Seal of the Board of Governors of the Federal Reserve System
BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM

WASHINGTON, D. C.  20551

DIVISION OF BANKING
SUPERVISION AND REGULATION

SR 99-8 (SUP)
March 31, 1999

TO THE OFFICER IN CHARGE OF SUPERVISION
          AT EACH FEDERAL RESERVE BANK


SUBJECT: Uniform Rating System for Information Technology

                    On January 13, 1999, the Federal Financial Institutions Examination Council (FFIEC) adopted a revised Uniform Rating System for Information Technology (URSIT).1  The FFIEC published the revised rating system in the Federal Register on January 20, 1999 (64 FR 3109).  The revised URSIT (Attachment 1 - 58 KB PDF) becomes effective April 1, 1999, and is to be used in information technology examinations of all banks and data processing service providers commencing after that date.

                    The banking agencies originally adopted the URSIT on the recommendation of the FFIEC in 1978.  Over the years, the URSIT has proven to be an effective internal supervisory tool for evaluating the condition of an institution's or service provider's information technology function.  Changes in information technology as well as in the banking agencies' supervisory policies and procedures, prompted a review and revision of the 1978 rating system.  In June 1998, a proposed revision to the URSIT was issued for public comment and distributed to examiners for field-testing.  The final revised URSIT incorporates the comments received on the proposal and from the field testing.  The revisions include:

    • Additional language to conform the URSIT to the Uniform Financial Institution Rating System (UFIRS).2
    • Clarification of the component ratings and a reformat of the descriptions for the ratings.3
    • Two new component categories -- "Development and Acquisition" and "Support and Delivery" which replace "Systems and Programming" and "Operations."
    • An emphasis on the quality of risk management processes in each of the rating components.
    • A requirement that examiners explicitly identify the risk types that are considered in assigning component ratings.

                    In order to facilitate implementation of the URSIT, a guide adapted from the Information Systems Audit and Control Foundation COBIT Implementation Tool Set is provided in Attachment 2 (37 KB PDF).  The implementation guide identifies technology concerns and their relationship to specific rating factors.  This guidance provides a risk analysis baseline for the identification of critical areas in a risk-focused examination methodology.

                    Should your staff have any questions, please have them contact Michael Martinson, Deputy Associate Director, at 202/452-3640, Heidi Richards, Manager of Specialized Activities, at 202/452-2598, or Blaine Jones, Supervisory EDP Analyst, at 202/452-3759.


William A. Ryback
Associate Director

Attachments

Supersedes:   SR Letter 78-507
 
Cross-References:   SR Letters 96-38 and 96-26



Notes:

1.   The revisions to the URSIT were developed by the staffs of the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.  Return to text

2.   Refer to SR Letter 96-38, �Uniform Financial Institution Rating System (UFIRS)�  Return to text

3.   Refer to SR Letter 96-26, �Provision of Individual Components of Supervisory Rating Systems to Management and Boards of Directors�  Return to text


SR letters | 1999