Finding #21

Lack of Comprehensive Network Infrastructure Documentation

Severity Level: Priority 2

Category: Infrastructure / Compliance

Description: The bank lacks up-to-date, comprehensive network infrastructure documentation for all branches. There is no detailed network map covering all branches, including core and third-party connections, disaster recovery locations, data flows (e.g., MS365, cloud storage), and equipment details (e.g., external IPs, firewalls, switches, servers, workstations, printers, access points, VLANs, port forwarding, fax lines, HVAC, solar, postage machines). This gap complicates troubleshooting and increases downtime risk.

Impact:

  • Extended outages and downtime due to inefficient troubleshooting processes.
  • Non-compliance with FFIEC guidelines for maintaining accurate network documentation, risking audit findings.
  • Increased operational costs and potential service disruptions across branches.

FFIEC Reference:

  • FFIEC IT Examination Handbook, Operations (July 2004):
    • "Institutions should maintain accurate and up-to-date network diagrams to support operations and troubleshooting." (p. 22)
    • "Comprehensive documentation is critical for effective disaster recovery and incident response." (p. 24)

Recommendations:

  • Develop a comprehensive network map, including an overall network page (branches, core, third-party connections, disaster recovery location) and a data flow page (MS365, cloud storage).
  • For each branch, document external IPs, firewalls, switches, servers, workstation summaries, printers, access points, port forwarding, VLANs, fax lines, and other network devices (e.g., HVAC, solar, postage).
  • Assign responsibility to IT staff to maintain and update documentation at least annually.