With all the emphasis on technology and on access to our customer data from the internet, it is important to be reminded of some of the basics of old-fashioned, old-economy physical security. Our branches, departments, and files have to be protected from unauthorized entry by good key control and adequate after-hours premise alarm systems. Inadequate control can lead to mysterious disappearances of cash and files, destruction of property, theft of physical assets, and improper access to customer information.
Key control is an important, if not a major, control and security issue. Your Information Security Risk Assessment required under GLB should address this concern. Important keys such as the front door key, dual custody cabinet keys, and vault keys should be under strict control. A periodic audit is necessary. The basic elements of good key control include the following key records:
Master Key List: Create a master list of all important keys. This list should include the total keys by key type or number, the total assigned to employees, and the total in dual custody. Keys assigned and those in dual custody should agree to the total keys.
Employee Key List: Each employee should have a key sign-out sheet that tracks that employee's keys. This enables the department to recover all keys from terminating employees.
Dual Custody Key List: Keys in dual custody should be documented by key type and agree to the Master Key List.
You will notice that I speak about tracking important keys. It is not necessary in my opinion to track every key in the Bank. Many are inconsequential. Determine which are the most critical keys and track those with a vengeance.
The next important issue with keys deals with the individual control of keys. A branch manager who had the key portion of the vault key/combination entry had a habit of leaving his keys in his unlocked desk. One day, when he was out on a customer call, an employee with the combination half accessed his keys and stole a number of negotiable instruments. Instruct your employees to keep positive control of their keys during new hire briefings and during security training.
Once an important key is lost or missing, you should immediately change that key and lock. This is especially true if your department or branch does not have an after-hours premise alarm system, which many branches do not. After-hours access to a branch without an alarm cannot lead to a cash loss, but there is the possibility of theft of property, malicious destruction of the premises, and access to or destruction of the network server.
A key to success in physical control is to have positive control over your keys.
-----------------------------------------
Gene Bucciarelli, MBA CPA is the principal of Internal Control Systems, a community bank auditing and consulting firm. He can be reached at genebucc@aol.com and 925.828.7360.