Overview of the Changes to the FFIEC Operations Booklet

In June 2021, the Federal Financial Institutions Examination Council (FFIEC) made sweeping changes to the Operations booklet in its IT Examination Handbook. The FFIEC wanted the booklet to focus more on principle-based, enterprise-wide, process-oriented approaches that consider the design of technology within the overall business structure and in the context of enterprise goals and objectives. To achieve these goals, the FFIEC reorganized the Operations booklet to include three major sections: Architecture, Infrastructure, and Operations. Further, the booklet is more aligned with applicable guidance from the National Institute of Standards and Technology (NIST).

Below are brief descriptions of the major sections within the new booklet that provide the subject matter and context for examiners of financial institutions’ operations.

Architecture

Architecture is about the strategy of the business and what it wants to accomplish. Before designing a system’s foundations, management needs to clearly define this goal and any strategic initiatives, considering both the enterprise’s needs and the needs of individual business units. Once these are established, the IT architecture must be planned and designed with these initiatives in mind if they are to be achieved successfully.

Infrastructure

Infrastructure refers to the tools needed to achieve the planned IT architecture, including the products and services necessary to provide and maintain ongoing operations to support business activity. It includes hardware, network and telecommunications equipment, software, and IT environmental and physical access elements that allow a financial institution to function on a daily basis. IT infrastructure can be managed by the financial institution or by an external third-party service, like a cloud service provider.

Operations

Operations is the performance of activities to accomplish the defined mission and goal, comprising principles, processes, and procedures that support business functions. It includes the management of technology assets, as well as the daily activities that ensure transactions are completed accurately and information is delivered to support the entity’s overall business processes.

What Does This Mean for Financial Institutions?

While the core concept of evaluating IT Operations will be similar, the scope of any related examination will grow as technology and systems used by the entity become more complex and possibly extend to cloud computing. Specifically, the lists below identify the areas in each major section of the booklet that an examiner will include in their scope.

Within Architecture, an examiner will evaluate whether the entity has the following in place:

  • IT governance processes and procedures, including a process for the continued assessment of the entity’s future IT needs, with considerations for cloud computing and cybersecurity;
  • Documentation of the architecture plan, including policies, standards and procedures; and
  • Documentation of the design of the IT architecture, including a description of the entity’s current state.

Within Infrastructure, an examiner will evaluate whether the entity has the following in place:

  • Processes to identify, track, and monitor infrastructure components;
  • Sufficient resources with infrastructure knowledge, skills, and expertise;
  • Configuration management and change control processes over hardware;
  • Security and monitoring processes to analyze hardware components and detect anomalous activity;
  • Adequate use of software controls; and
  • Environmental and physical access controls.

Within Operations, an examiner will evaluate whether the entity has the following in place:

  • IT operational controls, including defined boundaries, identity and access management, and personnel controls;
  • IT operational processes, including those for configuration management, vulnerability and patch management, backup and replication, log management, and disposal of data and media;
  • Processes for service and support, including vendor management and event, incident, and problem management (including any related to cybersecurity);
  • Processes for ongoing monitoring and evaluation, including monitoring and reporting, self-assessments, and continuous improvement; and
  • Controls surrounding evolving technologies, including cloud computing, artificial intelligence, microservices, and any Internet of Things devices.

What Now? 

As you prepare for an IT Operations examination under this new guidance, we encourage you to read the booklet to find more information on these concepts. You can download the booklet on the FFIEC’s IT Examination Handbook InfoBase website (https://ithandbook.ffiec.gov/).
