The Federal Financial Institutions Examination Council (FFIEC) issued the Architecture, Infrastructure, and Operations (AIO) booklet, which is part of the FFIEC Information Technology Examination Handbook. The booklet replaces the Operations booklet issued in July 2004.
Statement of Applicability: This Financial Institution Letter (FIL) applies to all FDIC-supervised financial institutions.
- The AIO booklet outlines principles and practices for managing architecture, infrastructure, and operations. This booklet describes principles and practices that examiners review to assess an entity’s AIO functions. The booklet also helps examiners determine whether management adequately addresses risks related to AIO and delivery of critical financial products and services.
- This booklet focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall enterprise and business structure, implementation of information technology (IT) infrastructure components, and delivery of services and value for customers.
- The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity’s programs related to AIO. The booklet focuses on assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls. Additionally discussed are, emerging technologies, such as cloud computing, micro-services, artificial intelligence, machine learning, zero trust architecture, and the Internet-of-Things.
- The change in the title of the booklet from Operations to Architecture, Infrastructure, and Operations reflects the expanded role IT plays in supporting enterprise and business operations and meeting internal and external customer expectations.
- The industry principles and frameworks included provide examiners with a durable means to assess architecture, infrastructure, and operations. The booklet issuance does not impose new requirements on examined entities.
FDIC-Supervised Institutions and their service providers
Chief Executive Officer
Chief Information Officer
Chief Information Security Officer