Gap Analysis IT Rating System

Upload: riclyndesanjuan

Post on 12-Apr-2018


7/21/2019 Gap Analysis IT Rating System

COMPOSITE RATING

4 (STRONG)
BSFI's IT risk management system shows no cause for supervisory concern
Strategic plans are well-defined and aligned with business strategy
While internal control weaknesses may exist, there are no significant concerns
Supervisory action is informal and limited
Weaknesses noted are minor in nature and can be easily corrected during the normal course of business
Management is proactive in identifying potential weaknesses and promptly takes action
Audit and regulatory concerns were timely, appropriately and substantially addressed
Management is able to quickly adapt to changing market, business, technological and security needs of the BSFI
Risk management program, processes and practices are formally approved, enterprise-wide, comprehensive and able to adequately identify, measure, monitor and control the BSFI's risk exposures
Organizational information and cyber-security practices are regularly updated with changes in the threat and technology landscape and, at the same time, the BSFI promotes information sharing with partners to improve cyber-security management
Assessment of controls, operating and financial condition of the BSFI's technology service provider is strong
Generally, all or most of its component ratings are 4, with no component rating below 3

3 (SATISFACTORY)
BSFIs rated composite 3 exhibit satisfactory performance with low to moderate weaknesses
Management normally identifies weaknesses and takes appropriate corrective actions in the normal course of business
Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization
Management anticipates, but responds less quickly to, changes in market, business, technological and security needs of the BSFI
Risk management processes adequately identify, measure, control and monitor risks relative to the IT risk profile
Organizational information and cyber-security practices are regularly updated with changes in the threat and technology landscape
Assessment of controls, operating and financial condition of the BSFI's technology service provider is acceptable
Generally, all or most of its component ratings are 3, with no component rating below 2

2 (LESS THAN SATISFACTORY)
BSFIs rated composite 2 exhibit less than satisfactory performance due to a combination of weaknesses that may range from moderate to severe
If weaknesses persist, further deterioration in the condition and performance of the BSFI is likely
Failure of the BSFI is unlikely unless IT problems are remedied
Increased supervision is necessary, and a combination of formal and informal supervisory actions may be necessary to secure corrective action
Repeat concerns may exist, indicating that management lacks the ability or willingness to resolve concerns
Self-assessment practices are weak and are generally reactive to audit and regulatory exceptions
Strategic plans are vaguely defined and may not provide adequate direction for IT initiatives
Management experiences difficulty responding to changes in business, market, technological and security needs of the BSFI
Risk management practices are formally approved but are not implemented or linked to an enterprise-wide policy
Risk management processes and practices do not effectively identify and measure risks and may be inappropriate relative to the BSFI's risk profile
Implemented controls and monitoring activities are not linked to a formal risk assessment process
Organizational information and cyber-security practices are not responsive to changes in the threat and technology landscape
Assessment of controls, operating and financial condition of the BSFI's technology service provider is weak and/or derogatory information is noted from other clients
Generally, all or most of its component ratings are 2

1 (DEFICIENT)
BSFIs rated composite 1 indicate a deficient environment that may impair the future viability of the BSFI, requiring immediate remedial action
Serious operational problems and weaknesses may exist throughout the organization
Ongoing supervisory action is necessary and formal enforcement action is warranted
Self-assessment practices are absent and management is unwilling or incapable of correcting audit and regulatory concerns
Strategic plans are poorly defined or non-existent and the Board and Senior Management have little or no direction for IT initiatives
Management is unaware of or inattentive to technological and security needs of the BSFI
Risk management practices are not formalized and risk is managed in an ad hoc and sometimes reactive manner
Risk management processes and practices are absent or inadequate in identifying, measuring, monitoring and controlling the BSFI's risk exposures
Maintenance and updating of organizational information and cyber-security practices are non-existent
Assessment of controls, operating and financial condition of the BSFI's technology service provider is poor or not performed

IT Oversight and Operations Management

4 (STRONG)
Indicates strong support structure, processes and practices for IT oversight and operations management
Organizational structure is well-defined and formally adopted, allowing the Board to be regularly informed of IT performance and set appropriate direction for IT activities
MIS provides the Board and Senior Management accurate, timely and comprehensive information to enable prudent and reasonable business decisions
MIS supports monitoring of the institution's activities as well as a means for information dissemination at various levels of the organization
Adequate internal controls, operating procedures, safeguards, and audit coverage of MIS-related activities are in place
Formally adopted IT strategic plan, policies, procedures, and standards are thorough and reflective of the complexity of the IT environment. These are communicated and enforced throughout the organization
Staff level and competency are sufficient
Adequate resources are allocated to hire and train employees to achieve a level of expertise necessary to meet business objectives
Succession and transition strategies are formally adopted, well-defined, and readily implementable
Relevant controls on IT Operations, Vendor Management and Electronic Banking fully conform to BSP's requirements
Consistent application of said controls is also evident

3 (SATISFACTORY)
Support structure, processes and practices for IT oversight and operations management
Organizational structure is defined and formally adopted, allowing the Board to remain informed of IT performance and set direction for major IT activities
MIS provides the Board and Senior Management accurate and timely information to support key business decisions
MIS also provides means for monitoring major activities as well as information dissemination
Internal controls, operating procedures, safeguards and audit coverage of MIS-related activities are in place but may exhibit modest weaknesses
Formally adopted IT strategic plan, policies, procedures, and standards are adequate. However, minor weaknesses may exist in management's ability to communicate and enforce them throughout the organization
Staff level and competency generally meet business needs
Minor gaps are noted in the employee hiring and training process
Succession and transition strategies are formally adopted but may not be readily implementable
Relevant controls on IT Operations, Vendor Management and Electronic Banking generally conform to BSP's requirements

2 (LESS THAN SATISFACTORY)
Support structure, processes and practices for IT oversight and operations management
Organizational structure is informal
The Board is occasionally informed of IT performance
MIS provides the Board and Senior Management information as a basis for decision making, but reports may be incomplete, delayed or contain significant inaccuracies
IT strategic plan, policies and procedures exist, but may be incomplete
The plan may not be formally adopted, effectively communicated, or enforced throughout the organization
Staff level and competency are less than what is needed to meet business requirements
Significant gaps are noted in the employee hiring and training process
Succession and transition strategies are informal
Relevant controls on IT Operations, Vendor Management and Electronic Banking are inadequate to conform to BSP's requirements

1 (DEFICIENT)
Support structure, processes and practices for IT oversight and operations management
Organizational structure and oversight of IT is deficient or lacking
MIS is lacking or is grossly inaccurate, which may mislead the Board and Senior Management when making decisions and setting direction
IT strategic plan, policies, procedures, and standards have not been formally adopted or are deficient. These are not effectively communicated and enforced throughout the organization
Staff level and competency do not meet business needs
Hiring and training processes are absent or deficient
Succession and transition strategies are non-existent or trivial
There are few or no controls in place for IT Operations, Vendor Management and Electronic Banking
Implementation of the required controls as prescribed in the BSP guidelines is very minimal

IT Risk Management

4 (STRONG)
Cost-benefit discussions for risk response are regularly conducted

3 (SATISFACTORY)

2 (LESS THAN SATISFACTORY)
Periodic risk assessment activities have significant scope limitations
There are very few or no cost-benefit discussions for risk response
The Board recognizes the need for IT risk management and issues general guidance. However, responsibility and accountability are informal or unclear
Inventory of identified IT-related risks and controls provides a limited view of the IT risk profile, as it may be inconsistently prepared and/or not consolidated

1 (DEFICIENT)
Risk assessment activities are lacking or performed only on an ad hoc basis
Risk response is absent or does little to manage IT risk to an acceptable level

Information Security

4 (STRONG)
Information Security oversight, supporting structure, practices and controls exceed what is considered necessary given the BSFI's risk profile
Organization is able to adapt to changes in the security landscape, as continuous improvement is embedded in the process
The BSFI promotes information sharing and collaboration with partners to manage industry-wide and cyber-security risks
Existing controls and practices fully conform to BSP guidelines and are consistently implemented; security risks are proactively managed

3 (SATISFACTORY)
Information Security oversight, supporting structure, practices and controls meet what is considered necessary given the BSFI's risk profile
Organization is regularly updated on changes in the technology and threat landscape
BSFI understands its dependencies with partners to enable collaboration on certain industry-wide and cyber-security risks
Employees understand their roles and responsibilities and are kept abreast of developments on information security
Existing controls and practices generally conform to BSP guidelines

2 (LESS THAN SATISFACTORY)
Information Security oversight, supporting structure, practices and controls do not meet what is considered necessary given the BSFI's risk profile
Organization is aware of the risks but an enterprise-wide approach is not established
BSFI is aware of its role in the industry but has not formalized its capabilities to interact and share information with its partners to manage certain industry-wide and cyber-security risks
Roles and responsibilities in managing security risks within the organization are defined but are not known among its employees. Employees have limited awareness of information security risks
Existing controls and practices are generally not compliant with BSP guidelines

1 (DEFICIENT)
Information Security oversight, supporting structure, practices and controls are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Approach to managing security risk is not formalized and may be done only in an ad hoc or reactive manner
BSFI is not capable of participating in information sharing with partners in the industry
Roles and responsibilities in managing security risks within the organization are not defined
Employees are not aware of information security risks

Development and Acquisition

4 (STRONG)
BSFI's project management methodology, controls and related risk management practices exceed what is considered necessary given the BSFI's risk profile
Management regularly exhibits ability to identify and implement IT solutions in a controlled environment
Projects undertaken consistently meet end-user needs
Project controls are evident and consistently result in timely, efficient and effective project completion
Techniques and practices are effective and formalized
Independent quality control/quality assurance procedures for all significant IT-related activities ensure cost-effective value delivery and continuous improvement through on-going monitoring
No significant weaknesses or problems exist

3 (SATISFACTORY)
BSFI's project management methodology, controls and related risk management practices meet what is considered necessary given the BSFI's risk profile
Management exhibits ability to identify and implement IT solutions in a controlled environment
Projects undertaken meet end-user needs, though minor enhancements may be necessary to meet original user expectations
Project controls, techniques and practices are generally effective but with weaknesses that may result in minor project delays or cost overruns
Independent quality control/quality assurance procedures for key IT activities are regularly conducted to support value delivery and improvement efforts
Weaknesses may exist but they are easily corrected in the normal course of business

2 (LESS THAN SATISFACTORY)
BSFI's project management methodology, controls and related risk management practices do not meet what is considered necessary given the BSFI's risk profile
Management is not consistently able to identify and implement IT solutions, which may result in unwarranted risk exposure
Projects undertaken generally meet end-user needs, though they often require changes and workarounds prior to or after implementation
Frequent project delays or cost overruns exist as a result of weak project management controls, techniques and practices
Independent quality control/quality assurance procedures are limited in scope and may not adequately support value delivery and improvement efforts
Moderate to severe weaknesses are present that may result in significant problems or losses in the future

1 (DEFICIENT)
BSFI's project management methodology, controls and related risk management practices are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Management is not able to identify and implement IT solutions and maintain project controls to manage risk
Projects do not meet requirements and needs of the BSFI, which results in underused, unsecured or unreliable systems
Severe project delays and cost overruns are experienced by the BSFI due to poor or absent project management controls, techniques and practices
Independent quality control/quality assurance procedures are deficient or lacking

Business Continuity

4 (STRONG)
Business Continuity Strategy and practices exceed what is considered necessary given the BSFI's risk profile
Board and Senior Management proactively monitor and are actively involved in ensuring resiliency of BSFI operations
BSFI is able to exhibit capability to recover within business requirements
Tests are regularly performed covering various scenarios, including component failure up to total shutdown or inaccessibility of the primary data center
Back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are regularly reviewed and updated to align with changes in the business environment
Participation from all employees is evident in ensuring risks are proactively managed

3 (SATISFACTORY)
Business Continuity Strategy and practices meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are actively involved in ensuring resiliency of the BSFI operations
BSFI is able to exhibit capability to recover within business requirements
Tests are periodically performed covering various scenarios, including component failure up to total shutdown or inaccessibility of the primary data center, with minor problems encountered during systems or applications recovery
Review and update of back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are done periodically
Employees understand their roles and responsibilities and are kept abreast of developments on business continuity

2 (LESS THAN SATISFACTORY)
Business Continuity Strategy and practices do not meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are regularly updated on the status of different initiatives but are not actively involved in ensuring resiliency of BSFI operations
BSFI is not able to adequately exhibit capability to recover within business requirements due to inadequate tests performed
Periodic tests are performed but may be limited in scope, or recovery of critical systems and applications is frequently unsuccessful
Review and update of back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are done as needed or not updated
Roles and responsibilities in managing business continuity risks within the organization are defined but are not known among its employees

1 (DEFICIENT)
Business Continuity Strategy and practices are deficient, in a material way, to meet what is considered necessary given the BSFI's risk profile
Board and Senior Management are not informed of activities and not involved in ensuring resiliency of BSFI operations
Recovery and back-up strategies are not tied to business requirements, or there are none in place
Tests are not performed or are typically unable to recover critical systems and applications
Back-up and recovery strategies, recovery time objective, recovery point objective, technology recovery plans and other related documents are non-existent or no longer updated
Roles and responsibilities in ensuring availability and continuity of operations within the organization are not defined
Employees are not aware of business continuity risks

IT Audit and Compliance

4 (STRONG)
IT audit and compliance processes and activities are strong
Risks and weaknesses are independently identified and reported to the Board and Audit Committee in a timely manner
Outstanding issues are monitored until resolved
Policy compliance process is well-defined. It provides timely and comprehensive information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

3 (SATISFACTORY)
IT audit and compliance processes and activities are satisfactory
Risks and weaknesses are independently identified and reported to the Board and Audit Committee, but reports may be less timely
Major issues are monitored until resolved
Policy compliance process is defined and provides adequate information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

2 (LESS THAN SATISFACTORY)
IT audit and compliance processes and activities are less than satisfactory
Audit independence may be compromised
Audit plan does not provide sufficient scope/frequency for key IT areas
Reports presented to the Board and Audit Committee are less than satisfactory in content and timeliness
Monitoring of outstanding audit issues is inadequate
Policy compliance process is informal and provides limited information to the Board and Senior Management on new issuances and emerging risks that may necessitate appropriate action or corresponding policy change/update

1 (DEFICIENT)
IT audit and compliance processes and activities are deficient
Audit lacks independence
Audit plan is ineffective due to inappropriate audit scope/frequency
Risks and weaknesses are not reported to the Board and Audit Committee
Monitoring of outstanding audit issues is lacking
Policy compliance process is deficient or absent