On June 30, 2021, the Federal Financial Institutions Examination Council (FFIEC) released a new Architecture, Infrastructure, and Operations (AIO) booklet, as part of their IT Examination Handbook. This new booklet supersedes and replaces the previous Operations (OPS) booklet, incorporating and expanding on information technology topics in the context of enterprise goals and objectives.
In this article, we will discuss the following:
- What is AIO?
- What's new in the AIO booklet?
- What are the themes of the AIO Booklet?
What is AIO?
AIO is comprised of three elements: Architecture, Infrastructure, and Operations. The FFIEC provides the following definitions for each.
- Architecture is "the manner in which the strategic design of the hardware and software infrastructure components are organized and integrated to achieve and support the entity's business objectives."
- Infrastructure is "the physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity."
- Operations is "the performance of activities comprising methods, principles, processes, procedures, and services that support business functions."
In simpler terms:
- Architecture is about strategy. What do you want to accomplish?
- Infrastructure is about equipment. What tools do you need to get there?
- Operations is about processes. How do you plan to accomplish it?
Each element works together to ensure the success of not only the IT function within an organization, but the business, as a whole.
What's new in the AIO booklet?
Excluding some subheadings in the table of contents and a few sentences here and there, the AIO booklet initially appears to be a complete revision of the OPS booklet.
That said, just because the booklet is new doesn't mean the concepts are. The new AIO booklet is perhaps the most interconnected of all the IT examination booklets, with numerous references to each of the following. The number of times each booklet is explicitly referenced is in parentheses.
- Information Security (30)
- Business Continuity Management (12)
- Development and Acquisition (12)
- Outsourcing Technology Services (12)
- Management (6)
The booklet also directly mentions or references guidance published by other agencies, including NIST (200+) and ISACA (24). Additional agencies and organizations with a few mentions in the booklet include AICPA, CIS, ISO/IEC, FS-ISAC, OWASP, and US-CERT.
Due to the volume of references to other sources in this 164-page document, the FFIEC seems to be taking an intentional position to standardize new AIO guidance with existing industry standards and frameworks, focusing their attention on putting it into the financial industry context.
What are the themes of the AIO Booklet?
Every good piece of literature includes several themes repeated throughout the story. The FFIEC's new AIO booklet is no different. Following are eight of the more frequently discussed themes of the booklet.
- Purposes of technology. The booklet routinely reminds readers that the purpose and function of IT is to "meet the strategic and business objectives of the enterprise." Sometimes they switch it around, so the quote reads "business and strategic plan objectives," while other times it just reads "business objectives." Regardless of the terminology, the point is clear: IT is one part of a bigger picture and should be managed as such.
- Size and complexity. Perhaps one of the most helpful aspects of the booklet was a return to an obvious focus on the size and complexity of an organization. These references typically look something like, "Smaller or less complex entities [abc], while larger or more complex entities [xyz]." By providing these examples, the FFIEC introduces some breathing room, recognizing that effective AIO management is not one-size-fits-all and should be tailored to the environment.
- "Management should..." These two words are found together more than 290 times in the booklet. While responsibility can be delegated, ultimate responsibility ("accountability," if you will) lies with the management of an organization. The booklet makes recommendations for certain roles which need to be filled (either formally or informally) to ensure the success of an AIO function. These management roles include the roles of a Chief Architect, Chief Data Officer, and several other C-level roles which are described in the Management booklet.
- "Shared responsibility." Due to its broad nature, AIO depends on everyone to be successful. The FFIEC began using the term "shared responsibility" to describe these relationships. For example, "vulnerability and patch management are shared responsibilities among an entity's operations and information security personnel." By shining a light on these areas of possible confusion and delegating ultimate responsibility to management, it is clear the booklet intends to clean up some of these loose ends.
- "Confidentiality, integrity, and availability." These terms are no longer reserved strictly for the Information Security booklet, finding their home more than 30 times in the new AIO booklet. For the last several years, there has been an industry push towards ensuring independence among IT, cybersecurity, and information security. While a certain level of divergence is necessary, it seems this booklet is pulling the concepts back together again. IT cannot achieve its goals without cybersecurity and information security. As such, the booklet encourages the CIA triad's integration in AIO from the start, not added on or built in later as an afterthought.
- "Shadow IT." From humble beginnings in the Information Security booklet, shadow IT (a.k.a., "unauthorized technology," "unauthorized assets," "unauthorized devices," etc.) has created quite a name for itself in the new AIO booklet. With more than 40 mentions, the concept of shadow IT is one with pressing considerations for financial institutions. Each device used for business purposes (institution-owned or otherwise) is another entry point for vulnerabilities and, unless properly managed, can introduce significant risk to the organization.
- "Third parties." Gone are the days of relegating third parties to their own section of a booklet; third-party considerations now are the heart of the booklet. Third parties are a part of our everyday lives and as such, they are foundational to our organization's AIO. From cloud service providers to managed security service providers and everyone in-between, AIO is largely dependent on the success of its third-party service providers and the booklet makes sure its readers are well-aware of that fact.
- "Cloud computing." Bringing it all together, perhaps more than any other topic, the booklet heavily leans into "the cloud." With more than 230 mentions, topics surrounding cloud shared responsibilities, third-party involvement, and risk mitigation steal the show. Tandem's 2021 State of Cybersecurity in the Financial Institution Industry Report found that 44% of institutions plan to increase their budget for cloud services in the coming year. As more and more organizations move their AIO to the cloud, our security and technology practices must keep pace.
These eight themes just scratch the surface of the new AIO booklet. While it does not necessarily contain any "new regulations," it is designed for an industry that is looking forward to future challenges and opportunities. It reinforces and standardizes language from other sources and will be a valuable reference guide on all things AIO.
What Now?
If you are looking for next steps, we would encourage you to read the booklet for yourself and see how the concepts would apply to your organization. You can download the booklet on the FFIEC's IT Examination Handbook InfoBase website (https://ithandbook.ffiec.gov/) or by using the direct links below.
For further details about the AIO booklet, the booklet's examination procedures, and what changes will be made to Tandem in response, watch our webinar which we hosted on August 31, 2021. Fill out the form and get immediate access to the webinar recording at https://go.tandem.app/ffiec-aio-webinar/.
