The Federal Financial Institutions Evaluation Council (FFIEC) is a governmental body that provides interagency regulatory guidance for financial institutions. This provides a consistent framework for different regulatory bodies, and applies to the OCC, Federal Reserve, CSRB, and others. In June 2021, following large cyber attacks on the United States and the resulting Executive order on Cyber security, the FFIEC released the largest update in guidance in over a decade to help financial auditors assess financial institutions. It is an update to the 2004 Operations book, and links the different processes of Architecture, Infrastructure, and Operations (AIO) into a cohesive framework for auditors to assess. In this booklet the FFIEC discusses the principles and practices for IT and operations, as well as processes for addressing risk respective to IT systems. It also spells out management oversight of IT systems, to include governance, and provides principles for auditors to address.
Sweeping in scope, the AIO guide is very detailed on guidance for different technologies. While its more prescriptive than prior booklets, this leads to simplicity through clarity on what is expected of an organization. This blog is intended to provide a summary to cover a few aspects of this booklet, while providing reference for additional information. Its audience is technology executives and leaders who do not need to be regulatory experts, but who are affected by the regulations, and should have a better awareness. The booklet carves out responsibilities for different roles within an organization, from board and senior manager responsibilities, to chief architect and operations management responsibilities. Some of these roles include:
This blog even as summary is quite long. There simply is a ton of information in the AIO guide (100 pages) that would be relevant to different groups in IT leadership. I will summarize key points and extrapolate on the requirements, and provide links back into the guide where additional information may be available. Some key points in the guidance:
An example of the guidance to examiners, for all of these items, can be useful to groups who want to ensure their are conformant to specifics of an evaluation.
The FFIEC AIO guide defines certain functions as having risk management aspects in all components of the lifecycle, architecture, infrastructure AND operations. These common risk management topics are classified into the below domains.
There is a fair amount of coverage for each of these Risk Management Topics within the AIO guide but here is a summary of key points for leadership awareness.
Data governance and data managementinclude a number of exam criteria which are common for a data centric approach. Exam criteria include data identification and classification, controls for safeguarding data (both digital and physical), discovery and monitoring of new and existing data sources and changes, security of databases and management tools, and processes for patching and managing databases.
ITAMis IT asset management and includes processes to track, manage, and report on information and technology assets. Exam criteria include policies and standards, hardware and software inventories, processes in place to address and manage end of life and technically obsolete equipment, and processes to prevent and manage unapproved technology (shadow IT).
IT and Business Environment Representationsis validation of documentation which is the representation of the organization's IT infrastructure. It includes network diagrams, data flow diagrams, business process flow and narratives. It would include all physical and virtual technology assets, including locations and versions. It would also include all interconnectivity and process flows between lines of business and third parties, as well as locations of sensitive data.
Managing change in AIO and change managementensures that management has a change management process in place, and that any IT system or service is supported by an orderly and documented process. There are aspects of change management that would be strategic and the process should include appropriate request and review aspects. It should seek to ensure the integrity of the infrastructure and consistency of documentation.
Oversight of third-party service providersare processes that are in place to ensure appropriate levels of governance apply to third parties, with regards to service level agreements and appropriate data management policies.
Resiliencevalidates that processes are in place to ensure that hardware and software assets, as well as business processes, have appropriate controls in place to maintain confidentiality, integrity, and availability of the institutions information systems. It deals with business continuity and mitigating disruptions whether internally or externally driven.
Remote-accesscovers the policies and procedures in place for communicating through the entities perimeter for internal and external third party access. It includes tunneling (VPN), portals for client devices, direct application access, and remote desktop services.
Personally owned devicesare the practices for allowing personal devices, should they be allowed, in the infrastructure while maintaining appropriate security and segmentation.
File Exchangecovers the risk considerations in file exchange and covers how an organization exchanges files, whether it be via attachments to email, file sharing services, or other means. Some examples of risk considerations includes the protocols used for the file exchange, the data storage and retention of files, integrity of the data, as well as managing shadow IT and handling data leakage.
Architecture topics are specific to the architecture domain for assessment. It incorporates aspects such as how an organization manages its as is architecture, as well as aligns towards a to-be state. This includes the processes for how an architecture group assesses and plans for future enterprise IT needs. Through this process the architecture group is evaluated to ensure the documentation of architecture plans and design objectives is properly accomplished within an organization. This includes planning for and managing technology obsolescence, end of life of technologies, and architectural shifts. The architecture must be flexible to account for these shifts in infrastructure and technology such that the implementation and operations groups can be successful. Additional topics include architecting for and managing shadow IT, and the design of the IT architecture expanding from in house and including virtualization and cloud strategies.
Some aspects the evaluators will look at include:
Infrastructure topics include all aspects of managing an infrastructure to include people, process, and technology. Key processes that are evaluated include infrastructure management processes, ensuring supportive contractual arrangements, security, and change control processes. It also looks to ensure appropriate controls are in place to address planned scalability and interoperability of software, and associated software controls. In recent years there has been a growing focus on managing and maintaining open source software to include understanding function and validating integrity and provenance of open source software used. This means an organization needs to attest to the controls in place to validate the source of software used in an organization. Third party commercialized open source would push some of these requirements to the provider of the software, but the organization needs to ensure contractually that the provider is doing this.
Some additional aspects that are important in the infrastructure domain include:
Operations topics are the most extensively covered topics in the AIO guide. It is broken out into multiple domains including operational controls, operational processes, support and monitoring. This is because the execution of all transactions and activity is done through the day to day execution of the plan. While the selection of a lock is important, ensuring that it is actually being locked is critical and the FFIEC spends an appropriate amount of effort on ensuring the day to day activities are subject to a high level of rigor appropriate with the financial systems they support.
Banking and financial institutions have developed stronger operational controls as the core of their business is around managed risk. This expands beyond strictly technology assets but includes the facilities and access, as well as the personnel used to support the systems. A majority of security incidents are due to insider risk, which typically isn't malfeasance but human mistakes or social engineering. The FFIEC does not overlook these areas and seeks to ensure appropriate controls are in place to reduce these risks. Areas of operational controls in the AIO guide include:
There is a fair amount of consideration that goes into operational processes for a financial institution, the regular care, maintaining, and hygiene of the critical infrastructure is fundamental to deterministic availability. The AIO guide spends an appropriate amount of focus in this area, specifically around the following domains:
Service and support processes are evaluated to ensure adequate processes and controls are in place to adequately support the infrastructure. This includes ensuring effective planning around support of infrastructure as part of service management, to include SLA's and contractual provisions. It goes on the evaluate the operational support processes, controls, and reporting mechanisms in place. It also includes provisions for event management, incident management, and problem management as well as the associated documentation to track these.
Management should develop processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. In ITIL this is referred to as continual service improvement. There should be a feedback loop such that an organization has an adaptive immune system that can learn and improve over time. There should be processes in place such that operational controls develop over time, and also provide feedback to architecture for inclusion into architectural considerations.
Examiners are keyed to review for the following:
Cloud Computing:Cloud computing is a lengthy topic given the impacts on all aspects of architecture, infrastructure, and operations. Within IT organizations the concept is well understood and includes private, public, and hybrid cloud. There are multiple considerations to take into account to include shared responsibility, ensuring data controls are accounted for, and access controls are in place.
Zero Trust Architecture:Zero Trust is a shift from traditional "Castle style" security architectures where there was an internal trusted zone and a focus on a strong perimeter. The challenge with his model is similar to traditional castles, once the plague gets in, everything was exposed to lateral movement. Through not inherently trusting devices within the perimeter and treating them as untrusted by default, stronger controls can be put into place to contain and constrain a security incident. These include domains like segmentation and contextual access control.
Microservices: Microservices and container based architectures can offer IT benefits but create a number of challenges in managing. Some of these challenges include the sheer number of services and interdependencies/interconnectedness and difficulty in defining the perimeter, coupled with limitations in existing controls leads the FFIEC to define that all microservices should be treated as non-trustworthy at this time.
Artificial Intelligence and Machine Learning: There are a lot of capabilities in the data driven world for which computational heuristics and advanced systems must be used simply to manage the sheer amount of data generated. For this machine learning and artificial intelligence have shown unique strengths in helping financial systems determine fraudulent behavior and cybersecurity risk identification. However, there are concerns mostly around handing and managing the vast amount of data stored today, and access to it. There is also challenges with a lack of transparency to some users in the process, and the risk of false positives (and negatives), that institutions must address.
Internet of Things:This section applies to IoT based devices which include the proliferation of building management systems. These will become more pronounced and operationally required to meet upcoming sustainability requirements governments are adopted. There are numerous different risk challenges with these devices to include the software stack and lack of existing IT controls intrinsic and patching concerns. There is a proliferation in type, access method, OS version and cloud requirements that result in a segmentation requirement for protecting core IT infrastructure.
The FFIEC AIO guide is well documented and there is guidance for evaluators which an organization can be aware of when evaluating their internal systems. At 100 pages, but adequately classified into sections, it is to exhaustive for every person in leadership to understand the nuances. The goals of this blog were to provide a high level view of the guidance, and a reference for leadership to get additional information if there are any questions. The next blog will discuss some technologies that can help scale and address some of these challenges.