A Closer Look at the I in AIO
Happy Monday, compliance friends! We know how much you all love a good series, so here you go!
A couple of weeks ago we blogged about the Federal Financial Institutions Examination Council’s (FFIEC) recently issued Architecture, Infrastructure, and Operations (AIO) booklet. Shortly after, we published a blog to take a closer look at what architecture means and FFIEC’s expectations for managing risk associated with architecture. Today’s blog will discuss the infrastructure portion of the booklet and outline a few forms of risk management suggested by the FFIEC.
As explained in the previous blog, “architecture describes how credit unions design the use of hardware and software to achieve their business goals.” Infrastructure is the hardware, software, and other elements that should fit into the strategic architectural design laid out by the credit union. The booklet explains, “IT infrastructure includes hardware, network and telecommunications, software, IT environmental controls (e.g., power and HVAC), and physical access that allow for an enterprise IT environment’s operation and management.”
Below are the essential components of a credit union’s IT infrastructure and tips on how management can keep each component safe and secure.
Hardware. Hardware can be described as the physical element of an IT system. The booklet encourages management to keep an accurate and up-to-date inventory of all hardware and ensure it is kept secure. A credit union may want to ensure it has policies and procedures for monitoring the use of active hardware and safely disposing of older hardware.
Network. This element is used to send data through interconnected components, such as hubs and switches, load balancers, routers, and servers. Management may want to ensure networks are configured to match the complexity and risk tolerance of the credit union’s overall IT system. The booklet also notes, “To reduce exposure to potential vulnerabilities and failures arising from unused services, management should implement appropriate network configuration management and change control processes.”
Telecommunications. This element includes both voice communications and data communications. Credit unions should anticipate traffic needs in order to implement systems sufficient to facilitate internal and external communication. The booklet suggests that management should implement monitoring systems to ensure the sufficiency of telecommunications tools, and use back-up systems (such as hard-wired communications lines and alternative providers).
Software. Whether to internally develop software will depend on the expertise and need of a credit union. A credit union may need to assess how much capacity it has to maintain and update certain software, and when it would be more valuable to use software developed externally. When using externally developed software, a credit union will also need to decide when to use commercial off the shelf software or custom software created for a particular function. The booklet also goes into detail about different software types, such as security software, enterprise software, and core processing software. The booklet describes maintenance, testing, and controlling access for each type of software.
Environmental Controls. These crucial controls can be described as “strategies designed to detect and prevent against natural, mechanical, and man-made risks and threats to the entity’s buildings and facilities and the affected personnel and infrastructure within them.” Environmental controls protect the credit union against serous damage to property and staff and include HVAC systems, smoke and fire detectors, water, and power. A credit union may want to ensure its policies, procedures and maintenance plans are sufficient so that environmental elements are properly monitored and managed. Today, there are plenty of options for internal monitoring of environmental factors, through both on-site and remote access. Management may also consider the options for third-party monitoring. When implementing any environmental control element, the credit union should weigh the advantages and disadvantages of each option and determine the most appropriate systems for its operations.
Physical access controls. Unauthorized access to a credit union’s facilities, physical assets, or technology assets can affect the confidentiality and use of important information. Implementing physical access controls may include validating authorizations before granting access to sensitive work areas, monitoring alarms and surveillance equipment, reviewing access lists regularly, and removing access for those who no longer need it.
Credit unions looking to review and update their procedures around information security should review the entire FFIEC Architecture, Infrastructure, and Operations (AIO) booklet.
About the Author
Loran Jackson joined NAFCU as Regulatory Compliance Counsel in April 2019 and was named Senior Regulatory Compliance Counsel in February 2021. In her role, she provides daily compliance assistance to member credit unions on a variety of topics. She also writes articles for NAFCU publications and presents at NAFCU conferences