FFIEC and Your Backup Storage Operations

The Bocada Team | February 12, 2019

Do you know if your backup procedures can weather an audit from the Federal Financial Institutions Examination Council (FFIEC)? Or, do you feel good about your FFIEC compliance…but dread the distraction that proving compliance always creates for you and your team?

As an interagency council comprised of five US banking regulators, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board of Governors, and the National Credit Union Administration (NCUA), the FFIEC is the central authority overseeing financial institution data practices in the United States. This means that any financial institution either based in the US or doing business in the country will be accountable to FFIEC guidelines.

The FFIEC’s robust and thorough guidelines around IT operations, business continuity planning and disaster recovery preparedness truly set it apart from other regulatory bodies. While organizations must have a clear process in place for addressing regulations, it is equally important that compliance verification processes do not derail existing oversight and data protection activities.


Through the IT Handbook, the FFIEC has developed several key guidelines that have a clear impact on backup data storage and data protection activities. These guidelines are burdensome to manage without systemic measures in place to address them.

Operations: Risk Mitigation & Control Implementation, Performance Monitoring

What It Says: “Performance monitoring and management involves measuring operational activities, analyzing the resulting metrics, and comparing them to internally established standards and industry benchmarks to assess the effectiveness and efficiency of existing operations…Diminished system or personnel performance not only affects customer satisfaction, but can also result in noncompliance with contractual SLAs that could result in monetary penalties…If economically practicable, management should automate monitoring and reporting processes.”

What It Means For Backup: These guidelines make it critical for enterprise organizations to have a standardized way to monitor their backup environments, report on backup performance-to-goal and, whenever possible, automate these activities.

To determine if your environment complies with these guidelines, ask yourself if you have:

  • An automated way to monitor and report on backup activities across cloud and on-prem environments;
  • An efficient approach to tracking backup success rates to SLA goals; and
  • Timely ways to be notified of in-progress backups that have a potential to fail.

Operations: Risk Monitoring & Reporting, Capacity Planning

What It Says: “Capacity planning involves the use of baseline performance data to model and project future needs…Management should monitor technology resources for capacity planning including platform processing speed, core storage for each platform’s central processing unit, data storage…”

What It Means For Backup: Moving beyond just backup activities and reporting, these guidelines set standards for backup storage capacity and for implementing efforts to stay ahead of capacity shortages.

To determine if your environment complies with these guidelines, ask yourself if you have:

  • Reporting to keep your team ahead of storage issues that could prevent successful backups; and
  • Timely data on storage utilization to optimize backup server usage and maximize capacity.

Business Continuity Planning: Testing Policy

What It Says: “An enterprise-wide business continuity testing policy should be established by the board and senior management and should set expectations for business lines and support functions to follow in implementing testing strategies and test plans…In-house institutions often send their backup media to a recovery site to be processed by the back-up service provider’s employees. This is not a sufficient test of an institution’s BCP and is considered ineffective because financial institution employees are not directly involved in the testing process.”

What It Means For Backup: With these guidelines, the FFIEC is developing a protocol for data restoration testing that ensures comprehensive testing across an organization’s entire backup environment.

To determine if your environment complies with these guidelines, ask yourself if you have:

  • A way to test backup performance across your entire enterprise, including geographies, departments, backup applications, cloud/on-prem and all business units;
  • Indefinite historical backup activity records; and
  • A process for isolating where backup data resides, regardless of whether it’s on tape, disk or the cloud.

Business Continuity Planning: Updating Business Continuity Plan and Test Program

What It Says: “Test owners, typically business line or support management, should assign responsibility for resolution of material business continuity problems identified during testing and should track issues to ensure that they are effectively addressed in a timely manner….Test results and issues should be periodically analyzed to determine whether problems encountered during testing could be traced to a common source, such as inadequate change control procedures.”

What It Means For Backup: These guidelines make it clear that it’s not enough to oversee backup performance. On top of that, organizations must have protocols in place for audit documentation, for troubleshooting backup failures in a timely fashion, and for isolating any systemic issues behind those failures.

To determine if your environment complies with these guidelines, ask yourself if you have:

  • A way to quickly and effectively upload support tickets to assure tracking and drive faster backup failure resolution;
  • Alerting to proactively raise awareness of any critical backup job failures;
  • Tools to help visualize and isolate failure trend patterns; and
  • A process for permanently annotating backup job records with information about any remediation processes taken.


The FFIEC IT Handbook guidelines offer value to end customers by ensuring that financial data and information are fully protected. However, in doing so, they add a great deal of complexity and operational overhead to already time-pressed backup and storage teams.

For enterprises looking to properly and efficiently address FFIEC guidelines in ever-growing data environments, automating backup data orchestration and compliance reporting is a great approach. Automation tools offer effective ways to minimize compliance-oriented labor hours while protecting backup operations. When considering tools to automate your FFIEC compliance backup activities, consider only those that:

  • Consolidate backup performance monitoring under a single pane
  • Enable reporting across your entire suite of backup applications
  • Work across cloud and on-prem backup destinations
  • Allow for reporting across business functions, business units, and geographies
  • Automate daily, weekly and monthly compliance and SLA reporting
  • Integrate with your ticketing systems
  • Include alerting features and CMDB analysis for proactive troubleshooting
  • Include automated storage and capacity trend reporting

If you’re looking to streamline your FFIEC backup compliance activities, we encourage you to schedule time for a live demonstration of Bocada’s data protection reporting and monitoring capabilities. When tested in your native backup environment, you will see immediate time savings by staying on top of FFIEC data storage and backup compliance activities.