Use this post to check on your controls.
- We have updated DS&A’s 2022 IT Operations survey and have put a link to Part 1 of the survey on our website.
The booklet covers controls for hardware and software IT assets, including servers, network equipment, telecommunications equipment, and peripheral equipment and replaces FFIEC’s 2004 booklet, Operations.
The focus of this post, the second in the series, is on what the booklet says about controls in a typical data center operation, i.e., IT operations controls. The data center may be on bank premises (perhaps in a server room or closet), at a third-party location, at a co-location facility, or in the cloud.
The booklet includes an examination program containing eighteen objectives with accompanying work steps, designed to help an examiner determine how a financial institution meets each objective.
Environmental controls.
Objective 13, work steps 9a through 9d cover heating, ventilation, and air conditioning (HVAC) systems, smoke and fire mitigation systems, water detection controls, dirty power protection, and alternative power sources (e.g., batteries and generators). The steps include over fifty assessment criteria. Additional criteria in the AIO booklet not in the 2004 booklet are:
- HVAC system alarms and notification of significant temperature changes.
- Inspections of facilities for potential fire hazards.
- Water detection systems in areas near the data center or server room (e.g., in bathrooms, storage rooms, break rooms).
- Steps to protect computer equipment from “dirty power” (e.g., power lines where outages, voltage spikes, or drop-outs occur).
- Processes to power down equipment in an orderly manner.
Objective 14, work step 1d, also covers environmental controls including smoke, water, and power detection and mitigation devices and systems, as well as fire suppression systems.
Physical access controls.
Objective 13, work step 9e provides guidance on assessing physical access controls, including card key access, visitor logs, camera surveillance, and alarm systems. Additional criteria in the AIO booklet that are not in the 2004 booklet are:
- List of approved individuals with authorized physical access to the IT infrastructure facilities.
- Validation of access authorizations before granting access to restricted spaces.
- Logs of individuals that access restricted spaces (not just visitors).
- Regular reviews of access lists and removal of unnecessary access.
- Alternative physical access processes if electronic controls fail.
Objective 14, work step 1d, also covers physical access controls including use of security zones limiting access within restricted spaces and use of devices to restrict and log access to the site.
The 2004 booklet did cover this area quite extensively. Criteria that are in the 2004 booklet but are not in the AIO booklet are:
- The operations center is in a sound building with limited numbers of windows and external access points. COBIT2019 refers to “…construct[ing] IT facilities to minimize and mitigate susceptibility to environmental threats (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals, explosives).” (DSS01.04 Manage the environment.)
- Management appropriately trains employees regarding [physical] security policies and procedures. See COBIT2019: “Conduct regular physical security awareness training”. (DSS05.05 Manage physical access to IT assets.)
- Perimeter security measures (e.g., exterior lighting, gates, fences, and video surveillance) are adequate. See COBIT2019: “Restrict access to sensitive IT infrastructure by establishing perimeter restrictions, such as fences, walls, and security devices on interior and exterior doors.” (DSS05.05 Manage physical access to IT assets.)
- Guards (armed or unarmed) are present, trained, licensed, and subjected to background checks.
- Written procedures for approving and logging the receipt and removal of equipment from the premises. See COBIT2019 “Establish procedures to govern the receipt, use, removal and disposal of special forms and output devices into, within and out of the enterprise.” (DSS05.06 Manage sensitive documents and output devices.)
- Written procedures for preventing removal of information assets from the facility. See previous item.
DS&A has kept these criteria in our 2022 IT Operations controls survey.
Performance monitoring and reporting.
Two objectives in the AIO booklet cover this.
Objective 17, work steps 1 and 2 describe nineteen criteria for IT operations performance monitoring and reporting, and reference Key Performance Indicators (KPIs) and Service Level Agreements (SLAs). The steps do not go into detail about what metrics are recommended; the 2004 booklet does.
Objective 15, work step 6 describes capacity management controls and includes four criteria related to capacity monitoring:
- Routine assessment of capacity against baselines to ensure adequate performance.
- Analysis of capacity trends (e.g., increasing capacity usage) to understand capacity usage.
- Periodic analysis of projected versus actual capacity.
- Evaluation of third-party service providers’ performance in combination with internal performance to determine whether capacity can meet existing and future demands.
The work steps in the 2004 booklet refer to MIS reports and specific metrics (Objective 5). They also refer to capacity monitoring tools but do not cover the criteria in the AIO booklet.
Objective 16, work step 1, in the AIO booklet, covers monitoring of IT services, including Service Level Agreements (SLAs) and Operational Level Agreements (OLAs). However, the focus is on measuring a financial institution’s activities to assist IT management in planning, designing, and delivering services to the bank’s operations areas.
Backup / replication.
Most assessment criteria for backup and replication controls are in Objective 15 in the booklet, which is about business continuity. Work step 4a lists ten criteria for assessing backup and replication controls; work step 4b applies the same criteria to third-party backup/replication service providers.
Specific criteria in work step 4a that are not in the 2004 booklet are:
- Procedures to verify adherence to backup schedules.
- Capability to restore operations to a previous trusted state.
- Virtual Machine (VM) versioning, replication, and life cycle policies for backup processes.
- Data encryption and access controls to protect backup or replicated data from unauthorized access, destruction, or corruption.
Backup of systems documentation is referred to in Objective 5; Objective 12 includes a criterion that a financial institution should include provisions for backup and/or replication in system designs.
The 2004 booklet did cover backup and includes a criterion not covered in the AIO booklet, to “Evaluate the timeliness of off-site rotation of back-up media.”
Inventory management.
The AIO booklet covers this control area in five work steps, two pages, in Objective 4. Work steps 1 and 2 focus on policies, procedures, and practices to create and maintain a complete, up-to-date, IT asset inventory. Two of the criteria refer to specific data elements in the inventory (e.g., active/inactive, at End of Life/To be replaced, near end of life, end of life date). Work step 5 adds a data element to identify whether the asset is authorized or not.
Work step 3 reviews ways to create, maintain, and ensure the accuracy of the inventory. Various alternative methods are described in the booklet, including informal methods (e.g., physical inspection, barcoding, spreadsheets, and automated asset discovery systems).
The booklet cautions that automated methods may not identify all the IT assets connected to the network; management may need to manually track certain types of devices (page 23).
Shadow IT.
Work step 5 (we’ll come back to step 4) covers shadow IT, defined as “unauthorized hardware and other devices, software, or services operating in an entity’s IT environment”. The booklet describes how shadow IT can be identified by comparing the inventory to a list of approved assets.
This is the FFIEC’s first use of the term “shadow IT.” Guidance from the FFIEC, ISACA, and NIST refers to unauthorized devices. For example, the FFIEC’s Cybersecurity Assessment Tool (“Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software”, D3.DC.Ev.B.3), and ISACA’s COBIT2019 (“Verify and review integrity of the configuration repository / Report and review all deviations for approved corrections or action to remove any unauthorized assets”, BAI10.05).
EOL IT assets.
Objective 4, work step 4 contains work steps and criteria for managing EOL IT assets, including:
- Reviewing EOL time frames for existing assets to determine accuracy and relevance.
- Developing replacement plans for assets nearing obsolescence.
- Developing plans for maintaining IT assets beyond EOL, if necessary.
- Incorporating EOL considerations in strategic planning.
- Planning for obsolescence during initial project stages (e.g., during requests for proposals or proofs of concept).
- Addressing EOL IT assets in contract provisions with its third-party service providers.
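As an added illustration (not code from the booklet or from DS&A), the following Python reconciles a constructed asset inventory against an approved-asset list to flag shadow IT as described in work step 5, and assigns the EOL data elements (active/inactive, end of life, near end of life) described in work steps 2 and 4. The 180-day "near end of life" window and the sample asset names are assumptions.

```python
"""Inventory reconciliation: flags shadow IT and classifies EOL status (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed threshold for "near end of life"; the booklet does not prescribe one.
NEAR_EOL_WINDOW = timedelta(days=180)


@dataclass(frozen=True)
class Asset:
    asset_id: str              # e.g. serial number or hostname from discovery/inspection
    asset_type: str            # server, switch, storage, workstation ...
    active: bool               # the active/inactive inventory data element
    eol_date: Optional[date]   # vendor end-of-life date, None if not yet recorded


def eol_status(asset: Asset, today: date) -> str:
    """Map an asset's EOL date to the inventory's EOL data element."""
    if asset.eol_date is None:
        return "eol date unknown"       # a gap the inventory owner should close
    if asset.eol_date <= today:
        return "end of life"            # candidate for replacement or extended support plan
    if asset.eol_date - today <= NEAR_EOL_WINDOW:
        return "near end of life"       # feed into replacement planning
    return "supported"


def reconcile(inventory: Iterable[Asset], approved_ids: Set[str],
              today: date) -> Tuple[List[str], Dict[str, str]]:
    """Return (shadow IT asset ids, EOL status for each active asset).

    Shadow IT = anything present in the inventory but absent from the approved list,
    which is the comparison the booklet describes for work step 5.
    """
    inventory = list(inventory)
    shadow_it = sorted(a.asset_id for a in inventory if a.asset_id not in approved_ids)
    eol_report = {a.asset_id: eol_status(a, today) for a in inventory if a.active}
    return shadow_it, eol_report


# Constructed sample data (not real assets).
TODAY = date(2023, 3, 1)
INVENTORY = [
    Asset("srv-core-01", "server", True, date(2025, 6, 30)),
    Asset("sw-floor2-03", "switch", True, date(2023, 5, 15)),
    Asset("srv-legacy-07", "server", True, date(2021, 12, 31)),
    Asset("srv-retired-02", "server", False, date(2020, 1, 1)),
    Asset("nas-unknown-9f", "storage", True, None),   # found by discovery, never approved
]
APPROVED_IDS = {"srv-core-01", "sw-floor2-03", "srv-legacy-07", "srv-retired-02"}

if __name__ == "__main__":
    shadow, report = reconcile(INVENTORY, APPROVED_IDS, TODAY)
    print("Shadow IT:", shadow)
    for asset_id, status in report.items():
        print(f"{asset_id}: {status}")
```

Devices that automated discovery cannot see (the booklet's caution on page 23) are added to INVENTORY from manual tracking before reconciliation, so the comparison covers both sources.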
Other control areas.
The booklet also adds work steps and criteria to assess hardening, data storage/capacity planning, event logging, change control, incident response, and use of standard configurations.
More information
We have updated DS&A’s 2022 IT Operations survey and have put a link to Part 1 of the survey on our website.