Fulfilling FFIEC Backup Compliance Obligations

The Bocada Team | January 12, 2022

As an interagency council, the Federal Financial Institutions Examination Council (FFIEC) works to create standards for governing and overseeing financial institutions across the United States. Comprised of five banking regulators, including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), the FFIEC is the central authority overseeing financial institution data practices, writing rules and providing regulatory guidance around IT operations, business continuity planning and disaster recovery preparedness for financial organizations.

Bocada’s centralized backup monitoring automation software provides banks and other financial institutions with an optimized way to ensure and demonstrate FFIEC backup compliance. By consolidating hybrid-cloud backup reporting into a single dashboard, Bocada gives compliance, data protection and storage teams a core tool to satisfy FFIEC requirements.

FFIEC Operations: Risk Monitoring & Reporting, Capacity Planning

According to FFIEC, “Capacity planning involves the use of baseline performance data to model and project future needs…Management should monitor technology resources for capacity planning including platform processing speed, core storage for each platform’s central processing unit, data storage…”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Capacity trends reporting keeps teams ahead of storage issues that can prevent successful backup activities.
  • Storage utilization reporting helps optimize backup server usage and free up unused capacity.

FFIEC Operations: Risk Mitigation & Control Implementation, Performance Monitoring

According to FFIEC, “Performance monitoring and management involves measuring operational activities, analyzing the resulting metrics, and comparing them to internally established standards and industry benchmarks to assess the effectiveness and efficiency of existing operations…Diminished system or personnel performance not only affects customer satisfaction, but can also result in noncompliance with contractual SLAs that could result in monetary penalties…If economically practicable, management should automate monitoring and reporting processes.”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Bocada acts as a data governance orchestration and automation tool to simplify monitoring and reporting of backup activities.
  • Built-in SLA compliance reporting simplifies demonstrating adherence to backup success rates, retention policy enforcement and other necessary backup activities.
  • Automated backup performance reporting identifies failed backups, enabling tailored troubleshooting so data is always protected and restorable.
  • In-progress backup job reporting across hybrid-cloud environments allows processors to proactively address issues that could harm data restoration.
  • VM Analysis Reports allow enterprises to identify machines that are not being protected by their backup software so that non-backup issues can be corrected.
  • Automated compliance report creation, scheduling and distribution offers a recurring governance process for reviewing backup fidelity and sharing compliance status with internal and external auditors.

FFIEC Operations: Risk Mitigation & Control Implementation, Storage/Backup

According to FFIEC, “…In the event of a disruption, management should not have to reconstruct data from more than one business day…”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Reporting on full, partial, and incremental backups ensures data is being backed up at the necessary time intervals.

FFIEC Business Continuity Planning: Testing Policy

According to FFIEC, “An enterprise-wide business continuity testing policy should be established by the board and senior management and should set expectations for business lines and support functions to follow in implementing testing strategies and test plans… In-house institutions often send their backup media to a recovery site to be processed by the back-up service provider’s employees. This is not a sufficient test of an institution’s BCP and is considered ineffective because financial institution employees are not directly involved in the testing process.”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Bocada pulls and normalizes data from over twenty backup products across geographies, departments, and business units, allowing for a true enterprise-wide view of backup recency and storage locations.
  • Bocada retains historical backup activity records indefinitely, assuring banks have a record of where and when data was backed up as well as the storage medium (e.g. tape, disk, or cloud).

FFIEC Business Continuity Planning: Updating Business Continuity Plan and Test Program

According to FFIEC, “Test owners, typically business line or support management, should assign responsibility for resolution of material business continuity problems identified during testing and should track issues to ensure that they are effectively addressed in a timely manner….Test results and issues should be periodically analyzed to determine whether problems encountered during testing could be traced to a common source, such as inadequate change control procedures.”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Ticketing systems integration allows for automated creation of service tickets and faster notification and resolution.
  • Built-in critical failure alerting enables processors to address data backup failures quickly so that valuable data is protected.
  • Historical annotations make it easy to audit steps taken to fix backup failures to protect data security.

FFIEC Development & Acquisition: Development Procedures, Disposal Phase

According to FFIEC, “…Organizations should maintain archived data in accordance with applicable record retention requirements. It should also archive system documentation in case it becomes necessary to reinstall a system into production. Management should destroy data by overwriting old information or degaussing (demagnetizing) disks and tapes.”

Bocada supports FFIEC backup compliance through the following capabilities:

  • Data retention policy reporting provides audit trails to verify data is kept for as long as needed and was purged when required.
  • Bocada offers reporting across media types—including tape, disk and cloud—enabling auditors to review stored information from legacy to emerging storage devices and ensure that archived data is fully disposed of.

Ready to Assess Your FFIEC Backup Compliance Readiness?

Request a demo of Bocada’s automated backup monitoring and reporting solution. Bocada consolidates data from cloud, on-prem, and endpoint backup applications, as well as storage devices, under a single console. This centralized view of backup health supports organizations’ needs to get ahead of FFIEC backup compliance obligations.
