3109 Federal Register / Vol. 64, No. 12 / Wednesday, January 20, 1999 /
Notices FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
Uniform Rating System for Information
Technology
Introduction
The quality, reliability, and integrity of a financial institution or
service provider's information technology (IT) affects all aspects of its
performance. An assessment of the technology risk management framework is
necessary whether or not the institution or a third-party service provider
manages these operations. The Uniform Rating System for Information
Technology (URSIT) is an internal rating system used by federal and state
regulators to uniformly assess financial institution and service provider
risks introduced by IT. It also allows the regulators to identify those
insured institutions and service providers whose information technology
risk exposure or performance requires special supervisory attention. The
rating system includes component and composite rating descriptions and the
explicit identification of risks and assessment factors that examiners
consider in assigning component ratings. Additionally, information
technology can affect the risks associated with financial institutions.
The effect on credit, operational, market, reputation, strategic,
liquidity, interest rate, and compliance risks should be considered for
each IT rating component.
The primary purpose of the rating system is to identify those entities
whose condition or performance of information technology functions
requires special supervisory attention. This rating system assists
examiners in making an assessment of risk and compiling examination
findings. However, the rating system does not drive the scope of an
examination. Examiners should use the rating system to help evaluate the
entity's overall risk exposure and risk management performance, and
determine the degree of supervisory attention believed necessary to ensure
that weaknesses are addressed and that risk is properly managed.
Overview
The URSIT is based on a risk evaluation of four critical components:
Audit, Management, Development and Acquisition, and Support and Delivery
(AMDS). These components are used to assess the overall performance of IT
within an organization. Examiners evaluate the functions identified within
each component to assess the institution's ability to identify, measure,
monitor and control information technology risks. Each organization
examined for IT is assigned a summary or composite rating based on the
overall results of the evaluation. The IT composite rating and each
component rating are based on a scale of ''1'' through ''5'' in ascending
order of supervisory concern; ''1'' representing the highest rating and
least degree of concern, and ''5'' representing the lowest rating and
highest degree of concern.
The first step in developing an IT composite rating for an organization
is the assignment of a performance rating to the individual AMDS
components. The evaluation of each of these components, their
interrelationships, and relative importance is the basis for the composite
rating. The composite rating is derived by making a qualitative
summarization of all of the AMDS components. A direct relationship exists
between the composite rating and the individual AMDS component performance
ratings. However, the composite rating is not an arithmetic average of the
individual components. An arithmetic approach does not reflect the actual
condition of IT when using a risk-focused approach. A poor rating in one
component may heavily influence the overall composite rating for an
institution. For example, if the audit function is viewed as inadequate,
the overall integrity of the IT systems is not readily verifiable. Thus, a
composite rating of less than satisfactory (''3''-''5'') would normally be
appropriate.
A principal purpose of the composite rating is to identify those
financial institutions and service providers that pose an inordinate
amount of information technology risk and merit special supervisory
attention. Thus, individual risk exposures that more explicitly affect the
viability of the organization and/or its customers should be given more
weight in the composite rating.
The FFIEC recognizes that management practices, particularly as they
relate to risk management, vary considerably among financial institutions
and service bureaus depending on their size and sophistication, the nature
and complexity of their business activities and their risk profile.
Accordingly, the FFIEC also recognizes that for less complex information
systems environments, detailed or highly formalized systems and controls
are not required to receive the higher composite and component ratings.
The following two sections contain the URSIT composite rating
definitions, the assessment factors, and definitions for the four
component ratings. These assessment factors and definitions outline
various IT functions and controls that may be evaluated as part of the
examination.
Composite Ratings
Composite 1
Financial institutions and service providers rated composite ''1''
exhibit strong performance in every respect and generally have components
rated 1 or 2. Weaknesses in IT are minor in nature and are easily
corrected during the normal course of business. Risk management processes
provide a comprehensive program to identify and monitor risk relative to
the size, complexity and risk profile of the entity. Strategic plans are
well defined and fully integrated throughout the organization. This allows
management to quickly adapt to changing market, business and technology
needs of the entity. Management identifies weaknesses promptly and takes
appropriate corrective action to resolve audit and regulatory concerns.
The financial condition of the service provider is strong and overall
performance shows no cause for supervisory concern.
Composite 2
Financial institutions and service providers rated composite ''2''
exhibit safe and sound performance but may demonstrate modest weaknesses
in operating performance, monitoring, management processes or system
development. Generally, senior management corrects weaknesses in the
normal course of business. Risk management processes adequately identify
and monitor risk relative to the size, complexity and risk profile of the
entity. Strategic plans are defined but may require clarification, better
coordination or improved communication throughout the organization. As a
result, management anticipates, but responds less quickly to changes in
market, business, and technological needs of the entity. Management
normally identifies weaknesses and takes appropriate corrective action.
However, greater reliance is placed on audit and regulatory intervention
to identify and resolve concerns. The financial condition of the service
provider is acceptable and while internal control weaknesses may exist,
there are no significant supervisory concerns. As a result, supervisory
action is informal and limited.
Composite 3
Financial institutions and service providers rated composite ''3''
exhibit some degree of supervisory concern due to a combination of
weaknesses that may range from moderate to severe. If weaknesses persist,
further deterioration in the condition and performance of the institution
or service provider is likely. Risk management processes may not
effectively identify risks and may not be appropriate for the size,
complexity, or risk profile of the entity. Strategic plans are vaguely
defined and may not provide adequate direction for IT initiatives. As a
result, management often has difficulty responding to changes in business,
market, and technological needs of the entity. Self-assessment practices
are weak and are generally reactive to audit and regulatory exceptions.
Repeat concerns may exist, indicating that management may lack the ability
or willingness to resolve concerns. The financial condition of the service
provider may be weak and/or negative trends may be evident. While
financial or operational failure is unlikely, increased supervision is
necessary. Formal or informal supervisory action may be necessary to
secure corrective action.
Composite 4
Financial institutions and service providers rated composite ''4''
operate in an unsafe and unsound environment that may impair the future
viability of the entity. Operating weaknesses are indicative of serious
managerial deficiencies. Risk management processes inadequately identify
and monitor risk, and practices are not appropriate given the size,
complexity, and risk profile of the entity. Strategic plans are poorly
defined and not coordinated or communicated throughout the organization.
As a result, management and the board are not committed to, or may be
incapable of ensuring that technological needs are met. Management does
not perform self-assessments and demonstrates an inability or
unwillingness to correct audit and regulatory concerns. The financial
condition of the service provider is severely impaired and/or
deteriorating. Failure of the financial institution or service provider
may be likely unless IT problems are remedied. Close supervisory attention
is necessary and, in most cases, formal enforcement action is warranted.
Composite 5
Financial institutions and service providers rated composite ''5''
exhibit critically deficient operating performance and are in need of
immediate remedial action. Operational problems and serious weaknesses may
exist throughout the organization. Risk management processes are severely
deficient and provide management little or no perception of risk relative
to the size, complexity, and risk profile of the entity. Strategic plans
do not exist or are ineffective, and management and the board provide
little or no direction for IT initiatives. As a result, management is
unaware of, or inattentive to technological needs of the entity.
Management is unwilling or incapable of correcting audit and regulatory
concerns. The financial condition of the service provider is poor and
failure is highly probable due to poor operating performance or financial
instability. Ongoing supervisory attention is necessary.
Component Ratings
Audit
Financial institutions and service providers are expected to provide
independent assessments of their exposure to risks and the quality of
internal controls associated with the acquisition, implementation and use
of information technology. Audit practices should address the IT risk
exposures throughout the institution and its service provider(s) in the
areas of user and data center operations, client/server architecture,
local and wide area networks, telecommunications, information security,
electronic data interchange, systems development, and contingency
planning. This rating should reflect the adequacy of the organization's
overall IT audit program, including the internal and external auditor's
abilities to detect and report significant risks to management and the
board of directors on a timely basis. It should also reflect the internal
and external auditor's capability to promote a safe, sound, and effective
operation.
The performance of audit is rated based upon an assessment of factors
such as:
1. The level of independence maintained by audit and the quality of the
oversight and support provided by the board of directors and
management.
2. The adequacy of audit's risk analysis methodology used to prioritize
the allocation of audit resources and to formulate the audit
schedule.
3. The scope, frequency, accuracy, and timeliness of internal and external
audit reports. The extent of audit participation in application
development, acquisition, and testing, to ensure the effectiveness of
internal controls and audit trails.
4. The adequacy of the overall audit plan in providing appropriate
coverage of IT risks. The auditor's adherence to codes of ethics and
professional audit standards.
5. The qualifications of the auditor, staff succession, and continued
development through training.
6. The existence of timely and formal follow-up and reporting on
management's resolution of identified problems or weaknesses.
7. The quality and effectiveness of internal and external audit activity
as it relates to IT controls.
Ratings
1. A rating of ''1'' indicates strong audit performance. Audit
independently identifies and reports weaknesses and risks to the board of
directors or its audit committee in a thorough and timely manner.
Outstanding audit issues are monitored until resolved. Risk analysis
ensures that audit plans address all significant IT operations,
procurement, and development activities with appropriate scope and
frequency. Audit work is performed in accordance with professional
auditing standards and report content is timely, constructive, accurate,
and complete. Because audit is strong, examiners may place substantial
reliance on audit results.
2. A rating of ''2'' indicates satisfactory audit performance. Audit
independently identifies and reports weaknesses and risks to the board of
directors or audit committee, but reports may be less timely. Significant
outstanding audit issues are monitored until resolved. Risk analysis
ensures that audit plans address all significant IT operations,
procurement, and development activities; however, minor concerns may be
noted with the scope or frequency. Audit work is performed in accordance
with professional auditing standards; however, minor or infrequent
problems may arise with the timeliness, completeness and accuracy of
reports. Because audit is satisfactory, examiners may rely on audit
results but because minor concerns exist, examiners may need to expand
verification procedures in certain situations.
3. A rating of ''3'' indicates less than satisfactory audit
performance. Audit identifies and reports weaknesses and risks; however,
independence may be compromised and reports presented to the board or
audit committee may be less than satisfactory in content and timeliness.
Outstanding audit issues may not be adequately monitored. Risk analysis is
less than satisfactory. As a result, the audit plan may not provide
sufficient audit scope or frequency for IT operations, procurement, and
development activities. Audit work is generally performed in accordance
with professional auditing standards; however, occasional problems may be
noted with the timeliness, completeness and/or accuracy of reports.
Because audit is less than satisfactory, examiners must use caution if
they rely on the audit results.
4. A rating of ''4'' indicates deficient audit performance. Audit may
identify weaknesses and risks but it may not independently report to the
board or audit committee and report content may be inadequate. Outstanding
audit issues may not be adequately monitored and resolved. Risk analysis
is deficient. As a result, the audit plan does not provide adequate audit
scope or frequency for IT operations, procurement, and development
activities. Audit work is often inconsistent with professional auditing
standards and the timeliness, accuracy, and completeness of reports is
unacceptable. Because audit is deficient, examiners cannot rely on audit
results.
5. A rating of ''5'' indicates critically deficient audit performance.
If an audit function exists, it lacks sufficient independence and, as a
result, does not identify and report weaknesses or risks to the board or
audit committee. Outstanding audit issues are not tracked and no follow-up
is performed to monitor their resolution. Risk analysis is critically
deficient. As a result, the audit plan is ineffective and provides
inappropriate audit scope and frequency for IT operations, procurement and
development activities. Audit work is not performed in accordance with
professional auditing standards and major deficiencies are noted regarding
the timeliness, accuracy, and completeness of audit reports. Because audit
is critically deficient examiners cannot rely on audit results.
Management
This rating reflects the abilities of the board and management as they
apply to all aspects of IT acquisition, development, and operations.
Management practices may need to address some or all of the following
IT-related risks: strategic planning, quality assurance, project
management, risk assessment, infrastructure and architecture, end-user
computing, contract administration of third party service providers,
organization and human resources, regulatory and legal compliance.
Generally, directors need not be actively involved in day-to-day
operations; however, they must provide clear guidance regarding acceptable
risk exposure levels and ensure that appropriate policies, procedures, and
practices have been established. Sound management practices are
demonstrated through active oversight by the board of directors and
management, competent personnel, sound IT plans, adequate policies and
standards, an effective control environment, and risk monitoring. This
rating should reflect the board's and management's ability as it applies
to all aspects of IT operations.
The performance of management and the quality of risk management are
rated based upon an assessment of factors such as:
1. The level and quality of oversight and support of the IT activities
by the board of directors and management.
2. The ability of management to plan for and initiate new activities or
products in response to information needs and to address risks that may
arise from changing business conditions.
3. The ability of management to provide information reports necessary for
informed planning and decision making in an effective and efficient
manner.
4. The adequacy of, and conformance with, internal policies and controls
addressing the IT operations and risks of significant business
activities.
5. The effectiveness of risk monitoring systems. The timeliness of
corrective action for reported and known problems.
6. The level of awareness of and compliance with laws and
regulations. The level of planning for management succession.
7. The ability of management to monitor the services delivered and to
measure the organization's progress toward identified goals in an
effective and efficient manner.
8. The adequacy of contracts and management's ability to monitor
relationships with third-party servicers.
9. The adequacy of strategic planning and risk management practices to
identify, measure, monitor, and control risks, including management's
ability to perform self-assessments.
10. The ability of management to identify, measure, monitor, and control
risks and to address emerging information technology needs and solutions.
In addition to the above, factors such as the following are included in
the assessment of management at service providers: b The financial
condition and ongoing viability of the entity.
1. The impact of external and internal trends and other factors on the
ability of the entity to support continued servicing of client financial
institutions.
2. The propriety of contractual terms and plans.
Ratings
1. A rating of ''1'' indicates strong performance by management and the
board. Effective risk management practices are in place to guide IT
activities, and risks are consistently and effectively identified,
measured, controlled, and monitored. Management immediately resolves audit
and regulatory concerns to ensure sound operations. Written technology
plans, policies and procedures, and standards are thorough and properly
reflect the complexity of the IT environment. They have been formally
adopted, communicated, and enforced throughout the organization. IT
systems provide accurate, timely reports to management. These reports
serve as the basis of major decisions and as an effective
performance-monitoring tool. Outsourcing arrangements are based on
comprehensive planning; routine management supervision sustains an
appropriate level of control over vendor contracts, performance, and
services provided. Management and the board have demonstrated the ability
to promptly and successfully address existing IT problems and potential
risks.
2. A rating of ''2'' indicates satisfactory performance by management
and the board. Adequate risk management practices are in place and guide
IT activities. Significant IT risks are identified, measured, monitored,
and controlled; however, risk management processes may be less structured
or inconsistently applied and modest weaknesses exist. Management
routinely resolves audit and regulatory concerns to ensure effective and
sound operations, however, corrective actions may not always be
implemented in a timely manner. Technology plans, policies and procedures,
and standards are adequate and are formally adopted. However, minor
weaknesses may exist in management's ability to communicate and enforce
them throughout the organization. IT systems provide quality reports to
management which serve as a basis for major decisions and a tool for
performance planning and monitoring. Isolated or temporary problems with
timeliness, accuracy or consistency of reports may exist. Outsourcing
arrangements are adequately planned and controlled by management, and
provide for a general understanding of vendor contracts, performance
standards and services provided. Management and the board have
demonstrated the ability to address existing IT problems and risks
successfully.
3. A rating of ''3'' indicates less than satisfactory performance by
management and the board. Risk management practices may be weak and offer
limited guidance for IT activities. Most IT risks are generally
identified; however, processes to measure and monitor risk may be flawed.
As a result, management's ability to control risk is less than
satisfactory. Regulatory and audit concerns may be addressed, but time
frames are often excessive and the corrective action taken may be
inappropriate. Management may be unwilling or incapable of addressing
deficiencies. Technology plans, policies and procedures, and standards
exist, but may be incomplete. They may not be formally adopted,
effectively communicated, or enforced throughout the organization. IT
systems provide requested reports to management, but periodic problems
with accuracy, consistency and timeliness lessen the reliability and
usefulness of reports and may adversely affect decision making and
performance monitoring. Outsourcing arrangements may be entered into
without thorough planning. Management may provide only cursory supervision
that limits their understanding of vendor contracts, performance
standards, and services provided. Management and the board may not be
capable of addressing existing IT problems and risks, evidenced by
untimely corrective actions for outstanding IT problems.
4. A rating of ''4'' indicates deficient performance by management and
the board. Risk management practices are inadequate and do not provide
sufficient guidance for IT activities. Critical IT risk are not properly
identified, and processes to measure and monitor risks are deficient. As a
result, management may not be aware of and is unable to control risks.
Management may be unwilling and/or incapable of addressing audit and
regulatory deficiencies in an effective and timely manner. Technology
plans, policies and procedures, and standards are inadequate, have not
been formally adopted, or effectively communicated throughout the
organization, and management does not effectively enforce them. IT systems
do not routinely provide management with accurate, consistent, and
reliable reports, thus contributing to ineffective performance monitoring
and/or flawed decision making. Outstanding arrangements may be entered
into without planning or analysis, and management may provide little or no
supervision of vendor contracts, performance standards, or services
provided. Management and the board are unable to address existing IT
problems and risks, as evidenced by ineffective actions and longstanding
IT weaknesses. Strengthening of management and its processes is necessary.
The financial condition of the service provider may threaten its
viability.
5. A rating of ''5'' indicates critically deficient performance by
management and the board. Risk management practices are severely flawed
and provide inadequate guidance for IT activities. Critical IT risks are
not identified, and processes to measure and monitor risks do not exist,
or are not effective. Management's inability to control risk may threaten
the continued viability of the institution or service provider. Management
is unable and/or unwilling to correct audit and regulatory identified
deficiencies and immediate action by the board is required to preserve the
viability of the institution or service provider. If they exist,
technology plans, policies and procedures, and standards are critically
deficient. Because of systemic problems, IT systems do not produce
management reports which are accurate, timely, or relevant. Outsourcing
arrangements may have been entered into without management planning or
analysis, resulting in significant losses to the financial institution or
ineffective vendor services. The financial condition of the service
provider presents an imminent threat to its viability.
Development and Acquisition
This rating reflects an organization's ability to identify, acquire,
install, and maintain appropriate information technology solutions.
Management practices may need to address all or parts of the business
process for implementing any kind of change to the hardware or software
used. These business processes include an institution's or service
provider's purchase of hardware or software, development and programming
performed by the institution or service provider, purchase of services
from independent vendors or affiliated data centers, or a combination of
these activities. The business process is defined as all phases taken to
implement a change including researching alternatives available, choosing
an appropriate option for the organization as a whole, and converting to
the new system, or integrating the new system with existing systems. This
rating reflects the adequacy of the institution's systems development
methodology and related risk management practices for acquisition and
deployment of information technology. This rating also reflects the boards
and management's ability to enhance and replace information technology
prudently in a controlled environment.
The performance of systems development and acquisition and related risk
management practice is rated based upon an assessment of factors such as:
1. The level and quality of oversight and support of systems
development and acquisition activities by senior management and the board
of directors.
2. The adequacy of the organizational and management structures to
establish accountability and responsibility for IT systems and technology
initiatives.
3. The volume, nature, and extent of risk exposure to the financial
institution in the area of systems development and acquisition.
4. The adequacy of the institution's Systems Development Life Cycle (SDLC)
and programming standards.
5. The quality of project management programs and practices which are
followed by developers, operators, executive management/owners,
independent vendors or affiliated servicers, and end-users.
6. The independence of the quality assurance function and the adequacy of
controls over program changes.
7. The quality and thoroughness of system documentation.
8. The integrity and security of the network, system, and application
software.
9. The development of information technology solutions that meet the needs
of end users.
10. The extent of end user involvement in the system development process.
In addition to the above, factors such as the following are included in
the assessment of development and acquisition at service providers:
1. The quality of software releases and documentation.
2. The adequacy of training provided to clients.
Ratings
1. A rating of ''1'' indicates strong systems development, acquisition,
implementation, and change management performance. Management and the
board routinely demonstrate successfully the ability to identify and
implement appropriate IT solutions while effectively managing risk.
Project management techniques and the SDLC are fully effective and
supported by written policies, procedures and project controls that
consistently result in timely and efficient project completion. An
independent quality assurance function provides strong controls over
testing and program change management. Technology solutions consistently
meet end user needs. No significant weaknesses or problems exist.
2. A rating of ''2'' indicates satisfactory systems development,
acquisition, implementation, and change management performance. Management
and the board frequently demonstrate the ability to identify and implement
appropriate IT solutions while managing risk. Project management and the
SDLC are generally effective; however, weaknesses may exist that result in
minor project delays or cost overruns. An independent quality assurance
function provides adequate supervision of testing and program change
management, but minor weaknesses may exist. Technology solutions meet end
user needs. However, minor enhancements may be necessary to meet original
user expectations. Weaknesses may exist; however, they are not significant
and they are easily corrected in the normal course of business.
3. A rating of ''3'' indicates less than satisfactory systems
development, acquisition, implementation, and change management
performance. Management and the board may often be unsuccessful in
identifying and implementing appropriate IT solutions; therefore,
unwarranted risk exposure may exist. Project management techniques and the
SDLC are weak and may result in frequent project delays, backlogs or
significant cost overruns. The quality assurance function may not be
independent of the programming function which may adversely impact the
integrity of testing and program change management. Technology solutions
generally meet end user needs, but often require an inordinate level of
change after implementation. Because of weaknesses, significant problems
may arise that could result in disruption to operations or significant
losses.
4. A rating of ''4'' indicates deficient systems development,
acquisition, implementation and change management performance. Management
and the board may be unable to identify and implement appropriate IT
solutions and do not effectively mange risk. Project management techniques
and the SDLC are ineffective and may result in severe project delays and
cost overruns. The quality assurance function is not fully effective and
may not provide independent or comprehensive review of testing controls or
program change management. Technology solutions may not meet the critical
needs of the organization. Problems and significant risks exist that
require immediate action by the board and management to preserve the
soundness of the institution.
5. A rating of ''5'' indicates critically deficient systems
development, acquisition, implementation, and change management
performance. Management and the board appear to be incapable of
identifying, and implementing appropriate information technology
solutions. If they exist, project management techniques and the SDLC are
critically deficient and provide little or no direction for development of
systems or technology projects. The quality assurance function is severely
deficient or not present and unidentified problems in testing and program
change management have caused significant IT risks. Technology solutions
do not meet the needs of the organization. Serious problems and
significant risks exist which raise concern for the financial
institution's or service providers' ongoing viability.
Support and Delivery
This rating reflects an organization's ability to provide technology
services in a secure environment. It reflects not only the condition of IT
operations but also factors such as reliability, security, and integrity,
which may affect the quality of the information delivery system. The
factors include customer support and training, and the ability to manage
problems and incidents, operations, system performance, capacity planning,
and facility and data management. Risk management practices should promote
effective, safe and sound IT operations that ensure the continuity of
operations and the reliability and availability of data. The scope of this
component rating includes operational risks throughout the organization
and service providers.
The rating of IT support and delivery is based on a review and
assessment of requirements such as:
1. The ability to provide a level of service that meets the
requirements of the business.
2. The adequacy of security policies, procedures, and practices in all
units and at all levels of the financial institution and service
providers.
3. The adequacy of data controls over preparation, input, processing, and
output.
4. The adequacy of corporate contingency planning and business resumption
for data centers, networks, service providers and business units.
5. The quality of processes or programs that monitor capacity and
performance.
6. The adequacy of controls and the ability to monitor controls at service
providers.
7. The quality of assistance provided to users, including the ability to
handle problems.
8. The adequacy of operating policies, procedures, and manuals.
9. The quality of physical and logical security, including the privacy of
data.
10. The adequacy of firewall architectures and the security of connections
with public networks.
In addition to the above, factors such as the following are included in
the assessment of support and delivery at service providers:
1. The adequacy of customer service provided to clients. 2. The ability
of the entity to provide and maintain service level performance that meets
the requirements of the client.
1. A rating of ''1'' indicates strong IT support and delivery
performance. The organization provides technology services that are
reliable and consistent. Service levels adhere to well-defined service
level agreements and routinely meet or exceed business requirements. A
comprehensive corporate contingency and business resumption plan is in
place. Annual contingency plan testing and updating is performed; and,
critical systems and applications are recovered within acceptable time
frames. A formal written data security policy and awareness program is
communicated and enforced throughout the organization. The logical and
physical security for all IT platforms is closely monitored and security
incidents and weaknesses are identified and quickly corrected.
Relationships with third-party service providers are closely monitored. IT
operations are highly reliable, and risk exposure is successfully
identified and controlled.
2. A rating of ''2'' indicates satisfactory IT support and delivery
performance. The organization provides technology services that are
generally reliable and consistent, however, minor discrepancies in service
levels may occur. Service performance adheres to service agreements and
meets business requirements. A corporate contingency and business
resumption plan is in place, but minor enhancements may be necessary.
Annual plan testing and updating is performed and minor problems may occur
when recovering systems or applications. A written data security policy is
in place but may require improvement to ensure its adequacy. The policy is
generally enforced and communicated throughout the organization, e.g. via
a security awareness program. The logical and physical security for
critical IT platforms is satisfactory. Systems are monitored, and security
incidents and weaknesses are identified and resolved within reasonable
time frames. Relationships with third-party service providers are
monitored. Critical IT operations are reliable and risk exposure is
reasonably identified and controlled.
3. A rating of ''3'' indicates that the performance of IT support and
delivery is less than satisfactory and needs improvement. The organization
provides technology services that may not be reliable or consistent. As a
result, service levels periodically do not adhere to service level
agreements or meet business requirements. A corporate contingency and
business resumption plan is in place but may not be considered
comprehensive. The plan is periodically tested; however, the recovery of
critical systems and applications is frequently unsuccessful. A data
security policy exists; however, it may not be strictly enforced or
communicated throughout the organization. The logical and physical
security for critical IT platforms is less than satisfactory. Systems are
monitored; however, security incidents and weaknesses may not be resolved
in a timely manner. Relationships with third-party service providers may
not be adequately monitored. IT operations are not acceptable and
unwarranted risk exposures exist. If not corrected, weaknesses could cause
performance degradation or disruption to operations.
4. A rating of ''4'' indicates deficient IT support and delivery
performance. The organization provides technology services that are
unreliable and inconsistent. Service level agreements are poorly defined
and service performance usually fails to meet business requirements. A
corporate contingency and business resumption plan may exist, but its
content is critically deficient. If contingency testing is performed,
management is typically unable to recover critical systems and
applications. A data security policy may not exist. As a result, serious
supervisory concerns over security and the integrity of data exist. The
logical and physical security for critical IT platforms is deficient.
Systems may be monitored, but security incidents and weaknesses are not
successfully identified or resolved. Relationships with third-party
service providers are not monitored. IT operations are not reliable and
significant risk exposure exists. Degradation in performance is evident
and frequent disruption in operations has occurred.
5. A rating of ''5'' indicates critically deficient IT support and
delivery performance. The organization provides technology services that
are not reliable or consistent. Service level agreements do not exist and
service performance does not meet business requirements. A corporate
contingency and business resumption plan does not exist. Contingency
testing is not performed and management has not demonstrated the ability
to recover critical systems and applications. A data security policy does
not exist, and a serious threat to the organization's security and data
integrity exists. The logical and physical security for critical IT
platforms is inadequate, and management does not monitor systems for
security incidents and weaknesses. Relationships with third-party service
providers are not monitored, and the viability of a service provider may
be in jeopardy. IT operations are severely deficient, and the seriousness
of weaknesses could cause failure of the financial institution or service
provider if not addressed. Dated: January 13, 1999. Keith J. Todd,
Executive Secretary, Federal Financial Institutions Examination Council.
[FR Doc. 99-1175 Filed 1-19-99; 8:45 am] BILLING CODE 6210-01-P,
6720-01-P, 6714-01-P and 4810-33-P |