ICYMI: FFIEC Updates IT Handbook
In case you missed it, there is an update to regulatory guidance that is important for credit union staff in charge of meeting NCUA’s expectations for cybersecurity risk management. While we are not IT experts here on NAFCU’s regulatory compliance team, these updates catch our attention because cybersecurity is a perennial supervisory priority at NCUA, and FFIEC guidance represents the regulator’s expectations during exams. On June 28, 2021, the Federal Financial Institutions Examination Council (FFIEC) retired its Operations Booklet and replaced it with a much longer Architecture, Infrastructure, and Operations (AIO) Booklet in its Information Technology (IT) Examination Handbook.
The retired Operations Booklet was originally published in 2004, and IT risks have changed significantly since then. The Operations Booklet was only about 80 pages in length – its replacement is double that, clocking in at 164 pages. According to the FFIEC, the AIO Booklet is designed to take a principles-based, enterprise-wide and process-oriented approach to the design of technology within the credit union’s overall business structure. The FFIEC maintains a change log that identifies the following sections as new.
The first part of the AIO Booklet specifically addresses governance and enterprise risk management. It also includes a section on specific roles and responsibilities, such as IT operations management and the responsibilities of IT operations personnel. Other issues addressed include data governance, data management, IT asset management, oversight of third-party service providers and remote access.
The section dedicated to infrastructure begins on page 49 and addresses hardware topics such as the credit union’s network and telecommunications. It also covers software types and hosting, as well as environmental controls like heating, ventilation, air conditioning, smoke and fire, water and power.
Starting on page 87, the AIO Booklet sets forth expectations for managing evolving technologies. Cloud computing services and their risk considerations are covered, as are artificial intelligence, machine learning, and the “internet of things,” meaning the collection of technologies that allow information to be sent to and received from various “smart” devices.
Appendix A of the AIO Booklet contains exam procedures that indicate how an examiner will evaluate a credit union’s architecture, infrastructure and operations. There are seventeen specific exam objectives; here are several examples:
- Determining the appropriate scope and objectives for the exam, which includes reviewing past reports like exams, internal & external audit reports, and the credit union’s overall risk assessment and profile
- Management promotes and provides effective governance of AIO functions through defined responsibilities, accountability and adequate resources
- Management understands the common risks and mitigating controls related to data governance and data management
- Management implements appropriate processes to track, manage and report on the credit union’s information and technology assets
- Management fosters effective management of change across the AIO functions
- Management maintains effective oversight of the entity’s third-party service providers responsible for activities related to AIO functions
- Management has appropriate AIO processes for managing remote access
The AIO Booklet ends with a glossary, which can be particularly helpful for those without IT expertise who are helping to ensure the credit union is meeting NCUA’s expectations in this area.