The OGO Blog

What are the FFIEC Backups and Data Vaulting Requirements?

Credit Union internet backup

Keeping up with the multitude of options available for backups/data vaulting can be a challenge for even the most tech savvy Credit Union CIO. Not only are there different strategies (3-2-1, Full, Differential, Incremental, Mirroring, etc.) but other things like your existing infrastructure, location of storage options and RTO/RPO’s make this an especially difficult strategy to get right.

Sometimes the best place to start is at the beginning – determining what is required and building out from there with your specific Credit Union’s goals in mind. The FFIEC IT Handbook was developed to give financial institutions this type of leverage/knowledge to build solid IT foundations. Let’s look at what the FFIEC backup guidelines are and how you can use them to chart your way to DR success. ( For reference, use the following link to access the FFIEC Handbook Appendix G. )

Backup Facilities

  • Recovery Site should be tested annually or when significant changes occur (everything in the FFIEC Handbook essentially begins with “should” – as an IT Professional, it helps to read this as “MUST” and sometimes even “As a MINIMUM you must”).
  • Have greater protection (controls) than production facility
  • Should mirror operational functionality – Whoa, that’s a whole separate blog topic but essentially this say areas such as if it’s critical for operations, it’s critical for recovery and your plan needs to address immediate activation of those services at the back-up site.
  • Should have geographic diversity – not on same power grid or within same strike zone

Backup and Storage Strategies

  • Should be based on your Business Impact Analysis (BIA) – criticality of the software and data files to the Credit Union’s operations.
  • Ranking of criticality should be based on risk assessment
    • The loss of these files would significantly impair the institution’s operations;
    • The files are being used to manage corporate assets or to make decisions regarding their use;
    • The files contain updated security and operating system configurations that would be necessary to resume operations in a secure manner;
    • The loss of the files would result in lost revenue; and
    • Any inaccuracy or data loss would result in significant impact on the institution (including reputation) or its customers.
  • Strategies such as electronic vaulting (data vaulting), journaling, replication, disk shadowing and mirroring are often employed to ensure the alternate site is operational at all times for immediate resumption of operations.

Data File Backup (Transactional Data Files)

  • Must be able to generate a recovery file that reflects all transactions up to the point of the service disruption.
  • The creations and rotation of core processing data backups should occur at least daily, more frequently if the volume of processing or online transaction activity warrants.

Of course the FFIEC has much more to say on this critical topic and if you haven’t already done so, bookmark the FFIEC IT Handbook now and begin a review asap. For more specific information regarding your current strategies, reach out to OGO today and we will gladly assist with your backup planning. Our Replicator and new CU Control solutions put the complexity of adhering to guidelines into your past and let you focus on creating innovative value to your Credit Union.


Why Should We Use Data Vaulting Instead of Tapes?

eBOOK – Backup And Recovery Strategies

Should I Move My Backups To The Cloud?

Credit Union Compliance and Credit Union Risk Management