IT Examiner School, Providence, RI

Activities after On-Site Review

• If needed, revise conclusions and discuss with management
• Discuss initial conclusions and suggested ratings with regulatory personnel
• Finalize the rating by documenting IT conclusion comments
• Coordinate with regulatory personnel regarding the final wrap-up meeting with the institution

IT-RMP Rating Guidelines

• Formally, under the IT-RMP, examiners assign only a URSIT composite rating at the conclusion of the examination, using the FFIEC rating definitions
• However, with the new InTREX, composite and component ratings are issued based on the FFIEC rating definitions:
  – Audit
  – Management
  – Development and Acquisition
  – Support and Delivery
  http://ithandbook.ffiec.gov/it-booklets/supervision-of-technology-service-providers-(tsp)/appendix-a-ursit/composite-ratings-definitions.aspx
• The composite rating, which reflects the effectiveness of a company's IT risk management practices, shall consider the effectiveness of management's information security program
