Financial Institution Letter
Updated FFIEC IT Examination Handbook – Architecture, Infrastructure, and Operations Booklet

Summary:

The Federal Financial Institutions Examination Council (FFIEC) issued the Architecture, Infrastructure, and Operations (AIO) booklet, which is part of the FFIEC Information Technology Examination Handbook. The booklet replaces the Operations booklet issued in July 2004.

Statement of Applicability: This Financial Institution Letter (FIL) applies to all FDIC-supervised financial institutions.

Highlights:

  • The AIO booklet outlines principles and practices for managing architecture, infrastructure, and operations. This booklet describes principles and practices that examiners review to assess an entity’s AIO functions. The booklet also helps examiners determine whether management adequately addresses risks related to AIO and delivery of critical financial products and services.
  • This booklet focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall enterprise and business structure, implementation of information technology (IT) infrastructure components, and delivery of services and value for customers.
  • The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity’s programs related to AIO. The booklet focuses on assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls. Emerging technologies, such as cloud computing, micro-services, artificial intelligence, machine learning, zero trust architecture, and the Internet-of-Things, are also discussed.
  • The change in the title of the booklet from Operations to Architecture, Infrastructure, and Operations reflects the expanded role IT plays in supporting enterprise and business operations and meeting internal and external customer expectations.
  • The industry principles and frameworks included provide examiners with a durable means to assess architecture, infrastructure, and operations. The booklet issuance does not impose new requirements on examined entities.

Distribution:

FDIC-Supervised Institutions and their service providers

Suggested Routing:

Chief Executive Officer
Chief Information Officer
Chief Information Security Officer

FIL-47-2021
Last Updated: June 30, 2021