FFIEC IT Handbook - Architecture, Infrastructure, and Operations Booklet Updated
Summary
The Federal Financial Institutions Examination Council (FFIEC) has updated its IT Examination Handbook with a revised 'Architecture, Infrastructure, and Operations' booklet. This update provides guidance on enterprise-wide approaches to technology design, IT infrastructure implementation, and service delivery for financial institutions.
What changed
The FFIEC has updated the 'Architecture, Infrastructure, and Operations' booklet within its IT Examination Handbook. This guidance focuses on enterprise-wide, process-oriented approaches to technology design, IT infrastructure components, and the delivery of services and value to customers within financial institutions. The update includes revised content across various sections, including governance, board and senior management responsibilities, IT management roles, and policies and procedures.
Financial institutions should review the updated booklet to ensure their IT architecture, infrastructure, and operations align with the latest guidance. While this is an update to existing guidance and not a new regulation, adherence is expected as part of prudent IT risk management and examination processes. Compliance officers should familiarize themselves with the revised content, particularly regarding strategic planning, enterprise risk management, and specific roles like Chief Architect and Chief Data Officer.
What to do next
- Review the updated FFIEC IT Handbook 'Architecture, Infrastructure, and Operations' booklet.
- Assess current IT architecture, infrastructure, and operations against the revised guidance.
- Update internal policies and procedures as necessary to align with FFIEC recommendations.
Source document (simplified)
Architecture, Infrastructure, and Operations
The "Architecture, Infrastructure, and Operations" booklet is one in a series of booklets that compose the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). This booklet focuses on enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services and value for customers.
Booklet Contents
- Introduction
- I Architecture, Infrastructure, and Operations
- II Architecture, Infrastructure, and Operations Governance
- II.A Board and Senior Management Responsibilities
- II.A.1 Strategic Planning
- II.A.2 Enterprise Risk Management
- II.B Other Roles and Responsibilities
- II.B.1 IT Management Responsibilities
- II.B.1(a) Chief Architect
- II.B.1(b) Chief Data Officer
- II.B.1(c) IT Operations Management
- II.B.2 IT Operations Personnel Responsibilities
- II.C Policies, Standards, and Procedures
- II.D Internal Audit, Independent Reviews, and Certification Processes
- II.E Communication
- II.F Board and Senior Management Reporting
- III Common AIO Risk Management Topics
- III.A Data Governance and Data Management
- III.A.1 Data Identification and Classification
- III.A.2 Database Management
- III.A.2(a) Database Security
- III.A.3 Non-Production Environments
- III.A.4 Data Analytics
- III.B IT Asset Management
- III.B.1 Technology Asset Inventory
- III.B.1(a) Hardware Inventory
- III.B.1(b) Software Inventory
- III.B.2 IT Asset End-of-Life
- III.B.3 Shadow IT
- III.C IT and Business Environment Representations
- III.C.1 Network Diagrams
- III.C.2 Data Flow Diagrams
- III.C.3 Business Process Diagrams and Narratives
- III.D Managing Change in AIO
- III.D.1 Change Management
- III.D.2 Transitioning From Strategic Change Management to Day-to-Day Operations
- III.E Oversight of Third-Party Service Providers
- III.F Resilience
- III.G Remote Access
- III.H Personally Owned Devices
- III.I File Exchange
- IV Architecture
- IV.A Architecture Plan
- IV.B Design Objectives
- IV.C IT Architecture Design
- IV.D Enterprise Architecture
- V Infrastructure
- V.A Hardware
- V.B Network and Telecommunications
- V.B.1 Network
- V.B.2 Telecommunications
- V.B.2(a) Voice Communications
- V.B.2(b) Data Communications
- V.C Software
- V.C.1 Internally and Externally Developed Software
- V.C.2 Software Types
- V.C.2(a) Open Source Software
- V.C.2(b) Mainframe Security Software
- V.C.2(c) Application Programming Interfaces
- V.C.3 Software Hosting
- V.D Environmental Controls
- V.D.1 Heating, Ventilation, and Air Conditioning
- V.D.2 Smoke and Fire
- V.D.3 Water
- V.D.4 Power
- V.E Physical Access Controls
- VI Operations
- VI.A Operational Controls
- VI.A.1 Operating Centers
- VI.A.2 Authorization Boundary
- VI.A.3 Identity and Access Management
- VI.A.4 Personnel Controls
- VI.B IT Operational Processes
- VI.B.1 Maintenance
- VI.B.2 Configuration Management
- VI.B.3 Vulnerability and Patch Management
- VI.B.3(a) Vulnerability Management
- VI.B.3(b) Patch Management
- VI.B.4 Backup and Replication Processes
- VI.B.5 Scheduling
- VI.B.6 Capacity Management
- VI.B.7 Log Management
- VI.B.8 Disposal of Data and Media
- VI.C Service and Support Processes
- VI.C.1 Service Management
- VI.C.2 Operational Support
- VI.C.3 IT Support
- VI.C.4 Event, Incident, and Problem Management
- VI.D Ongoing Monitoring and Evaluation Processes
- VI.D.1 Monitoring and Reporting
- VI.D.2 IT and Operations Key Performance Indicators
- VI.D.3 Control Self-Assessments
- VI.D.4 Continuous Improvement
- VII Evolving Technologies
- VII.A Cloud Computing
- VII.A.1 Essential Characteristics
- VII.A.2 Cloud Service Models
- VII.A.3 Cloud Deployment Models
- VII.A.4 Shared Responsibilities
- VII.A.5 Risk Considerations for Cloud Computing
- VII.A.5(a) Access Control Considerations
- VII.B Zero Trust Architecture
- VII.C Microservices
- VII.D Artificial Intelligence and Machine Learning
- VII.E Internet of Things
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Abbreviations
- Appendix D: References