FFIEC Issues New Booklet on IT Architecture, Infrastructure, Operations

The Federal Financial Institutions Examination Council today issued a new booklet providing guidance to help examiners assess the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations.

The new booklet, “Architecture, Infrastructure, and Operations,” replaces the “Operations” booklet issued in July 2004 and provides examiners with fundamental examination expectations regarding architecture and infrastructure planning, governance and risk management, and operations of regulated entities. It also provides examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.

The new booklet also aligns with the NIST Cybersecurity Framework (CSF), an enhancement to the IT Handbook that the American Bankers Association has been advocating for since the release of the NIST CSF in 2014. The OCC said the change in the title of the booklet from “Operations” reflects the expanded role IT now plays in supporting enterprise and business operations and meeting internal and external customer expectations.