The FFIEC's New AIO Handbook

8/31/2021 - By Jason Keith, CIA, CISA

On June 30, 2021, the Federal Financial Institutions Examination Council (FFIEC) published the new Architecture Infrastructure and Operations (AIO) booklet, replacing the Operations booklet from July 2004. While this new booklet resembles its predecessor, there are significant new themes to evaluate.  

After reading Appendix A Examination Procedures, a few guiding themes began to surface. Three of these themes are considered below:

  1. There appears to be a general desire to formalize and document the decision-making process of the institution’s technology management process. Heightened scrutiny on the governance of technology operations makes sense considering the increasingly prominent role of technology within financial institutions. New questions with new terminology support this observation. A few examples include heightened use or the first appearance of terms like strategic planning, credible challenge, budgeting, KPI’s and Change Management.    
  2. Another theme in the exam questions is a focus on the transition from onsite networks to remote implementations. Ten questions specifically mention “cloud”. The questions approach the topic from different angles such as the decisive process for a move to the cloud, resiliency once there, management of information assets in the cloud and data protection/destruction.  Many of us are actively working on moving to a cloud-based environment, and it only makes sense that our exams are evolving to match this new risk profile. Related topics that receive additional focus are virtualization, remote access, and open-source software.  
  3. A final theme, which should come as no surprise, is related to data management. Questions in the appendix involve how we classify data, protect data, and follow the data life cycle through destruction. As data has become arguably our biggest liability and most valuable asset properly handling it is gaining increasing prominence.   


I found it helpful to visualize the booklet by considering the number of times selected topics appear within the booklet, and saw some interesting perspectives come out below.

In many cases, it makes sense that new terminology is needed when replacing a booklet originally authored 17 years ago. If around for another 17 years, this booklet may be one our best tools to forecast regulatory priorities now and into the future. Make time to digest the booklet and be prepared for some new questions in your next exam!


Contact our IT team for any questions regarding this new FFIEC booklet! 

About the Author | Jason Keith, CIA, CISA

Jason is a senior technology risk consultant at Saltmarsh, Cleaveland and Gund. He specializes in consulting highly-regulated industries such as financial institutions, healthcare organizations and the defense industrial base, providing information security assessments, vulnerability and penetration testing and other related information security compliance services. Jason has over 20 years of professional experience and has held several technology-focused leadership roles with previous organizations, including Vice President of Risk, Chief Information Officer, and Chief Operations Officer.

Related Posts