Recovery Time is a Critical Element of a Financial Institution’s Business Continuity Plan

Data recovery time is a critical part of meeting the requirements of the FFIEC IT examination for financial institutions.

The Business Impact Analysis was a section added to the FFIEC (Federal Financial Institutions Examination Council) Business Continuity Planning Booklet in 2008. The Business Continuity Planning Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook.


According to the FFIEC, a business impact analysis (BIA) is the first step in the business continuity planning process and should include the:

  • Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis;
  • Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes;
  • Identification of the legal and regulatory requirements for the institution’s business functions and processes;
  • Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution’s business functions and processes; and
  • Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.

The last two points are of special importance. Being able to recover your data is not the whole issue. Being able to recover your data in a time frame that meets business objectives is critical.

As we have stated in our post “Don’t Forget These Things When Data Backup And Recovery Processes Are Being Developed,” a major part of the backup and recovery process is the physical network. A few of the factors that affect the infrastructure design are the frequency of the backups, the time within which a restore must complete to be effective, the medium on which the data resides, and the proximity of the backup location to the original site. Networks may be under-powered to meet data backup and recovery requirements.

Recovery involves more than recovering from a catastrophic event. Data backup and recovery strategies must also meet company policies regarding regulatory requirements, data breaches, the ability to respond to court orders, and more. This requires coordinated strategies and testing. Data backup strategies must be planned and tested to ensure that all company requirements regarding data retention and recovery are met.

Outsourcing data backup processes is one way to get expert guidance from data backup specialists who know their field. Outsourcing to an American managed service provider (MSP) is often the preferred choice, especially if the data can remain within the control of the company and only the backup and recovery procedures are performed remotely by the data backup and recovery MSP.

To discuss data backup and recovery processes further, as they apply to regulatory requirements, contact Salvus Data Consultants. Salvus uses Tivoli Storage Management (TSM) remotely to manage data backup and recovery while you maintain control of your data.