Rounding out our discussions of regulatory compliance and disaster recovery (DR), we'll take a look this week at the Federal Deposit Insurance Corporation (FDIC) and what regulations it sets forth for banks and similar financial institutions when it comes to DR planning.
The FDIC is a government agency responsible for the oversight of banking and lending institutions to ensure that in the event of a crisis, depositors' money can be returned to them on demand. Essentially, this means that if all else fails, the FDIC will insure each depositor for up to a specified amount of cash—the amount posted at the bank and in all contracts and other written instruments. Until recently, the FDIC offered member institutions little guidance on DR, but it has changed its tune considerably.
Current regulations still require that DR plans be in place and functional before insurance can be issued, and the plan must be shown to remain intact for each FDIC audit to be passed. However, the criteria for what makes a successful DR plan have become much more involved over the past several years.
For example, FDIC examinations now routinely question bank employees about what solutions are in place for backup and recovery of sensitive data—such as account information. They also grill management about what technology has changed since the last audit, how the board of directors has been kept up to date on this technology, and how it will be protected. All of this means that your role as an IT worker becomes a lot more visible, since management must answer these questions. Here are the primary questions you will be asked regarding DR by an FDIC auditor, according to the FDIC's "Information Technology Examination Officer's Questionnaire":
- Do you have an organization-wide disaster recovery and business continuity program (Y/N)? If yes, please provide the name of your coordinator:
- Are disaster recovery and business continuity plans based upon a business impact analysis (Y/N)? If yes, do the plans identify recovery and processing priorities (Y/N)?
- Is disaster recovery and business continuity included in your risk assessment (Y/N)?
- Do you have formal agreements for an alternate processing site and equipment should the need arise to relocate operations (Y/N)?
- Do business continuity plans address procedures and priorities for returning to permanent and normal operations (Y/N)?
- Do you maintain offsite backups of critical information (Y/N)? If yes, is the process formally documented and audited (Y/N)?
- Do you have procedures for testing backup media at an offsite location (Y/N)?
- Have disaster recovery/business continuity plans been tested (Y/N)? If yes, please identify the system(s) tested, the corresponding test date, and the date reported to the Board.
IT security is also scrutinized during your regulatory audits. FDIC examiners are instructed to ask about access control for data systems and the security protocols that you have in place at the physical plant and across the network; in addition, auditors may demand an outline of your network topology for review. This means that you're going to be working very closely with compliance officers from your company in order to provide this information and interpret the results.
The FDIC only regulates banking and similar institutions, but the lessons learned from these regulations can offer a firm base for DR planning in many other fields. Even if you don't have an FDIC auditor banging on your door, the questions they ask can be a useful aid in securing your own organization.
To see the other recent articles on DR and compliance, check out the Disaster Recovery archive page.