FFIEC Architecture, Infrastructure, and Operations Booklet - WST

On Wednesday, June 30, the FFIEC released a significantly updated operations booklet called the Architecture, Infrastructure, and Operations Booklet. This new AIO Booklet replaces the Operations Booklet within the FFIEC IT Handbook. In cursory review, the new booklet appears to be a major revision from the previous version released in 2004 and will undoubtedly impact future examinations and audits for all financial institutions.

Some items of particular interest are the addition of the “Evolving Technologies” section, which adds focus on Cloud Computing, Zero Trust Architecture, and Microservices. There are also updates to the “IT Management Responsibilities” section.

Also, there are new statements regarding log management, primarily the impact of large log and event streams and the common inability of most institutions’ IT staff to keep up with and interpret that information without automation or third-party services.

…and those are just some of the changes! This new booklet appears to cover modern technologies and associated information security risks at a depth which we at 10-D Security have been anticipating for quite some time.

Look out for more WSTs and a blog post in the near future regarding the new AIO Booklet contents as we digest it internally and incorporate its new elements into our audits and assessments.

In the meantime, we encourage management, information security, and IT operations staff at financial institutions to read through this new booklet and chat with us about any opinions, interpretations, comments, or concerns that may come up. Your thoughts on this guidance and other regulatory documentation helps to shape our work programs for appropriate scaling of size and complexity that our community financial institution clients expect.

Additionally, if you’d like to do some comparisons, the old FFIEC Operations Booklet is still available in PDF form from the FFIEC and on the Wayback Machine Internet archive as it appeared in the past (for now).

https://ithandbook.ffiec.gov/media/394443/ffiec_itbooklet_operations_2004.pdf https://web.archive.org/web/20210318000157/https:/ithandbook.ffiec.gov/it-booklets/operations.aspx

Authored by: Mike Smith, AWS-CCP and Kyle J. Stelly, CISSP, PCIP