98-15231. Uniform Rating System for Information Technology  

  • [Federal Register Volume 63, Number 110 (Tuesday, June 9, 1998)]
    [Notices]
    [Pages 31468-31475]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-15231]
    
    
    
    [[Page 31468]]
    
    =======================================================================
    -----------------------------------------------------------------------
    
    FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
    
    
    Uniform Rating System for Information Technology
    
    AGENCY: Federal Financial Institutions Examination Council.
    
    ACTION: Notice and request for comment.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The Board of Governors of the Federal Reserve System (FRB), 
    the Federal Deposit Insurance Corporation (FDIC), the Office of the 
    Comptroller of the Currency (OCC), and the Office of Thrift Supervision 
    (OTS) (collectively referred to as the federal supervisory agencies), 
    under the auspices of the Federal Financial Institutions Examination 
    Council (FFIEC) request comment on proposed changes to the Uniform 
    Interagency Rating System for Data Processing Operations, commonly 
    referred to as the Information Systems rating system. The proposed 
    revisions change the name of the rating system to the Uniform Rating 
    System for Information Technology (URSIT) and reflect changes that have 
    occurred in the data processing services industry and in supervisory 
    policies and procedures since the rating system was first adopted in 
    1978. The proposed changes revise the numerical ratings to conform to 
    the language and tone of the Uniform Financial Institution Rating 
    System (UFIRS) rating definitions, commonly referred to as the CAMELS 
    rating system; reformat and clarify the component rating descriptions; 
    emphasize the quality of risk management processes in each of the 
    rating components; add two new component categories, Development and 
    Acquisition, and Support and Delivery as replacements for Systems 
    Development and Programming, and Operations; and explicitly identify 
    the risk types that are considered in assigning component ratings. 
    After reviewing public comments, the FFIEC intends to make appropriate 
    additional changes to the revised URSIT, if necessary, and adopt a 
    final information technology rating system.
        The term financial institution refers to those FDIC insured 
    depository institutions whose primary Federal supervisory agency is 
    represented on the FFIEC, Bank Holding Companies, Branches and Agencies 
    of Foreign Banking Organizations, and Thrifts. The term ``service 
    provider'' refers to organizations that provide data processing 
    services to financial institutions. Uninsured trust companies that are 
    chartered by the OCC, members of the Federal Reserve System, or 
    subsidiaries of registered bank holding companies or insured depository 
    institutions are also covered by this action.
    
    DATES: Comments must be received by August 10, 1998.
    
    ADDRESSES: Comments should be sent to Keith Todd, Acting Executive 
    Secretary, Federal Financial Institutions Examination Council, 2100 
    Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number: 
    (202) 634-6556). Comments will be available for public inspection 
    during regular business hours at the above address. Appointments to 
    inspect comments are encouraged and can be arranged by calling the 
    FFIEC at (202) 634-6526.
    
    FOR FURTHER INFORMATION CONTACT:
    
    FRB: Charles Blaine Jones, Supervisory EDP Analyst, Specialized 
    Activities, (202) 452-3759, Division of Banking Supervision and 
    Regulation, Board of Governors of the Federal Reserve System, Mail Stop 
    182, 20th and C Streets, NW, Washington, DC 20551
    FDIC: Stephen A. White, Review Examiner (Information Systems), (202) 
    898-6923, Division of Supervision, Federal Deposit Insurance 
    Corporation, Room F-6010, 550 17th Street, NW, Washington, DC 20429
    OCC: Norine Richards, National Bank Examiner, (202) 874-4924, Bank 
    Technology Unit, Office of the Comptroller of the Currency, Mail Stop 
    7-9, 250 E Street, SW, Washington, D.C. 20219
    OTS: Jennifer Dickerson, Program Manager, Information System 
    Examinations, Compliance Policy, (202) 906-5631, Office of Thrift 
    Supervision, 1700 G Street, NW, Washington, D.C. 20552
    
    SUPPLEMENTARY INFORMATION:
    
    Background Information
    
        The Uniform Interagency Rating System for Data Processing 
    Operations is an internal rating system used by federal and state 
    regulators to assess uniformly financial institution and service 
    provider risks introduced by information technology and for identifying 
    those institutions and service providers requiring special supervisory 
    attention. The current rating system was adopted in 1978 by the OCC, 
    OTS, FDIC and FRB, and is commonly referred to as the IS rating system. 
    Each financial institution or service provider is assigned a composite 
    rating based on an evaluation and rating of four essential components 
    of an institution's information technology. These components address 
    the following: the adequacy of the information technology audit 
    function; the capability of information technology management; the 
    adequacy of systems development and programming, and the quality, 
    reliability, availability and integrity of information technology 
    operations. Both the composite and component ratings are assigned on a 
    ``1'' to ``5'' numerical scale. A ``1'' indicates the strongest 
    performance and management practices, and the least degree of 
    supervisory concern, while a ``5'' indicates the weakest performance 
    and management practices and, therefore, the highest degree of 
    supervisory concern.
        The composite rating reflects the overall condition of an 
    institution's or service provider's information technology function. 
    The composite ratings are used by the federal and state supervisory 
    agencies to monitor aggregate trends in the overall administration of 
    information technology.
        The IS rating system has proven to be an effective means for the 
    federal and state supervisory agencies to determine the condition of an 
    institution's or service provider's information technology function. A 
    number of changes, however, have occurred in information technology and 
    in supervisory policies and procedures since the rating system was 
    first adopted. The FFIEC's Task Force on Supervision has reviewed the 
    existing rating system in light of these industry trends. The Task 
    Force has concluded that the current rating system framework should be 
    modified to provide a more effective vehicle for summarizing 
    conclusions about the condition of an institution's or service 
    provider's information technology function. As a result, the FFIEC 
    proposes to retain the basic rating framework, and the revised rating 
    system will continue to assign a composite rating based on an 
    evaluation and rating of essential components of an institution's or 
    service provider's information technology function. However, the FFIEC 
    proposes certain enhancements to the rating system.
    
    Discussion of Proposed Changes to the Rating System
    
    1. Structure and Format
    
        The FFIEC proposes to enhance and clarify the component rating 
    descriptions by reformatting each component into three distinct 
    sections. These sections are: (a) An introductory paragraph discussing 
    in general terms the areas to be considered when rating each component; 
    (b) a bullet-style listing of the specific evaluation factors
    
    [[Page 31469]]
    
    to be considered when assigning the component rating; and, (c) a brief 
    qualitative description of the five rating grades that can be assigned 
    to a particular component.
    
    2. Alignment of Composite and Component Ratings
    
        The FFIEC proposes changes to revise the definitions of the 
    composite and component ratings to align the URSIT rating definitions 
    more closely with the language and tone of the UFIRS rating 
    definitions. For example, under the current rating system a composite 
    ``3'' rated information technology function has performance that is 
    flawed to some degree and is considered to be of below average quality, 
    while under the UFIRS a composite ``3'' rated bank or service provider 
    exhibits some degree of supervisory concern due to a combination of 
    weaknesses that may range from moderate to severe. The proposed 
    revision brings the URSIT in line with the language and tone of the 
    UFIRS.
    
    3. Component Reorganization
    
        The current rating system has four components: (1) Audit; (2) 
    Management; (3) Systems Development and Programming; and (4) 
    Operations. The FFIEC is proposing to replace the current ``Systems 
    Development and Programming'' and ``Operations'' components with two 
    new component categories, ``Development and Acquisition'', and 
    ``Support and Delivery''. The new components will address all areas 
    assessed in the current Systems Development and Programming and 
    Operations components. In addition, the new components will provide a 
    more effective framework for the risks encountered in distributed 
    processing environments and emerging technology.
    
    4. Composite Rating Definitions
    
        The FFIEC is proposing changes in the composite rating definitions 
    to parallel the changes in the component rating descriptions. Under the 
    FFIEC's proposal, the revised composite rating definitions would 
    contain an explicit reference to the quality of overall risk management 
    practices. The basic context of the existing composite rating 
    definitions is being retained. The composite rating would continue to 
    be based on a careful evaluation of an institution's or service 
    provider's ability to monitor, manage, develop, acquire, support and 
    deliver information technology services.
    
    5. Risk Management
    
        The FFIEC is proposing that the revised rating system emphasize 
    risk management processes. Changes in information technology have 
    broadened the range of products and services offered. These trends 
    reinforce the importance of institutions having sound risk management 
    processes. Accordingly, the revised rating system would contain 
    language in each of the components emphasizing the consideration of 
    processes to identify, measure, monitor, and control risks.
    
    Request for Comments
    
        The FFIEC requests comment on the proposed revisions to the URSIT 
    (``the proposal''). In particular, the FFIEC invites comments on the 
    following questions:
        1. Does the proposal capture the essential risk areas of 
    information technology?
        2. Does the proposal adequately address distributed processing 
    environments, as well as centralized processing environments?
        3. Does the proposal adequately address risks to financial 
    institutions that process their data in-house as well as to data 
    processing service providers?
        4. Are the definitions for the individual components and the 
    composite numerical ratings in the proposal consistent with the 
    language and tone of the UFIRS definitions?
        5. Are there any components which should be added to or deleted 
    from the proposal?
        6. Given the trend toward the integration of safety and soundness 
    and information technology examination functions by the federal 
    supervisory agencies, does a separate rating system for information 
    technology continue to be useful?
    
    Text of the Revised Uniform Rating System for Information 
    Technology
    
    Uniform Rating System for Information Technology
    
    Introduction
    
        The quality, reliability, and integrity of a financial 
    institution's or service provider's information technology (IT) affect 
    all aspects of its performance. An assessment of the technology risk 
    management framework is necessary whether or not the institution itself 
    or a third-party service provider manages these operations. The Uniform 
    Rating System for Information Technology (URSIT) is an internal rating 
    system used by federal and state regulators to uniformly assess 
    financial institution and service provider risks introduced by IT. It 
    also allows the regulators to identify those insured institutions and 
    service providers whose information technology risk exposure requires 
    special supervisory attention. The rating system includes component and 
    composite rating descriptions and the explicit identification of risks 
    and assessment factors that might be considered in assigning component 
    ratings. Additionally, information technology can affect the risks 
    associated with financial institutions. For each IT rating component 
    the effect on credit, operational, market, reputation, strategic, and 
    compliance risks should be considered.
        The purpose of the rating system is to identify those entities 
    whose risk exposure requires special supervisory attention. This rating 
    system assists examiners in making an assessment of risk and compiling 
    examination findings. However, the rating system does not drive the 
    scope of an examination. Examiners should use the rating system to help 
    evaluate the entity's overall risk exposure, and determine the degree 
    of supervisory attention believed necessary to ensure that weaknesses 
    are addressed and that risk is properly managed.
    
    Overview
    
        The URSIT is based on a risk evaluation of four critical 
    components: Audit, Management, Development and Acquisition, and Support 
    and Delivery (AMDS). These components, when combined, are used to 
    assess the overall performance of IT within an organization. Examiners 
    evaluate the functions identified within each component to assess the 
    institution's ability to identify, measure, monitor and control 
    information technology risks. Each organization examined for IT is 
    assigned a summary or composite rating based on the overall results of 
    the evaluation. The IT composite rating and each component rating are 
    based on a scale of ``1'' through ``5'' in ascending order of 
    supervisory concern; ``1'' representing the highest rating and least 
    degree of concern, and ``5'' representing the lowest rating and highest 
    degree of concern.
        The first step in developing an IT composite rating for an 
    organization is the assignment of a performance rating to the 
    individual AMDS components. The evaluation of each of these components, 
    their interrelationships, and relative importance is the basis for the 
    composite rating. The composite rating is derived by making a 
    qualitative summarization of all of the AMDS components. A direct 
    relationship exists between the composite rating and the individual 
    AMDS component
    
    [[Page 31470]]
    
    performance ratings. However, the composite rating is not an arithmetic 
    average of the individual components. An arithmetic approach does not 
    reflect the actual condition of IT when using a risk-focused approach. 
    A poor rating in one component may heavily influence the overall 
    composite rating for an institution. For example, if the audit function 
    is viewed as inadequate, the overall integrity of the IT systems is not 
    readily verifiable. Thus, a composite rating of less than satisfactory 
    (``3''-``5'') would normally be appropriate.
        A principal purpose of the composite rating is to identify those 
    financial institutions and service providers that pose an inordinate 
    amount of information technology risk and merit special supervisory 
    attention. Thus, individual risk exposures that more explicitly affect 
    the viability of the organization and/or its customers should be given 
    more weight in the composite rating.
        The following two sections contain the URSIT composite rating 
    definitions, the assessment factors, and definitions for the four 
    component ratings. These assessment factors and definitions outline 
    various IT functions and controls that may be evaluated as part of the 
    examination.
    
    Composite Ratings \1\
    ---------------------------------------------------------------------------
    
        \1\ The descriptive examples in the numeric composite rating 
    definitions are intended to provide guidance to examiners as they 
    evaluate the overall condition of Information Technology. Examiners 
    must use professional judgement when making this assessment and 
    assigning the numeric rating.
    ---------------------------------------------------------------------------
    
    Composite 1
    
        Financial institutions and service providers rated composite ``1'' 
    exhibit strong performance in every respect. Weaknesses in IT are minor 
    in nature and are easily corrected during the normal course of 
    business. Risk management processes provide a comprehensive program to 
    identify and monitor risk relative to the size, complexity and risk 
    profile of the entity. Strategic plans are well defined and fully 
    integrated throughout the organization. This allows management to 
    quickly adapt to changing market, business and technology needs of the 
    entity. Management identifies weaknesses promptly and takes appropriate 
    corrective action to resolve internal audit and regulatory concerns. 
    The financial condition of the service provider is strong and overall 
    performance shows no cause for supervisory concern.
    
    Composite 2
    
        Financial institutions and service providers with composite rating 
    of ``2'' exhibit safe and sound performance but may demonstrate modest 
    weaknesses in operating performance, monitoring, management processes 
    or system development. Generally, senior management corrects weaknesses 
    in the normal course of business. Risk management processes adequately 
    identify and monitor risk relative to the size, complexity and risk 
    profile of the entity. Strategic plans are defined but may require 
    clarification, better coordination or improved communication throughout 
    the organization. As a result, management anticipates, but responds 
    less quickly, to changes in market, business, and technological needs 
    of the entity. Management normally identifies weaknesses and takes 
    appropriate corrective action. However, greater reliance is placed on 
    audit and regulatory intervention to identify and resolve concerns. The 
    financial condition of the service provider is acceptable and while 
    internal control weaknesses may exist, there are no significant 
    supervisory concerns. As a result, supervisory action is limited.
    
    Composite 3
    
        Financial institutions and service providers rated composite ``3'' 
    exhibit some degree of supervisory concern due to a combination of 
    weaknesses that may range from moderate to severe. If weaknesses 
    persist further deterioration in the condition and performance of the 
    institution or service provider is likely. Risk management processes 
    may not effectively identify risks, and may not be appropriate for the 
    size, complexity, or risk profile of the entity. Strategic plans are 
    vaguely defined and may not provide adequate direction for IT 
    initiatives. As a result, management often has difficulty responding to 
    changes in business, market, and technological needs of the entity. 
    Self-assessment practices are weak and are generally reactive to audit 
    and regulatory exceptions. Repeat concerns may exist indicating that 
    management may lack the ability or willingness to resolve concerns. The 
    financial condition of the service provider may be weak and/or negative 
    trends may be evident. While financial or operational failure is 
    unlikely, increased supervision is necessary. Formal or informal 
    supervisory action may be necessary to secure corrective action.
    
    Composite 4
    
        Financial institutions and service providers rated ``4'' operate in 
    an unsafe and unsound environment that may impair the future viability 
    of the entity.
        Operating weaknesses are indicative of serious managerial 
    deficiencies. Risk management processes inadequately identify and 
    monitor risk, and practices are not appropriate given the size, 
    complexity, and risk profile of the entity. Strategic plans are poorly 
    defined and not coordinated or communicated throughout the 
    organization. As a result, management and the board are not committed 
    to, or may be incapable of insuring that technological needs are met. 
    Management does not perform self-assessments and demonstrates an 
    inability or willingness to correct audit and regulatory concerns. The 
    financial condition of the service provider is severely impaired and/or 
    deteriorating. Failure of the financial institution or service provider 
    may be likely unless IT problems are remedied. Close supervisory 
    attention is necessary and, in most cases, formal enforcement action is 
    warranted.
    
    Composite 5
    
        Financial institutions and service providers with a composite 
    rating ``5'' exhibit critically deficient operating performance and are 
    in need of immediate remedial action. Operational problems and serious 
    weaknesses may be apparent throughout the organization. Risk management 
    processes are severely deficient and provide management little or no 
    perception of risk relative to the size, complexity, and risk profile 
    of the entity. Strategic plans do not exist or are ineffective, and 
    management and the board provide little or no direction for IT 
    initiatives. As a result, management is unaware of, or inattentive to 
    technological needs of the entity. Management is incapable of 
    identifying and correcting audit and regulatory concerns. The financial 
    condition of the service provider is poor and failure is highly 
    probable due to poor operating performance or financial instability. 
    Formal enforcement action and ongoing supervision is required.
    
    Component Ratings \2\
    
    Audit
    
        Financial institutions and service providers are expected to 
    provide independent assessments of their exposure to risks and the 
    quality of
    
    [[Page 31471]]
    
    internal controls associated with the implementation and use of 
    information technology.\3\ Audit practices should address the IT risk 
    exposures throughout the institution and its service provider(s) in the 
    areas of user and data center operations, client/server architecture, 
    local and wide area networks, telecommunications, information security, 
    electronic data interchange, systems development, and contingency 
    planning. This rating should reflect the adequacy of the organizations 
    overall IT audit program, including the internal and external auditor's 
    abilities to detect and report significant risks to management and the 
    board of directors on a timely basis. It should also reflect the 
    internal and external auditor's capability to promote a safe, sound, 
    and effective operation.
    ---------------------------------------------------------------------------
    
        \2\ The descriptive examples in the numeric component rating 
    definitions are intended to provide guidance to examiners as they 
    evaluate the individual components. Examiners must use professional 
    judgement when assessing a component area and assigning a numeric 
    rating value as it is likely that examiners will encounter 
    conditions that correspond to descriptive examples in two or more 
    numeric rating value definitions.
        \3\ Financial institutions that outsource their data processing 
    operations should obtain copies of internal audit reports, SAS 70 
    reviews, and/or regulatory examination reports of their service 
    providers.
    ---------------------------------------------------------------------------
    
        The performance of audit is rated based upon an assessment of:
         The level of independence maintained by audit and the 
    quality of the oversight and support provided by the board of directors 
    and management.
         The adequacy of audit's risk analysis methodology used to 
    prioritize the allocation of audit resources and formulate the audit 
    schedule.
         The scope, frequency, accuracy, and timeliness of internal 
    and external audit reports.
         The extent of audit participation in application 
    development, acquisition, and testing, to ensure the effectiveness of 
    internal controls and audit trails.
         The adequacy of the overall audit plan in providing 
    appropriate coverage of IT risks.
         The auditors adherence to codes of ethics and professional 
    audit standards.
         The qualifications of the auditor, staff succession, and 
    continued development through training and continuing education.
         The existence of timely and formal follow-up and reporting 
    on management's resolution of identified problems or weaknesses.
         The quality and effectiveness of internal and external 
    audit activity as it relates to IT controls.
    
    Ratings
    
        1. A rating of ``1'' indicates strong audit performance. Audit 
    independently identifies and reports weaknesses and risks to the board 
    of directors or its audit committee in a thorough and timely manner. 
    Outstanding audit issues are monitored until resolved. Audit risk 
    analysis ensures that audit plans address all significant IT 
    operations, procurement, and development activities with appropriate 
    scope and frequency. Audit work is performed in accordance with 
    professional auditing standards and report content is timely, 
    consistent, accurate, and complete. Because audit is strong, examiners 
    may place substantial reliance on audit results.
        2. A rating of ``2'' indicates satisfactory audit performance. 
    Audit independently identifies and reports weaknesses and risks to the 
    board of directors or audit committee, but reports may be less timely. 
    Significant outstanding audit issues are monitored until resolved. 
    Audit risk analysis ensures that audit plans address all significant IT 
    operations, procurement, and development activities; however, minor 
    concerns may be noted with the scope or frequency. Audit work is 
    performed in accordance with professional auditing standards; however, 
    minor or infrequent problems may arise with the timeliness, 
    completeness and accuracy of reports. Because audit is satisfactory, 
    examiners may rely on audit results but because minor concerns exist, 
    examiners may need to expand verification procedures in certain 
    situations.
        3. A rating of ``3'' indicates less than satisfactory audit 
    performance. Audit identifies and reports weaknesses; however, 
    independence may be compromised and reports presented to the board or 
    audit committee may be less than satisfactory in content and 
    timeliness. Outstanding audit issues may not be adequately monitored. 
    Audit risk analysis is less than satisfactory. As a result, the audit 
    plan may not provide sufficient audit scope or frequency for IT 
    operations, procurement, and development activities. Audit work is 
    generally performed in accordance with professional auditing standards; 
    however, occasional problems may be noted with the timeliness, 
    completeness and/or accuracy of reports. Because audit is less than 
    satisfactory, examiners must use caution if they rely on the audit 
    results.
        4. A rating of ``4'' indicates deficient audit performance. Audit 
    may identify weaknesses and risks but it may not independently report 
    to the board or audit committee and report content may be inadequate. 
    Outstanding audit issues may not be adequately monitored and resolved. 
    Audit risk analysis is deficient and, as a result, the audit plan does 
    not provide adequate audit scope or frequency for IT operations, 
    procurement, and development activities. Audit work is often 
    inconsistent with professional auditing standards and the timeliness, 
    accuracy, and completeness of reports is unacceptable. Because audit is 
    deficient, examiners will not rely on audit results.
        5. A rating of ``5'' indicates critically deficient audit 
    performance. If an audit function exists, it lacks sufficient 
    independence and, as a result, does not identify and report weaknesses 
    or risks to the board or audit committee. Outstanding audit issues are 
    not collected and no follow up is performed to monitor their 
    resolution. The audit risk analysis is critically deficient. As a 
    result, the audit plan is ineffective and provides inappropriate audit 
    scope and frequency for IT operations, procurement and development 
    activities. Audit work is not performed in accordance with professional 
    auditing standards and major deficiencies are noted regarding the 
    timeliness, accuracy, and completeness of audit reports. Because audit 
    is critically deficient examiners cannot rely on audit results.
    
    Management
    
        This rating reflects the abilities of the board and management as 
    they apply to all aspects of IT development and operations. Management 
    practices may need to address some or all of the following IT-related 
    risks: strategic planning, quality assurance, project management, risk 
    assessment, infrastructure and architecture, end-user computing, 
    contract administration of third party service providers, organization 
    and human resources, regulatory and legal compliance.
        Sound management practices are demonstrated through active 
    oversight by the board of directors and management, competent 
    personnel, sound IT plans, adequate policies and standards, an 
    effective control environment, and risk monitoring. This rating should 
    reflect the board's and management's ability as it applies to all 
    aspects of IT operations.
        For service providers of financial institutions, additional risk 
    factors must be weighed in the management component rating such as the 
    service provider's financial condition, continuing viability, service 
    level performance to financial institutions, and contractual terms and 
    plans.
        The performance of management and the quality of risk management 
    are rated based upon an assessment of:
         The level and quality of oversight and support of the IT 
    activities by the board of directors and management.
         The ability of management to plan for and initiate new 
    activities or products in response to information needs and to address 
    risks that may
    
    [[Page 31472]]
    
    arise from changing business conditions.
         The ability of management to provide management 
    information reports necessary for informed planning and decision making 
    in an effective and efficient manner.
         The adequacy of, and conformance with, internal policies 
    and controls addressing the IT operations and risks of significant 
    activities.
         The effectiveness of risk monitoring systems.
         The timeliness of corrective action for reported and known 
    problems.
         The level of awareness of, and compliance with laws and 
    regulations.
         The level of planning for management succession.
         The ability of management to monitor the services 
    delivered and to measure the organization's progress toward identified 
    goals in an effective and efficient manner.
         The adequacy of contracts and management's ability to 
    monitor relationships with third-party servicers.
         The adequacy of strategic planning and risk management 
    practices to identify, measure, monitor, and control risks, including 
    management's ability to perform self-assessments.
         The ability of management to identify, measure, monitor, 
    and control risks and to address emerging information technology needs 
    and solutions of the organization.
         In addition to the above factors, the following are 
    included in the assessment of management at service providers:
         The financial condition and ongoing viability of the 
    entity.
         The impact of external and internal trends and other 
    factors on the ability of the entity to support continued servicing of 
    client financial institutions.
    Ratings
        1. A rating of ``1'' indicates strong performance by management and 
    the board. Effective risk management practices are in place to guide IT 
    activities, and risks are consistently and effectively identified, 
    measured, controlled, and monitored. Management immediately resolves 
    audit and regulatory concerns to ensure sound operations. Written 
    technology plans, policies and procedures, and standards are thorough 
    and properly reflect the complexity of the IT environment. They have 
    been formally adopted, communicated, and enforced throughout the 
    organization. IT systems provide accurate, timely reports to 
    management. These reports serve as the basis of major decisions and as 
    an effective performance-monitoring tool. Outsourcing arrangements are 
    based on comprehensive planning; routine management supervision 
    sustains an appropriate level of control over vendor contracts, 
    performance, and services provided. Management and the board have 
    demonstrated the ability to promptly and successfully address existing 
    IT problems and potential risks.
        2. A rating of ``2'' indicates satisfactory performance by 
    management and the board. Adequate risk management practices are in 
    place and guide IT activities. Significant IT risks are identified, 
    measured, monitored, and controlled, however, risk management processes 
    may be less structured or inconsistently applied and modest weaknesses 
    exist. Management routinely resolves audit and regulatory concerns to 
    ensure effective and sound operations, however, the implementation of 
    corrective actions may not always be in a timely manner. Technology 
    plans, policies and procedures, and standards are adequate and are 
    formally adopted. However, minor weaknesses may exist in management's 
    ability to communicate and enforce them throughout the organization. IT 
    systems provide quality reports to management which serve as a basis 
    for major decisions and a tool for performance planning and monitoring. 
    Isolated or temporary problems with timeliness, accuracy or consistency 
    of reports may exist. Outsourcing arrangements are adequately planned 
    and controlled by management, and provide for a general understanding 
    of vendor contracts, performance standards and services provided. 
    Management and the board have demonstrated the ability to address 
    existing IT problems and risks successfully.
        3. A rating of ``3'' indicates less than satisfactory performance 
    by management and the board. Risk management practices may be weak and 
    offer limited guidance for IT activities. Most IT risks are generally 
    identified, however, processes in place to measure and monitor risk may 
    be flawed. As a result, management's ability to control risk is less 
    than satisfactory. Regulatory and audit concerns may be addressed, but 
    time frames are often excessive and the corrective action taken may be 
    inappropriate. Management may be unwilling or incapable of addressing 
    deficiencies. Technology plans, policies and procedures, and standards 
    exist, but may be incomplete. They may not be formally adopted, 
    effectively communicated, or enforced throughout the organization. IT 
    systems provide requested reports to management, but periodic problems 
    with accuracy, consistency and timeliness lessen the reliability and 
    usefulness of reports and may adversely influence decision making and 
    performance monitoring. Outsourcing arrangements may be entered into 
    without thorough planning. Management may provide only cursory 
    supervision that limits their understanding of vendor contracts, 
    performance standards, and services provided. Management and the board 
    may not be capable of addressing existing IT problems and risks, 
    evidenced by untimely corrective actions and outstanding IT problems.
        4. A rating of ``4'' indicates deficient performance by management 
    and the board. Risk management practices are inadequate and do not 
    provide sufficient guidance for IT activities. Critical IT risks are 
    not properly identified, and processes to measure and monitor risks are 
    deficient. As a result, management may not be aware of and is unable to 
    control risks. Management may be unwilling and/or incapable of 
    addressing audit and regulatory deficiencies in an effective and timely 
    manner. Technology plans, policies and procedures, and standards are 
    inadequate, have not been formally adopted, or effectively communicated 
    throughout the organization, and management does not effectively 
    enforce them. IT systems do not routinely provide management with 
    accurate, consistent, and reliable reports, thus contributing to 
    ineffective performance monitoring and/or flawed decision making. 
    Outsourcing arrangements may be entered into without planning or 
    analysis and management may provide little or no supervision of vendor 
    contracts, performance standards, or services provided. Management and 
    the board are unable to address existing IT problems and risks, as 
    evidenced by ineffective actions and longstanding IT weaknesses. 
    Strengthening of management and its processes is necessary.
        5. A rating of ``5'' indicates critically deficient performance by 
    management and the board. Risk management practices are severely flawed 
    and provide inadequate guidance for IT activities. Critical IT risks 
    are not identified, and processes to measure and monitor risks do not 
    exist, or are not effective. Management's inability to control risk may 
    threaten the continued viability of the institution or service 
    provider. Management is unable and/or unwilling to correct audit and 
    regulatory identified deficiencies and immediate action by the board is 
    required to preserve the viability of the institution or service 
    provider. If they
    
    [[Page 31473]]
    
    exist, technology plans, policies and procedures, and standards are 
    critically deficient. Because of systemic problems, IT systems do not 
    produce management reports which are accurate, timely, or relevant. 
    Outsourcing arrangements may have been entered into without management 
    planning or analysis, resulting in significant losses to the financial 
    institution or inappropriate vendor services.
    
    Development and Acquisition
    
        Development and acquisition represent an organization's ability to 
    identify, acquire, install, and maintain appropriate information 
    technology solutions. Management practices may need to address all or 
    parts of the business process for implementing any kind of change to 
    the hardware or software used. These business processes include an 
    institution's or service provider's purchase of hardware or software, 
    development and programming performed by the institution or service 
    provider, purchase of services from independent vendors or affiliated 
    data centers, or a combination of those. The business process is 
    defined as all phases taken to implement a change including researching 
    alternatives available, choosing an appropriate option for the 
    organization as a whole, and converting to the new system, or 
    integrating the new system with existing systems. This rating reflects 
    the adequacy of the institution's systems development methodology and 
    related risk management practices for acquisition, and deployment of 
    information technology. This rating also reflects the board and 
    management's ability to enhance and replace information technology 
    prudently in a controlled environment.
        For service providers of financial institutions, additional risks 
    to the serviced institution, such as the quality of software releases, 
    and the training provided to clients, must be weighed in the 
    Development and Acquisition component rating.
        The performance of systems development and acquisition and related 
    risk management practice is rated based upon an assessment of:
         The level and quality of oversight and support of systems 
    development and acquisition activities by senior management and the 
    board of directors.
         The adequacy of the organizational and management 
    structures to establish accountability and responsibility for systems 
    initiatives.
         The volume, nature, and extent of risk exposure to the 
    financial institution in the area of systems development and 
    acquisition.
         The adequacy of the institution's Systems Development Life 
    Cycle (SDLC) and programming standards.
         The quality of project management programs and practices 
    which are followed by developers, operators, executive management/
    owners, independent vendors or affiliated servicers, and end-users.
         The independence of the quality assurance function and the 
    adequacy of controls over program changes.
         The quality and thoroughness of system documentation.
         The integrity and security of the network, system, and 
    application software.
         The development of information technology solutions that 
    meet the needs of end users.
         The extent of end user involvement in the system 
    development process.
    Ratings
        1. A rating of ``1'' indicates strong systems development, 
    acquisition, implementation, and change management performance. 
    Management and the board routinely demonstrate successfully the ability 
    to identify and implement appropriate IT solutions while effectively 
    managing risk. Project management techniques and the SDLC are fully 
    effective and supported by written policies, procedures and project 
    controls that consistently result in timely and efficient project 
    completion. An independent quality assurance function provides strong 
    controls over testing and program change management. Technology 
    solutions consistently meet end user needs. No significant weaknesses 
    or problems exist.
        2. A rating of ``2'' indicates a satisfactory systems development, 
    acquisition, implementation, and change management performance. 
    Management and the board frequently demonstrate their ability to 
    identify and implement appropriate IT solutions while managing risk. 
    Project management and the SDLC are generally effective however, 
    weaknesses may exist that result in minor project delays or cost 
    overruns. An independent quality assurance function provides adequate 
    supervision of testing and program change management, but minor 
    weaknesses may exist. Technology solutions meet end user needs. 
    However, minor enhancements may be necessary to meet original user 
    expectations. Weaknesses may exist; however, they are not significant 
    and they are easily corrected in the normal course of business.
        3. A rating of ``3'' indicates less than satisfactory systems 
    development, acquisition, implementation, and change management 
    performance. Management and the board may often be unsuccessful in 
    identifying and implementing appropriate IT solutions; therefore 
    unwarranted risk exposure may exist. Project management techniques and 
    the SDLC are weak and may result in frequent project delays, backlogs 
    or significant cost overruns. The quality assurance function may not be 
    independent of the programming function which may impact the integrity 
    of testing and program change management. Technology solutions 
    generally meet end user needs, but often require an inordinate level of 
    change after implementation. Because of weaknesses, significant 
    problems may arise that could result in disruption to operations or 
    significant losses.
        4. A rating of ``4'' indicates deficient systems development, 
    acquisition, implementation and change management performance. 
    Management and the board may be unable to identify and implement 
    appropriate IT solutions and do not effectively manage risk. Project 
    management techniques and the SDLC are ineffective and may result in 
    severe project delays and cost overruns. The quality assurance function 
    is not fully effective and may not provide independent or comprehensive 
    review of testing controls or program change management. Technology 
    solutions may not meet the critical needs of the organization. Problems 
    and significant risks exist that require immediate action by the board 
    and management to preserve the soundness of the institution.
        5. A rating of ``5'' indicates critically deficient systems 
    development, acquisition, implementation, and change management 
    performance. Management and the board appear to be incapable of 
    identifying, and implementing appropriate information technology 
    solutions. If they exist, project management techniques and the SDLC 
    are critically deficient and provide little or no direction for 
    development of systems or technology projects. The quality assurance 
    function is severely deficient or not present and unidentified problems 
    in testing and program change have caused significant IT risks. 
    Technology solutions do not meet the needs of the organization. Serious 
    problems and significant risks exist which raise concern for the 
    financial institution or service provider's ongoing viability.
    
    [[Page 31474]]
    
    Support and Delivery
    
        Support and delivery for IT represent an organization's ability to 
    provide technology services in a secure environment. This rating 
    reflects not only the condition of IT operations but also factors such 
    as reliability, security, and integrity, which may affect the quality 
    of the information delivery system. This includes customer support and 
    training, and the ability to manage problems and incidents, operations, 
    system performance, capacity planning, and facility and data 
    management. Risk management practices should promote effective, safe 
    and sound IT operations ensuring the continuity of operations and the 
    reliability and availability of data. The scope of this component 
    rating includes operational risks throughout the organization and 
    service providers.
        For service providers of financial institutions, additional risk 
    factors must be weighed in the support and delivery component rating 
    such as the level of customer service and the management of third-party 
    services.
        The rating of IT support and delivery are based on a review and 
    assessment of:
         The ability to provide a level of service that meets the 
    requirements of the business.
         The adequacy of security policies, procedures, and 
    practices in all units and at all levels of the financial institution, 
    and service providers.
         The adequacy of data controls over preparation, input, 
    processing, and output.
         The adequacy of corporate contingency planning and 
    business resumption for data centers, networks, service providers and 
    business units.
         The quality of processes or programs that monitor capacity 
    and performance.
         The adequacy of contracts and the ability to monitor 
    relationships with service providers.
         The quality of assistance provided to users including the 
    ability to handle problems.
         The adequacy of operating policies, procedures, and 
    manuals.
         The quality of physical and logical security including the 
    privacy of data.
        1. A rating of ``1'' indicates strong IT support and delivery 
    performance. The organization provides technology services that are 
    reliable and consistent. Service levels adhere to well-defined service 
    level agreements and routinely meet or exceed business requirements. A 
    comprehensive corporate contingency and business resumption plan is in 
    place. Annual contingency plan testing and updating is performed; and, 
    critical systems and applications are recovered within acceptable time 
    frames. A formal written data security policy and awareness program is 
    communicated and enforced throughout the organization. The logical and 
    physical security for all IT platforms is closely monitored and 
    security incidents and weaknesses are identified and quickly corrected. 
    Relationships with third-party service providers are closely monitored. 
    IT operations are highly reliable and risk exposure is successfully 
    identified and controlled.
        2. A rating of ``2'' indicates satisfactory IT support and delivery 
    performance. The organization provides technology services that are 
    generally reliable and consistent, however, minor discrepancies in 
    service levels may occur. Service performance adheres to service 
    agreements, and meets business requirements. A corporate contingency 
    and business resumption plan is in place, but minor enhancements may be 
    necessary. Annual plan testing and updating is performed; and, minor 
    problems may occur when recovering systems or applications. A written 
    data security policy is in place but may require improvement to ensure 
    its adequacy. The policy is generally enforced and communicated 
    throughout the organization, e.g. via a security awareness program. The 
    logical and physical security for critical IT platforms is 
    satisfactory. Systems are monitored and security incidents and 
    weaknesses are identified and resolved within reasonable time frames. 
    Relationships with third-party service providers are monitored. 
    Critical IT operations are reliable and risk exposure is reasonably 
    identified and controlled.
        3. A rating of ``3'' indicates that the performance of IT support 
    and delivery is less than satisfactory and needs improvement. The 
    organization provides technology services that may not be reliable or 
    consistent. As a result, service levels periodically do not adhere to 
    service level agreements or meet business requirements. A corporate 
    contingency and business resumption plan is in place but may not be 
    considered comprehensive. The plan is periodically tested; however, the 
    recovery of critical systems and applications is frequently 
    unsuccessful. A data security policy exists; however, it may not be 
    strictly enforced or communicated throughout the organization. The 
    logical and physical security for critical IT platforms is less than 
    satisfactory. Systems are monitored; however, security incidents and 
    weaknesses may not be resolved in a timely manner. Relationships with 
    third-party service providers may not be adequately monitored. IT 
    operations are not acceptable and unwarranted risk exposures exist. If 
    not corrected, weaknesses could cause performance degradation or 
    disruption to operations.
        4. A rating of ``4'' indicates deficient IT support and delivery 
    performance. The organization provides technology services that are 
    unreliable and inconsistent. Service level agreements are poorly 
    defined and service performance usually fails to meet business 
    requirements. A corporate contingency and business resumption plan may 
    exist, but its content is critically deficient. If testing is 
    performed, management is typically unable to recover critical systems 
    and applications. A data security policy may not exist. As a result, 
    serious supervisory concerns over security and the integrity of data 
    exist. The logical and physical security for critical IT platforms is 
    deficient. Systems may be monitored, but security incidents and 
    weaknesses are not successfully identified or resolved. Relationships 
    with third-party service providers are not monitored. IT operations are 
    not reliable and significant risk exposure exists. Degradation in 
    performance is evident and frequent disruption in operations has 
    occurred.
        5. A rating of ``5'' indicates critically deficient IT support and 
    delivery performance. The organization provides technology services 
    that are not reliable or consistent. Service level agreements do not 
    exist and service performance does not meet business requirements. A 
    corporate contingency and business resumption plan does not exist. 
    Testing is not performed and management has not demonstrated the 
    ability to recover critical systems and applications. A data security 
    policy does not exist and a serious threat to the organization's 
    security, and data integrity exists. The logical and physical security 
    for critical IT platforms is inadequate and management does not monitor 
    systems for security incidents and weaknesses. Relationships with 
    third-party service providers are not monitored and the viability of a 
    service provider may be in jeopardy. IT operations are severely 
    deficient and the seriousness of weaknesses could cause failure of the 
    financial institution or service provider, if not addressed.
    
    [End of Proposed Text of Uniform Rating System for Information 
    Technology]
    
    
    [[Page 31475]]
    
    
        Dated: June 3, 1998.
    Keith Todd,
    Acting Executive Secretary, Federal Financial Institutions Examination 
    Council.
    [FR Doc. 98-15231 Filed 6-8-98; 8:45 am]
    BILLING CODE 6210-01-P 6720-01-P 4810-33-P 6714-01-P
    
    
    

Document Information

Published:
06/09/1998
Department:
Federal Financial Institutions Examination Council
Entry Type:
Notice
Action:
Notice and request for comment.
Document Number:
98-15231
Dates:
Comments must be received by August 10, 1998.
Pages:
31468-31475 (8 pages)
PDF File:
98-15231.pdf