Introduction
The quality, reliability, and integrity of a financial
institution or service provider’s information technology (IT) affects
all aspects of its performance. An assessment of the technology risk-management
framework is necessary whether or not the institution or a third-party
service provider manages these operations. The Uniform Rating System
for Information Technology (URSIT) is an internal rating system used
by federal and state regulators to uniformly assess financial-institution
and service-provider risks introduced by IT. It also allows the regulators
to identify those insured institutions and service providers whose
information technology risk exposure or performance
requires special supervisory attention. The rating system includes
component- and composite-rating descriptions and the explicit identification
of risks and assessment factors that examiners consider in assigning
component ratings. Additionally, information technology can affect
the risks associated with financial institutions. The effect on credit,
operational, market, reputation, strategic, liquidity, interest-rate,
and compliance risks should be considered for each IT rating component.
The primary purpose of the rating system is to identify those entities
whose condition or performance of information technology functions
requires special supervisory attention. This rating system assists
examiners in making an assessment of risk and compiling examination
findings. However, the rating system does not drive the scope of an
examination. Examiners should use the rating system to help evaluate
the entity’s overall risk exposure and risk-management performance
and determine the degree of supervisory attention believed necessary
to ensure that weaknesses are addressed and that risk is properly
managed.
Overview
The URSIT is based on a risk evaluation of four critical
components: audit, management, development and acquisition, and support
and delivery (AMDS). These components are used to assess the overall
performance of IT within an organization. Examiners evaluate the functions
identified within each component to assess the institution’s ability
to identify, measure, monitor and control information technology risks.
Each organization examined for IT is assigned a summary or composite
rating based on the overall results of the evaluation. The IT composite
rating and each component rating are based on a scale of 1 through
5 in ascending order of supervisory concern, 1 representing the highest
rating and least degree of concern and 5 representing the lowest rating
and highest degree of concern.
The first step in developing an IT composite rating for
an organization is the assignment of a performance rating to the individual
AMDS components. The evaluation of each of these components, their
interrelationships, and relative importance is the basis for the composite
rating. The composite rating is derived by making a qualitative summarization
of all of the AMDS components. A direct relationship exists between
the composite rating and the individual AMDS component performance
ratings. However, the composite rating is not an arithmetic average
of the individual components. An arithmetic approach does not reflect
the actual condition of IT when using a risk-focused approach. A poor
rating in one component may heavily influence the overall composite
rating for an institution. For example, if the audit function is viewed
as inadequate, the overall integrity of the IT systems is not readily
verifiable. Thus, a composite rating of less than satisfactory (3-5)
would normally be appropriate. A principal purpose of the composite
rating is to identify those financial institutions and service providers
that pose an inordinate amount of information technology risk and
merit special supervisory attention. Thus, individual risk exposures
that more explicitly affect the viability of the organization and/or
its customers should be given more weight in the composite rating.
The FFIEC recognizes that management practices, particularly
as they relate to risk management, vary considerably among financial
institutions and service bureaus, depending on their size and sophistication,
the nature and complexity of their business activities, and their
risk profile. Accordingly, the FFIEC also recognizes that for less-complex
information systems environments, detailed or highly formalized systems
and controls are not required to receive the higher composite and
component ratings.
The following two sections contain the URSIT composite-rating
definitions, the assessment factors, and definitions for the four
component ratings. These assessment factors and definitions outline
various IT functions and controls that may be evaluated as part of
the examination.
Composite Ratings
Composite 1
Financial institutions and service providers
rated composite 1 exhibit strong performance in every respect and
generally have components rated 1 or 2. Weaknesses in IT are minor
in nature and are easily corrected during the normal course of business.
Risk-management processes provide a comprehensive program to identify
and monitor risk relative to the size, complexity, and risk profile
of the entity. Strategic plans are well defined and fully integrated
throughout the organization. This allows management to quickly adapt
to changing market, business, and technology needs of the entity.
Management identifies weaknesses promptly and takes appropriate corrective
action to resolve audit and regulatory concerns. The financial condition
of the service provider is strong and overall performance shows no
cause for supervisory concern.
Composite 2
Financial institutions
and service providers rated composite 2 exhibit safe and sound performance
but may demonstrate modest weaknesses in operating performance, monitoring,
management processes, or system development. Generally, senior management
corrects weaknesses in the normal course of business. Risk management
processes adequately identify and monitor risk relative to the size,
complexity, and risk profile of the entity. Strategic plans are defined
but may require clarification, better coordination, or improved communication
throughout the organization. As a result, management anticipates,
but responds less quickly to, changes in market, business, and technological
needs of the entity. Management normally identifies weaknesses and
takes appropriate corrective action. However, greater reliance is
placed on audit and regulatory intervention to identify and resolve
concerns. The financial condition of the service provider is acceptable,
and while internal control weaknesses may exist, there are no significant
supervisory concerns. As a result, supervisory action is informal
and limited.
Composite 3
Financial institutions and service providers
rated composite 3 exhibit some degree of supervisory concern due to
a combination of weaknesses that may range from moderate to severe.
If weaknesses persist, further deterioration in the condition and
performance of the institution or service provider is likely. Risk
management processes may not effectively identify risks and may not
be appropriate for the size, complexity, or risk profile of the entity.
Strategic plans are vaguely defined and may not provide adequate direction
for IT initiatives. As a result, management often has difficulty responding
to changes in business, market, and technological needs of the entity.
Self-assessment practices are weak and are generally reactive to audit
and regulatory exceptions. Repeat concerns may exist, indicating that
management may lack the ability or willingness to resolve concerns.
The financial condition of the service provider may be weak and/or
negative trends may be evident. While financial or operational failure
is unlikely, increased supervision is necessary. Formal or informal
supervisory action may be necessary to secure corrective action.
Composite 4
Financial institutions and service providers rated composite
4 operate in an unsafe and unsound environment that may impair the
future viability of the entity. Operating weaknesses are indicative
of serious managerial deficiencies. Risk-management processes inadequately
identify and monitor risk, and practices are not appropriate given
the size, complexity, and risk profile of the entity. Strategic plans
are poorly defined and not coordinated or communicated throughout
the organization. As a result, management and the board are not committed
to, or may be incapable of, ensuring that technological needs are met.
Management does not perform self-assessments and demonstrates an inability
or unwillingness to correct audit and regulatory concerns. The financial
condition of the service provider is severely impaired and/or deteriorating.
Failure of the financial institution or service provider may be likely
unless IT problems are remedied. Close supervisory attention is necessary
and, in most cases, formal enforcement action is warranted.
Composite 5
Financial institutions and service providers rated composite 5 exhibit
critically deficient operating performance and are in need of immediate
remedial action. Operational problems and serious weaknesses may exist
throughout the organization. Risk management processes are severely
deficient and provide management little or no perception of risk relative
to the size, complexity, and risk profile of the entity. Strategic
plans do not exist or are ineffective, and management and the board
provide little or no direction for IT initiatives. As a result, management
is unaware of, or inattentive to, technological needs of the entity.
Management is unwilling or incapable of correcting audit and regulatory
concerns. The financial condition of the service provider is poor
and failure is highly probable due to poor operating performance or
financial instability. Ongoing supervisory attention is necessary.
Component Ratings
Audit
Financial institutions and service providers are
expected to provide independent assessments of their exposure to risks
and the quality of internal controls associated with the acquisition,
implementation, and use of information technology.
Audit practices should address the IT risk exposures throughout
the institution and its service provider(s) in the areas of user and
data center operations, client/server architecture, local and wide
area networks, telecommunications, information security, electronic
data interchange, systems development, and contingency planning. This
rating should reflect the adequacy of the organization’s overall IT
audit program, including the internal and external auditor’s abilities
to detect and report significant risks to management and the board
of directors on a timely basis. It should also reflect the internal
and external auditor’s capability to promote a safe, sound, and effective
operation.
The performance of audit is rated based upon an assessment
of factors such as:
- the level of independence maintained by audit and
the quality of the oversight and support provided by the board of
directors and management
- the adequacy of audit’s risk-analysis methodology
used to prioritize the allocation of audit resources and to formulate
the audit schedule
- the scope, frequency, accuracy, and timeliness of
internal and external audit reports
- the extent of audit participation in application
development, acquisition, and testing, to ensure the effectiveness
of internal controls and audit trails
- the adequacy of the overall audit plan in providing
appropriate coverage of IT risks
- the auditor’s adherence to codes of ethics and professional
audit standards
- the qualifications of the auditor, staff succession,
and continued development through training
- the existence of timely and formal follow-up and
reporting on management’s resolution of identified problems or weaknesses
- the quality and effectiveness of internal and
external audit activity as it relates to IT controls
Ratings.
1. A rating of 1 indicates strong audit performance. Audit independently
identifies and reports weaknesses and risks to the board of directors
or its audit committee in a thorough and timely manner. Outstanding
audit issues are monitored until resolved. Risk analysis ensures that
audit plans address all significant IT operations, procurement, and
development activities with appropriate scope and frequency. Audit
work is performed in accordance with professional auditing standards
and report content is timely, constructive, accurate, and complete.
Because audit is strong, examiners may place substantial reliance
on audit results.
2. A rating of 2 indicates satisfactory audit performance. Audit independently
identifies and reports weaknesses and risks to the board of directors
or audit committee, but reports may be less timely. Significant outstanding
audit issues are monitored until resolved. Risk analysis ensures that
audit plans address all significant IT operations, procurement, and
development activities; however, minor concerns may be noted with
the scope or frequency. Audit work is performed in accordance with
professional auditing standards; however, minor or infrequent problems
may arise with the timeliness, completeness and accuracy of reports.
Because audit is satisfactory, examiners may rely on audit results,
but because minor concerns exist, examiners may need to expand verification
procedures in certain situations.
3. A rating of 3 indicates less-than-satisfactory audit performance. Audit
identifies and reports weaknesses and risks; however, independence
may be compromised and reports presented to the board or audit committee
may be less than satisfactory in content and timeliness. Outstanding
audit issues may not be adequately monitored. Risk analysis is less
than satisfactory. As a result, the audit plan may not provide sufficient
audit scope or frequency for IT operations, procurement, and development
activities. Audit work is generally performed in accordance with professional
auditing standards; however, occasional problems may be noted with
the timeliness, completeness and/or accuracy of reports. Because audit
is less than satisfactory, examiners must use caution if they rely
on the audit results.
4. A rating of 4 indicates deficient audit performance. Audit may identify
weaknesses and risks but it may not independently report to the board
or audit committee and report content may be inadequate. Outstanding
audit issues may not be adequately monitored and resolved. Risk analysis
is deficient. As a result, the audit plan does not provide adequate
audit scope or frequency for IT operations, procurement, and development
activities. Audit work is often inconsistent with professional auditing
standards and the timeliness, accuracy, and completeness of reports
is unacceptable. Because audit is deficient, examiners cannot rely
on audit results.
5. A rating of 5 indicates critically deficient audit performance.
If an audit function exists, it lacks sufficient independence and,
as a result, does not identify and report weaknesses or risks to the
board or audit committee. Outstanding audit issues are not tracked
and no follow-up is performed to monitor their resolution. Risk analysis
is critically deficient. As a result, the audit plan is ineffective
and provides inappropriate audit scope and frequency for IT operations,
procurement, and development activities. Audit work is not performed
in accordance with professional auditing standards and major deficiencies
are noted regarding the timeliness, accuracy, and completeness of
audit reports. Because audit is critically deficient, examiners cannot
rely on audit results.
Management
This rating reflects the abilities of the board
and management as they apply to all aspects of IT acquisition, development,
and operations. Management practices may need to address some or all
of the following IT-related risks: strategic planning, quality assurance,
project management, risk assessment, infrastructure and architecture,
end-user computing, contract administration of third-party service
providers, organization and human resources, and regulatory and legal
compliance. Generally, directors need not be actively involved in
day-to-day operations; however, they must provide clear guidance regarding
acceptable risk-exposure levels and ensure that appropriate policies,
procedures, and practices have been established. Sound management
practices are demonstrated through active oversight by the board of
directors and management, competent personnel, sound IT plans, adequate
policies and standards, an effective control environment, and risk
monitoring. This rating should reflect the board’s and management’s
ability as it applies to all aspects of IT operations.
The performance of management and
the quality of risk management are rated based upon an assessment
of factors such as:
- the level and quality of oversight and support of
the IT activities by the board of directors and management
- the ability of management to plan for and initiate
new activities or products in response to information needs and to
address risks that may arise from changing business conditions
- the ability of management to provide information
reports necessary for informed planning and decision making in an
effective and efficient manner
- the adequacy of, and conformance with, internal policies
and controls addressing the IT operations and risks of significant
business activities
- the effectiveness of risk monitoring systems
- the timeliness of corrective action for reported
and known problems
- the level of awareness of and compliance with laws
and regulations
- the level of planning for management succession
- the ability of management to monitor the services
delivered and to measure the organization’s progress toward identified
goals in an effective and efficient manner
- the adequacy of contracts and management’s ability
to monitor relationships with third-party servicers
- the adequacy of strategic-planning and risk-management
practices to identify, measure, monitor, and control risks, including
management’s ability to perform self-assessments
- the ability of management to identify, measure, monitor,
and control risks and to address emerging information technology needs
and solutions
In addition to the above, factors such as the following
are included in the assessment of management at service providers:
- the financial condition and ongoing viability of
the entity
- the impact of external and internal trends and other
factors on the ability of the entity to support continued servicing
of client financial institutions
- the propriety of contractual terms and plans
Ratings.
1. A rating of 1 indicates strong performance by management and the board.
Effective risk-management practices are in place to guide IT activities,
and risks are consistently and effectively identified, measured, controlled,
and monitored. Management immediately resolves audit and regulatory
concerns to ensure sound operations. Written technology plans, policies
and procedures, and standards are thorough and properly reflect the
complexity of the IT environment. They have been formally adopted,
communicated, and enforced throughout the organization. IT systems
provide accurate, timely reports to management. These reports serve
as the basis of major decisions and as an effective performance-monitoring
tool. Outsourcing arrangements are based on comprehensive planning;
routine management supervision sustains an appropriate level of control over
vendor contracts, performance, and services provided. Management and
the board have demonstrated the ability to promptly and successfully
address existing IT problems and potential risks.
2. A rating of 2 indicates satisfactory performance by management and
the board. Adequate risk-management practices are in place and guide
IT activities. Significant IT risks are identified, measured, monitored,
and controlled; however, risk-management processes may be less structured
or inconsistently applied and modest weaknesses exist. Management
routinely resolves audit and regulatory concerns to ensure effective
and sound operations; however, corrective actions may not always be
implemented in a timely manner. Technology plans, policies and procedures,
and standards are adequate and are formally adopted. However, minor
weaknesses may exist in management’s ability to communicate and enforce
them throughout the organization. IT systems provide quality reports
to management which serve as a basis for major decisions and a tool
for performance planning and monitoring. Isolated or temporary problems
with timeliness, accuracy or consistency of reports may exist. Outsourcing
arrangements are adequately planned and controlled by management,
and provide for a general understanding of vendor contracts, performance
standards, and services provided. Management and the board have demonstrated
the ability to address existing IT problems and risks successfully.
3. A rating of 3 indicates less-than-satisfactory performance by management
and the board. Risk management practices may be weak and offer limited
guidance for IT activities. Most IT risks are generally identified;
however, processes to measure and monitor risk may be flawed. As a
result, management’s ability to control risk is less than satisfactory.
Regulatory and audit concerns may be addressed, but time frames are
often excessive and the corrective action taken may be inappropriate.
Management may be unwilling or incapable of addressing deficiencies.
Technology plans, policies and procedures, and standards exist, but
may be incomplete. They may not be formally adopted, effectively communicated,
or enforced throughout the organization. IT systems provide requested
reports to management, but periodic problems with accuracy, consistency,
and timeliness lessen the reliability and usefulness of reports and
may adversely affect decision making and performance monitoring. Outsourcing
arrangements may be entered into without thorough planning. Management
may provide only cursory supervision that limits their understanding
of vendor contracts, performance standards, and services provided.
Management and the board may not be capable of addressing existing
IT problems and risks, evidenced by untimely corrective actions for
outstanding IT problems.
4. A rating of 4 indicates deficient performance by management and the
board. Risk-management practices are inadequate and do not provide
sufficient guidance for IT activities. Critical IT risks are not properly
identified, and processes to measure and monitor risks are deficient.
As a result, management may not be aware of and is unable to control
risks. Management may be unwilling and/or incapable of addressing
audit and regulatory deficiencies in an effective and timely manner.
Technology plans, policies and procedures, and standards are inadequate,
have not been formally adopted or effectively communicated throughout
the organization, and management does not effectively enforce them.
IT systems do not routinely provide management with accurate, consistent,
and reliable reports, thus contributing to ineffective performance
monitoring and/or flawed decision making. Outsourcing arrangements
may be entered into without planning or analysis, and management may
provide little or no supervision of vendor contracts, performance
standards, or services provided. Management and the board are unable
to address existing IT problems and risks, as evidenced by ineffective
actions and longstanding IT weaknesses. Strengthening of management
and its processes is necessary. The financial condition of
the service provider may threaten its viability.
5. A rating of 5 indicates critically deficient performance by management
and the board. Risk-management practices are severely flawed and provide
inadequate guidance for IT activities. Critical IT risks are not identified,
and processes to measure and monitor risks do not exist or are not
effective. Management’s inability to control risk may threaten the
continued viability of the institution or service provider. Management
is unable and/or unwilling to correct audit- and regulatory-identified
deficiencies, and immediate action by the board is required to preserve
the viability of the institution or service provider. If they exist,
technology plans, policies and procedures, and standards are critically
deficient. Because of systemic problems, IT systems do not produce
management reports which are accurate, timely, or relevant. Outsourcing
arrangements may have been entered into without management planning
or analysis, resulting in significant losses to the financial institution
or ineffective vendor services. The financial condition of the service
provider presents an imminent threat to its viability.
Development and Acquisition
This rating reflects an organization’s
ability to identify, acquire, install, and maintain appropriate information
technology solutions. Management practices may need to address all
or parts of the business process for implementing any kind of change
to the hardware or software used. These business processes include
an institution’s or service provider’s purchase of hardware or software,
development and programming performed by the institution or service
provider, purchase of services from independent vendors or affiliated
data centers, or a combination of these activities. The business process
is defined as all phases taken to implement a change, including researching
alternatives available, choosing an appropriate option for the organization
as a whole, and converting to the new system or integrating the new
system with existing systems. This rating reflects the adequacy of
the institution’s systems-development methodology and related risk-management
practices for acquisition and deployment of information technology.
This rating also reflects the board’s and management’s ability to
enhance and replace information technology prudently in a controlled
environment.
The performance of systems development and acquisition
and related risk-management practice is rated based upon an assessment
of factors such as:
- the level and quality of oversight and support of
systems development and acquisition activities by senior management
and the board of directors
- the adequacy of the organizational and management
structures to establish accountability and responsibility for IT systems
and technology initiatives
- the volume, nature, and extent of risk exposure to
the financial institution in the area of systems development and acquisition
- the adequacy of the institution’s Systems Development
Life Cycle (SDLC) and programming standards
- the quality of project-management programs and practices
which are followed by developers, operators, executive management/owners,
independent vendors or affiliated servicers, and end-users
- the independence of the quality-assurance function
and the adequacy of controls over program changes
- the quality and thoroughness of system documentation
- the integrity and security of the network, system,
and application software
- the development of information technology solutions
that meet the needs of end users
- the extent of end-user involvement in the system
development process
In addition to the above, factors such as the following
are included in the assessment of development and acquisition at service
providers:
- the quality of software releases and documentation
- the adequacy of training provided to clients
Ratings.
1. A rating of 1 indicates strong systems development, acquisition, implementation,
and change management performance. Management and the board routinely
demonstrate successfully the ability to identify and implement appropriate
IT solutions while effectively managing risk. Project management techniques
and the SDLC are fully effective and supported by written policies,
procedures, and project controls that consistently result in timely
and efficient project completion. An independent quality-assurance
function provides strong controls over testing and program-change
management. Technology solutions consistently meet end-user needs.
No significant weaknesses or problems exist.
2. A rating of 2 indicates satisfactory systems-development, acquisition,
implementation, and change-management performance. Management and
the board frequently demonstrate the ability to identify and implement
appropriate IT solutions while managing risk. Project management and
the SDLC are generally effective; however, weaknesses may exist that
result in minor project delays or cost overruns. An independent quality-assurance
function provides adequate supervision of testing and program-change
management, but minor weaknesses may exist. Technology solutions meet
end-user needs. However, minor enhancements may be necessary to meet
original user expectations. Weaknesses may exist; however, they are
not significant and they are easily corrected in the normal course
of business.
3. A rating of 3 indicates less-than-satisfactory systems development,
acquisition, implementation, and change-management performance. Management
and the board may often be unsuccessful in identifying and implementing
appropriate IT solutions; therefore, unwarranted risk exposure may
exist. Project management techniques and the SDLC are weak and may
result in frequent project delays, backlogs, or significant cost overruns.
The quality-assurance function may not be independent of the programming
function which may adversely impact the integrity of testing and program-change
management. Technology solutions generally meet end-user needs but
often require an inordinate level of change after implementation.
Because of weaknesses, significant problems may arise that could result
in disruption to operations or significant losses.
4. A rating of 4 indicates deficient systems development, acquisition,
implementation, and change-management performance. Management and
the board may be unable to identify and implement appropriate IT solutions
and do not effectively manage risk. Project management techniques and
the SDLC are ineffective and may result in severe project delays and
cost overruns. The quality-assurance function is not fully effective
and may not provide independent or comprehensive review of testing
controls or program-change management. Technology solutions may not
meet the critical needs of the organization. Problems and significant
risks exist that require immediate action by the board and management
to preserve the soundness of the institution.
5. A rating of 5 indicates critically deficient systems development, acquisition,
implementation, and change-management performance. Management and
the board appear to be incapable of identifying and implementing appropriate
information technology solutions. If they exist, project management
techniques and the SDLC are critically deficient and provide little
or no direction for development of systems or technology projects.
The quality-assurance function is severely deficient or not present
and unidentified problems in testing and program-change management
have caused significant IT risks. Technology solutions do not meet
the needs of the organization. Serious problems and significant risks
exist, which raise concern for the financial institution’s or service
provider’s ongoing viability.
Support and Delivery
This rating reflects an organization’s
ability to provide technology services in a secure environment. It
reflects not only the condition of IT operations but also factors
such as reliability, security, and integrity, which may affect the
quality of the information-delivery system. The factors include customer
support and training and the ability to manage problems and incidents,
operations, system performance, capacity planning, and facility and
data management. Risk-management practices should promote effective,
safe, and sound IT operations that ensure the continuity of operations
and the reliability and availability of data. The scope of this component
rating includes operational risks throughout the organization and
service providers.
The rating of IT support and delivery is based on a review
and assessment of requirements such as:
- the ability to provide a level of service that meets
the requirements of the business
- the adequacy of security policies, procedures, and
practices in all units and at all levels of the financial institution
and service providers
- the adequacy of data controls over preparation, input,
processing, and output
- the adequacy of corporate contingency planning and
business resumption for data centers, networks, service providers,
and business units
- the quality of processes or programs that monitor
capacity and performance
- the adequacy of controls and the ability to monitor
controls at service providers
- the quality of assistance provided to users, including
the ability to handle problems
- the adequacy of operating policies, procedures, and
manuals
- the quality of physical and logical security, including
the privacy of data
- the adequacy of firewall architectures and the security
of connections with public networks
In addition to the above, factors such as the following
are included in the assessment of support and delivery at service
providers:
- the adequacy of customer service provided to clients
- the ability of the entity to provide and maintain
service-level performance that meets the requirements of the client
Ratings.
1.
A rating of 1 indicates strong IT support and delivery performance.
The organization provides technology services that are reliable and
consistent. Service levels adhere to well-defined service-level agreements
and routinely meet or exceed business requirements. A comprehensive
corporate contingency and business-resumption plan is in place. Annual
contingency-plan testing and updating is performed, and critical systems
and applications are recovered within acceptable time frames. A formal
written data-security policy and awareness program is communicated
and enforced throughout the organization. The logical and physical
security for all IT platforms is closely monitored and security incidents
and weaknesses are identified and quickly corrected. Relationships
with third-party service providers are closely monitored. IT operations
are highly reliable, and risk exposure is successfully identified
and controlled.
2.
A rating of 2 indicates satisfactory IT support and delivery performance.
The organization provides technology services that are generally reliable
and consistent; however, minor discrepancies in service levels may
occur. Service performance adheres to service agreements and meets
business requirements. A corporate contingency and business-resumption
plan is in place, but minor enhancements may be necessary. Annual
plan testing and updating is performed and minor problems may occur
when recovering systems or applications. A written data-security policy
is in place but may require improvement to ensure its adequacy. The
policy is generally enforced and communicated throughout the organization,
e.g., via a security-awareness program. The logical and physical security
for critical IT platforms is satisfactory. Systems are
monitored, and security incidents and weaknesses are identified and
resolved within reasonable time frames. Relationships with third-party
service providers are monitored. Critical IT operations are reliable
and risk exposure is reasonably identified and controlled.
3.
A rating of 3 indicates that the performance of IT support and delivery
is less than satisfactory and needs improvement. The organization
provides technology services that may not be reliable or consistent.
As a result, service levels periodically do not adhere to service-level
agreements or meet business requirements. A corporate contingency
and business-resumption plan is in place but may not be considered
comprehensive. The plan is periodically tested; however, the recovery
of critical systems and applications is frequently unsuccessful. A
data-security policy exists; however, it may not be strictly enforced
or communicated throughout the organization. The logical and physical
security for critical IT platforms is less than satisfactory. Systems
are monitored; however, security incidents and weaknesses may not
be resolved in a timely manner. Relationships with third-party service
providers may not be adequately monitored. IT operations are not acceptable
and unwarranted risk exposures exist. If not corrected, weaknesses
could cause performance degradation or disruption to operations.
4.
A rating of 4 indicates deficient IT support and delivery performance.
The organization provides technology services that are unreliable
and inconsistent. Service-level agreements are poorly defined and
service performance usually fails to meet business requirements. A
corporate contingency and business-resumption plan may exist, but
its content is critically deficient. If contingency testing is performed,
management is typically unable to recover critical systems and applications.
A data-security policy may not exist. As a result, serious supervisory
concerns over security and the integrity of data exist. The logical
and physical security for critical IT platforms is deficient. Systems
may be monitored, but security incidents and weaknesses are not successfully
identified or resolved. Relationships with third-party service providers
are not monitored. IT operations are not reliable and significant
risk exposure exists. Degradation in performance is evident and frequent
disruption in operations has occurred.
5.
A rating of 5 indicates critically deficient IT support and delivery
performance. The organization provides technology services that are
not reliable or consistent. Service-level agreements do not exist
and service performance does not meet business requirements. A corporate
contingency and business-resumption plan does not exist. Contingency
testing is not performed and management has not demonstrated the ability
to recover critical systems and applications. A data-security policy
does not exist, and a serious threat to the organization’s security
and data integrity exists. The logical and physical security for critical
IT platforms is inadequate, and management does not monitor systems
for security incidents and weaknesses. Relationships with third-party
service providers are not monitored, and the viability of a service
provider may be in jeopardy. IT operations are severely deficient,
and the seriousness of weaknesses could cause failure of the financial
institution or service provider if not addressed.
Issued by the Federal Financial Institutions Examination
Council, Jan. 13, 1999; effective April 1, 1999 (SR-99-8).