FFIEC AIO Manual

by Stephanie Goetz | Jul 16, 2021


FFIEC released the new Architecture, Infrastructure, and Operations (AIO) Booklet on June 30, 2021, replacing the previous Operations Booklet. According to the FFIEC change history log, the booklet expands the focus from technology alone to an enterprise-wide, process-focused approach. Reading through it, I would certainly agree.

Personally, reading it brings back memories of hard lessons learned at large institutions. These lessons come from systems implementations gone wrong and from siloed operations, where the business and IT don't communicate or work cohesively, resulting in breakdowns, inefficiencies, and vulnerabilities. Here are five subjects new to the AIO booklet that highlight these lessons.

  1. Shadow IT - This is technology brought in without the consultation or approval of IT. With the advent of affordable cloud options, areas outside of IT can easily circumvent IT controls and consultation. This usually surfaces as a request to IT to open a port or support the solution, and IT quickly finds it didn't even know the solution existed in the environment. To sum up the problem: how can IT support or secure something it doesn't know is in its environment? Shadow IT needs to be minimized, and the vendor management and accounts payable functions are a good control point to consider, because it is hard to buy a system without funding. Keep in mind that free-tier cloud services and purchases run through expense reports will not show up in accounts payable, so this control complements, rather than replaces, discovering what is actually running on the network.

  2. Enterprise Architecture - This is the booklet's first dedicated section on Enterprise Architecture. Enterprise Architecture is the study and documentation of the institution's systems: how they integrate, how well they meet business and operational requirements, and so on. The problems this discipline can fix include redundant applications and systems that don't align with business needs, among many others. The booklet calls for all large and complex institutions to have this capability, either in-house or outsourced, and for smaller institutions to incorporate it at an appropriate scale.

  3. Data Governance - This is a completely new concept for the booklet. As technology and institutions grow, governing what data means, and how the institution defines and speaks about its calculations, concepts, and acronyms, becomes very important. In those larger institutions, I experienced a real-life "Tower of Babel" where acronyms, terms, and even key financial calculations differed depending on the department.

  4. End of Life - While not a new subject, the new booklet calls for integrating end-of-life planning into strategic initiatives and budgeting, instead of just tracking and reporting the risks already incurred. The fix is keeping technology debt front of mind when management plans future expenses and priorities.

  5. Change Management - You may be saying this was already in the Operations Booklet; however, the AIO booklet looks at it at an enterprise scale. This means considering the upstream and downstream impacts of a change and engaging all stakeholders. It also means looking at architecture impacts or incompatibilities, the rate of change, third-party service providers, and the support they need to provide. Finally, to wrap all of these considerations into one cohesive process, planning and management oversight are required.


If you have questions about the new booklet or these concepts, please reach out at support@bedelsecurity.com.
