Back to Blog

FFIEC Releases AIO Booklet

By Finosec

September 8, 2021

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

The FFIEC AIO (Architecture, Infrastructure, and Operations) is an update to the operations handbook that was released on June 30, 2021. It doubles the size of the existing operations booklet released in 2004, and provides some considerable changes in regulatory expectations. It includes some expanded guidance from the previous booklet (on items such as hardware and software inventories, and environmental controls) as well as brand new areas of guidance (including increased accountability for board and senior management, third party risk management, and evolving technologies). 

Take a few minutes to watch Finosec Co-Founder and CTO Scott McIlrath’s initial briefing on this update. 

While there is a lot to digest, take Scott’s words to heart: “Don’t panic!” This guidance can feel overwhelming, but we are here to help identify some key takeaways. First and foremost, it’s important to realize that these updates and expectations will be based on the size and complexity of your institution, and is not a “one-size-fits-all” model. Next, this update reveals the burgeoning spotlight on the alignment of goals, strategy, and objectives, data management, and resiliency as they mesh together in your cybersecurity governance. Finally, it is clear that no system or asset is an island, and the focus has shifted from individual considerations to a deeper understanding of the relationships between assets, processes, and third party service providers. 

While there will undoubtedly be more information to come, we hope this video has helped. Don’t hesitate to reach out if you have questions or concerns about this guidance, as well as how Finosec can help out. 

More from Finosec

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

The Critical Link Between Third-Party Risk Management (TPRM) and Access Management

As highlighted in a recent article from the Federal Reserve, managing third-party relationships and the access associated with those relationships is a critical component of Third-Party Risk Management (TPRM). The associated access third party vendors have to banking systems is known as Access Management and is foundational for mitigating risks associated with third-party relationships. Access Management may be easy to overlook because it does not always reside with the same person or team as TPRM; making it difficult to provide critical oversight.

With increased regulatory focus, how should institutions be thinking of Access Management? Here are five steps your institution can take today to strengthen your third-party governance.

The Critical Foundation of Managing Access to Banking Systems

The Critical Foundation of Managing Access to Banking Systems

Managing access to banking systems has become increasingly complex as financial institutions navigate legacy reporting systems, API access, and cloud solutions. These challenges, along with the risks posed by unmanaged systems, emphasize the need for maintaining a...

Talk To An Expert Now
Talk To An Expert Now 770.268.2765