FDIC compliance and disaster recovery
Takeaway: If you are an IT professional for a member institution of the FDIC, there are some pretty stringent guidelines for disaster recovery preparation. Make sure you know the questions auditors will be asking when it's your turn to be grilled.
Rounding out our discussions of regulatory compliance and disaster recovery (DR), we'll take a look this week at the Federal Deposit Insurance Corporation (FDIC) and what regulations it sets forth for banks and similar financial institutions when it comes to DR planning.
The FDIC is a government agency responsible for the oversight of banking and lending institutions to ensure that in the event of a crisis, depositors' monies can be returned to them on demand. Essentially, this means that if all else fails, the FDIC will insure each depositor for up to a specified amount of cash—the amount posted at the bank and in all contracts and other written instruments. Until recently, the FDIC has been very lax on even offering guidance on DR for member institutions, but it has changed its tune considerably.
Current regulations still require that DR plans be in place and functional before insurance can be issued, and an institution must prove those plans remain intact in order to pass each FDIC audit. However, the criteria for what makes a successful DR plan have become much more involved over the past several years.
For example, FDIC examinations now routinely question bank employees about what solutions are in place for backup and recovery of sensitive data, such as account information. Examiners also grill management about what technology has changed since the last audit, how the board of directors has been kept up to date on this technology, and how it will be protected. All of this means that your role as an IT worker becomes a lot more visible, since management must answer these questions. Here are the primary questions you will be asked regarding DR by an FDIC auditor, according to the FDIC's "Information Technology Examination Officer's Questionnaire":
- Do you have an organization-wide disaster recovery and business continuity program (Y/N)? If yes, please provide the name of your coordinator:
- Are disaster recovery and business continuity plans based upon a business impact analysis (Y/N)? If yes, do the plans identify recovery and processing priorities (Y/N)?
- Is disaster recovery and business continuity included in your risk assessment (Y/N)?
- Do you have formal agreements for an alternate processing site and equipment should the need arise to relocate operations (Y/N)?
- Do business continuity plans address procedures and priorities for returning to permanent and normal operations (Y/N)?
- Do you maintain offsite backups of critical information (Y/N)? If yes, is the process formally documented and audited (Y/N)?
- Do you have procedures for testing backup media at an offsite location (Y/N)?
- Have disaster recovery/business continuity plans been tested (Y/N)? If yes, please identify the system(s) tested, the corresponding test date, and the date reported to the Board.
IT security is also scrutinized during your regulatory audits. FDIC examiners are instructed to ask about access control for data systems and the security protocols you have in place at the physical plant and across the network; in addition, auditors may demand an outline of your network topology for review. This means that you're going to be working very closely with your company's compliance officers in order to provide this information and interpret the results.
The FDIC only regulates banking and similar institutions, but the lessons learned from these regulations can offer a firm base for DR planning in many other fields. Even if you don't have an FDIC auditor banging on your door, the questions they ask can be a valuable aid in securing your own organization.
To see the other recent articles on DR and compliance, check out the Disaster Recovery archive page.