gap analysis it rating system
TRANSCRIPT

7/21/2019 Gap Analysis IT Rating System

COMPOSITE RATING

4 (STRONG)
BSFI's IT risk management system shows no cause for supervisory concern
Strategic plans are well-defined and aligned with business strategy
While internal control weaknesses may exist, there are no significant concerns
Supervisory action is informal and limited
Weaknesses noted are minor in nature and can be easily corrected during the normal course of business
Management is proactive in identifying potential weaknesses and promptly takes action
Audit and regulatory concerns were timely, appropriately and substantially addressed
Management is able to quickly adapt to changing market, business, technological and security needs of the BSFI
Risk management program, processes and practices are formally approved, enterprise-wide, comprehensive and able to adequately identify, measure, monitor and control the BSFI's risk exposures
Organizational information and cyber-security practices are regularly updated with changes in the threat and technology landscape and, at the same time, the BSFI promotes information sharing with partners to improve cyber-security management
Assessment of controls, operating and financial condition of the BSFI's technology service provider is strong
Generally, all or most of its component ratings are 4 with no component rating below 3

3 (SATISFACTORY)
BSFIs rated composite '3' exhibit satisfactory performance with low to moderate weaknesses
Management normally identifies weaknesses and takes appropriate corrective actions in the normal course of business
Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization
Management anticipates, but responds less quickly to, changes in market, business, technological and security needs of the BSFI
Risk management processes adequately identify, measure, control and monitor risks relative to the IT risk profile
Organizational information and cyber-security practices are regularly updated with changes in the threat and technology landscape
Assessment of controls, operating and financial condition of the BSFI's technology service provider is acceptable
Generally, all or most of its component ratings are 3 with no component rating below 2

2 (LESS THAN SATISFACTORY)
BSFIs rated composite '2' exhibit less than satisfactory performance due to a combination of weaknesses that may range from moderate to severe
If weaknesses persist, further deterioration in the condition and performance of the BSFI is likely
Increased supervision is necessary and a combination of formal and informal supervisory actions may be necessary to secure corrective action
Repeat concerns may exist, indicating that management lacks the ability or willingness to resolve concerns
Self-assessment practices are weak and are generally reactive to audit and regulatory exceptions
Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives
Management experiences difficulty responding to changes in business, market, technological and security needs of the BSFI
Risk management practices are formally approved but are not implemented or linked to an enterprise-wide policy
Risk management processes and practices do not effectively identify and measure risks and may be inappropriate relative to the BSFI's risk profile
Implemented controls and monitoring activities are not linked to a formal risk assessment process
Organizational information and cyber-security practices are not responsive to changes in the threat and technology landscape
Assessment of controls, operating and financial condition of the BSFI's technology service provider is weak and/or derogatory information is noted from other clients
Generally, all or most of its component ratings are 2

1 (DEFICIENT)
BSFIs rated composite '1' indicate a deficient environment that may impair the future viability of the BSFI, requiring immediate remedial action
Serious operational problems and weaknesses may exist throughout the organization
Ongoing supervisory action is necessary and formal enforcement action is warranted
Self-assessment practices are absent and management is unwilling or incapable of correcting audit and regulatory concerns
Strategic plans are poorly defined or non-existent and the Board and Senior Management have little or no direction for IT initiatives
Management is unaware of or inattentive to technological and security needs of the BSFI
Risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner
Risk management processes and practices are absent or inadequate in identifying, measuring, monitoring and controlling the BSFI's risk exposures
Maintenance and updating of organizational information and cyber-security practices are non-existent
Assessment of controls, operating and financial condition of the BSFI's technology service provider is poor or not performed
Failure of the BSFI is unlikely unless IT problems are remedied

IT Oversight and Operations Management

4 (STRONG)
Indicates strong support structure, processes and practices for IT oversight and operations management
Organizational structure is well-defined and formally adopted, allowing the Board to be regularly informed of IT performance and set appropriate direction for IT activities
MIS provides the Board and Senior Management accurate, timely and comprehensive information to enable prudent and reasonable business decisions
MIS supports monitoring of the institution's activities as well as a means for information dissemination at various levels of the organization
Adequate internal controls, operating procedures, safeguards, and audit coverage of MIS-related activities are in place
Formally adopted IT strategic plan, policies, procedures, and standards are thorough and reflective of the complexity of the IT environment. These are communicated and enforced throughout the organization
Staff level and competency are sufficient
Adequate resources are allocated to hire and train employees to achieve a level of expertise necessary to meet business objectives
Succession and transition strategies are formally adopted, well-defined, and readily implementable
Relevant controls on IT Operations, Vendor Management and Electronic Banking fully conform to BSP's requirements
Consistent application of said controls is also evident

3 (SATISFACTORY)
Support structure, processes and practices for IT oversight and operations management
Organizational structure is defined and formally adopted, allowing the Board to remain informed of IT performance and set direction for major IT activities
MIS provides the Board and Senior Management accurate and timely information to support key business decisions
MIS also provides means for monitoring major activities as well as information dissemination
Internal controls, operating procedures, safeguards and audit coverage of MIS-related activities are in place but may exhibit modest weaknesses
Formally adopted IT strategic plan, policies, procedures, and standards are adequate. However, minor weaknesses may exist in management's ability to communicate and enforce them throughout the organization
Staff level and competency generally meet business needs
Minor gaps are noted in the employee hiring and training process
Succession and transition strategies are formally adopted but may not be readily implementable
Relevant controls on IT Operations, Vendor Management and Electronic Banking generally conform to BSP's requirements

2 (LESS THAN SATISFACTORY)
Support structure, processes and practices for IT oversight and operations management
Organizational structure is informal
The Board is occasionally informed of IT performance
MIS provides the Board and Senior Management information as a basis for decision making, but reports may be incomplete, delayed or contain significant inaccuracies
IT strategic plan, policies and procedures exist, but may be incomplete
The plan may not be formally adopted, effectively communicated, or enforced throughout the organization
Staff level and competency are less than what is needed to meet business requirements
Significant gaps are noted in the employee hiring and training process
Succession and transition strategies are informal
Relevant controls on IT Operations, Vendor Management and Electronic Banking are inadequate to conform to BSP's requirements

1 (DEFICIENT)
Support structure, processes and practices for IT oversight and operations management
Organizational structure and oversight of IT is deficient or lacking
MIS is lacking or is grossly inaccurate, which may mislead the Board and Senior Management when making decisions and setting direction
IT strategic plan, policies, procedures, and standards have not been formally adopted or are deficient. These are not effectively communicated and enforced throughout the organization
Staff level and competency do not meet business needs
Hiring and training processes are absent or deficient
Succession and transition strategies are non-existent or trivial
There are few or no controls in place for IT Operations, Vendor Management and Electronic Banking
Implementation of the required controls as prescribed in the BSP guidelines is very minimal

IT Risk Management

4 (STRONG)
Cost-benefit discussions for risk response are regularly conducted

3 (SATISFACTORY)

2 (LESS THAN SATISFACTORY)
The Board recognizes the need for IT risk management and issues general guidance. However, responsibility and accountability are informal or unclear
Inventory of identified IT-related risks and controls provides a limited view of the IT risk profile as it may be inconsistently prepared and/or not consolidated
Periodic risk assessment activities have significant scope limitations
There is very little or no cost-benefit discussion for risk response

1 (DEFICIENT)
Risk assessment activities are lacking or performed only on an ad hoc basis
Risk response is absent or does little to manage IT risk to an acceptable level

Information Security

4 (STRONG)
Information Security oversight, supporting structure, practices and controls exceed what is considered necessary given the BSFI's risk profile
Organization is able to adapt to changes in the security landscape as continuous improvement is embedded in the process
The BSFI promotes information sharing collaboration with partners to manage industry-wide and cyber-security risks
Existing controls and practices fully conform to BSP guidelines and are consistently implemented
Security risks are proactively managed

3 (SATISFACTORY)
Information Security oversight, supporting structure, practices and controls meet what is considered necessary given the BSFI's risk profile
Organization is regularly updated on changes in the technology and threat landscape
BSFI understands its dependencies with partners to enable collaboration on certain industry-wide and cyber-security risks
Existing controls and practices generally conform to BSP guidelines
Employees understand their roles and responsibilities and are kept abreast of developments on information security

2 (LESS THAN SATISFACTORY)
Information Security oversight, supporting structure, practices and controls do not meet what is considered necessary given the BSFI's risk profile
Organization is aware of the risks but an enterprise-wide approach is not established
BSFI is aware of its role in the industry but has not formalized its capabilities to interact and share information with its partners to manage certain industry-wide and cyber-security risks
Existing controls and practices are generally not compliant with BSP guidelines
Roles and responsibilities in managing security risks within the organization are defined but are not known among its employees
Employees have limited awareness of information security risks

1 (DEFICIENT)
Information security oversight, supporting structure, practices and controls are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Approach to managing security risk is not formalized and may be done only in an ad hoc or reactive manner
BSFI is not capable of participating in information sharing with partners in the industry
Roles and responsibilities in managing security risks within the organization are not defined
Employees are not aware of information security risks

Development and Acquisition

4 (STRONG)
BSFI's project management methodology, controls and related risk management practices exceed what is considered necessary given the BSFI's risk profile
Management regularly exhibits ability to identify and implement IT solutions in a controlled environment
Projects undertaken consistently meet end-user needs
Project controls are evident and consistently result in timely, efficient and effective project completion
Techniques and practices are effective and formalized
Independent quality control/quality assurance procedures for all significant IT-related activities ensure cost-effective value delivery and continuous improvement through on-going monitoring
No significant weaknesses or problems exist

3 (SATISFACTORY)
BSFI's project management methodology, controls and related risk management practices meet what is considered necessary given the BSFI's risk profile
Management exhibits ability to identify and implement IT solutions in a controlled environment
Projects undertaken meet end-user needs, though minor enhancements may be necessary to meet original user expectations
Project controls, techniques and practices are generally effective but with weaknesses that may result in minor project delays or cost overruns
Independent quality control/quality assurance procedures for key IT activities are regularly conducted to support value delivery and improvement efforts
Weaknesses may exist but they are easily corrected in the normal course of business

2 (LESS THAN SATISFACTORY)
BSFI's project management methodology, controls and related risk management practices do not meet what is considered necessary given the BSFI's risk profile
Management is not consistently able to identify and implement IT solutions, which may result in unwarranted risk exposure
Projects undertaken generally meet end-user needs, though they often require changes and workarounds prior to or after implementation
Frequent project delays or cost overruns exist as a result of weak project management controls, techniques and practices
Independent quality control/quality assurance procedures are limited in scope and may not adequately support value delivery and improvement efforts
Moderate to severe weaknesses are present that may result in significant problems or losses in the future

1 (DEFICIENT)
BSFI's project management methodology, controls and related risk management practices are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Management is not able to identify and implement IT solutions and maintain project controls to manage risk
Projects do not meet requirements and needs of the BSFI, which results in underused, unsecured or unreliable systems
Severe project delays and cost overruns are experienced by the BSFI due to poor or absent project management controls, techniques and practices
Independent quality control/quality assurance procedures are deficient or lacking

Business Continuity

4 (STRONG)
Business Continuity Strategy and practices exceed what is considered necessary given the BSFI's risk profile
Board and Senior Management proactively monitor and are actively involved in ensuring resiliency of BSFI operations
BSFI is able to exhibit capability to recover within business requirements
Tests are regularly performed covering various scenarios, including component failure up to total shutdown or inaccessibility of the primary data center
Back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are regularly reviewed and updated to align with changes in the business environment
Participation from all employees is evident in ensuring risks are proactively managed

3 (SATISFACTORY)
Business Continuity Strategy and practices meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are actively involved in ensuring resiliency of the BSFI operations
BSFI is able to exhibit capability to recover within business requirements
Tests are periodically performed covering various scenarios, including component failure up to total shutdown or inaccessibility of the primary data center, with minor problems encountered during systems or applications recovery
Review and update of back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are done periodically
Employees understand their roles and responsibilities and are kept abreast of developments on business continuity

2 (LESS THAN SATISFACTORY)
Business Continuity Strategy and practices do not meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are regularly updated on the status of different initiatives but are not actively involved in ensuring resiliency of BSFI operations
BSFI is not able to adequately exhibit capability to recover within business requirements due to inadequate tests performed
Periodic tests are performed but may be limited in scope, or recovery of critical systems and applications is frequently unsuccessful
Review and update of back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are done as needed or not updated
Roles and responsibilities in managing business continuity risks within the organization are defined but are not known among its employees

1 (DEFICIENT)
Business Continuity Strategy and practices are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are not informed of activities and not involved in ensuring resiliency of BSFI operations
Recovery and back-up strategies are not tied to business requirements or there are none in place
Tests are not performed or are typically unable to recover critical systems and applications
Back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are non-existent or no longer updated
Roles and responsibilities in ensuring availability and continuity of operations within the organization are not defined
Employees are not aware of business continuity risks

IT Audit and Compliance

4 (STRONG)
IT audit and compliance processes and activities are strong
Risks and weaknesses are independently identified and reported to the Board and Audit Committee in a timely manner
Outstanding issues are monitored until resolved
Policy compliance process is well-defined. It provides timely and comprehensive information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

3 (SATISFACTORY)
IT audit and compliance processes and activities are satisfactory
Risks and weaknesses are independently identified and reported to the Board and Audit Committee, but reports may be less timely
Major issues are monitored until resolved
Policy compliance process is defined and provides adequate information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

2 (LESS THAN SATISFACTORY)
IT audit and compliance processes and activities are less than satisfactory
Audit independence may be compromised
Audit plan does not provide sufficient scope/frequency for key IT areas
Reports presented to the Board and Audit Committee are less than satisfactory in content and timeliness
Monitoring of outstanding audit issues is inadequate
Policy compliance process is informal and provides limited information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

1 (DEFICIENT)
IT audit and compliance processes and activities are deficient
Audit lacks independence
Audit plan is ineffective due to inappropriate audit scope/frequency
Risks and weaknesses are not reported to the Board and Audit Committee
Monitoring of outstanding audit issues is lacking
Policy compliance process is deficient or absent