The FFIEC AIO (Architecture, Infrastructure, and Operations) is an update to the operations handbook that was released on June 30, 2021. It doubles the size of the existing operations booklet released in 2004, and provides some considerable changes in regulatory expectations. It includes some expanded guidance from the previous booklet (on items such as hardware and software inventories, and environmental controls) as well as brand new areas of guidance (including increased accountability for board and senior management, third party risk management, and evolving technologies).
Take a few minutes to watch FINOSEC Co-Founder and CTO Scott McIlrath’s initial briefing on this update.
While there is a lot to digest, take Scott’s words to heart: “Don’t panic!” This guidance can feel overwhelming, but we are here to help identify some key takeaways. First and foremost, it’s important to realize that these updates and expectations will be based on the size and complexity of your institution, and is not a “one-size-fits-all” model. Next, this update reveals the burgeoning spotlight on the alignment of goals, strategy, and objectives, data management, and resiliency as they mesh together in your cybersecurity governance. Finally, it is clear that no system or asset is an island, and the focus has shifted from individual considerations to a deeper understanding of the relationships between assets, processes, and third party service providers.
While there will undoubtedly be more information to come, we hope this video has helped. Don’t hesitate to reach out if you have questions or concerns about this guidance, as well as how FINOSEC can help out.