Are You Running With Scissors?
Physical Security: What You Should Be Doing Now!
by BOL Guru Dana Turner
With the nation's current attention focused upon transmittable diseases and potential cyber attacks, it's important not to overlook critical physical security issues that may leave an institution vulnerable. If you're not taking adequate precautions in the physical security arena, you may very well be "running with scissors" when it comes to risk management. This is a basic article that addresses basic concerns. There's nothing fancy here -- just the components of a practical, effective physical security program.
The techniques that you develop not only need to deal with "terrorists", but also the "copycats" and other offenders who will attempt to exploit the current environment. Terrorists are simply thugs with a fancy name. And a thug is a person who wants to steal from you or to hurt you. Copycats are just thugs who don't even have an original thought.
There are several steps you should be taking, if you have not already done so. Look at the types of buildings that your institution needs to secure -- and what those buildings contain -- and concentrate your efforts on these priorities:
Employees and customers -- emphasizing personal safety issues;
Employees and customers -- emphasizing opportunities for potential compromise;
Third party vendors -- the potential ways that they can compromise you;
Offenders -- the potential ways that they can compromise you and hurt you; and
Assets and records -- both tangible and intangible.
You'll need to deal with the basic stuff first. A basic approach to facilities' compliance and their physical aspects is outlined in the Bank Protection Act (BPA). If you aren't even doing the basics, there's no sense in doing any of the more enhanced techniques, because there's no foundation to base them upon. In addition, examiners will focus first upon your compliance with the minimum BPA requirements.
The Risk Assessment
Start by conducting an initial risk assessment that identifies those people, places, and things that represent either direct threats or opportunities for compromise to your institution's security. In terms of facilities, physical security issues focus upon the locations that your institution either owns, rents, manages or controls. Then establish risk assessment priorities based upon safety, security, business practices, and policies.
Next -- develop a methodology that capitalizes upon your initial assessment process to make this an easy-to-manage and continuing process. Using the priorities already described, the examples below will help you focus upon the most important facets of physical security.
Employees and Customers -- examples of personal safety enhancements include:
Providing two "safe" rooms, one room to isolate employees from attack and another room for receiving, opening, and distributing items from a delivery service;
Placing cameras in all sensitive areas, including your executive offices, delivery platform, information systems area and any employee parking lot, and making certain that the recorded images are stored in a secure place; and
If it's appropriate, hiring specially trained security guards to work at sensitive locations.
Employees and customers -- examples of methods for reducing the potential for compromise include:
If you still use metal keys (conventional lock sets), upgrading to electronic access devices such as "swipe cards" or proximity devices; and
Using electronic access devices, restricting access to secure locations based upon a demonstrated need.
Third party vendors -- examples of methods for reducing your exposure to potential compromise include:
Conducting initial and continuing background investigations, particularly on those persons who have unrestricted access (janitors) or who work as temporary employees (data entry clerks) on contract;
Properly securing data, negotiable documents and physical records in restricted areas within a facility; and
Properly securing all equipment and computer programs to prevent sabotage.
Offenders -- examples of ways to counter the methods they use to compromise you and hurt you include:
Installing enhanced lighting to prevent the kidnapping of an employee from the institution's parking lot;
Upgrading alarm systems to prevent a "morning-glory robbery" because of improper opening procedures;
Placing motion sensors in ceiling crawl spaces;
Putting both heat and motion sensors in and on each vault or safe;
Securing all publicly-accessible containers (trash receptacle) within the facility to prevent a bomb from being placed; and
Checking any area that is open to the public (such as ATM kiosks attached to a cash handling facility or restrooms open to the public) for ceiling access into sensitive areas.
Assets and records -- examples of tangible and intangible security issues include:
Inviting in experts to review your facilities and processes, including security architects and professionals skilled in the CPTED (Crime Prevention Through Environmental Design) process;
Checking access to all terminal connections and power boxes -- internal and external -- and ensuring that they are locked appropriately; and
Removing employees from all ATM re-filling duties, replacing them with armored carriers.
Data Security: Special Considerations
Mary Beth and Michael Guard's recent article, "Physical And Digital Threats To Financial Institutions In The Wake Of The Terrorist Attacks" articulates the potential threats -- and proposed solutions to those threats -- to a financial institution's information capabilities. When it comes to the security procedures for buildings that contain paper and electronic documents and records, we can do any of the following things:
Restricting access to the building and the data;
Paying attention to the "invisible people" (people that are there with our permission but that we don't pay any attention to, because they're where they're supposed to be, doing what they're supposed to be doing);
Securing the actual documents, using appropriate means (such as securing paper documents in a simple lockable filing cabinet, and securing electronic documents using encryption technology); and
Considering the delivery mechanisms for electronic documents (for example, the location of the fax machine that receives wire transfer instructions).
The Crisis Management Plan
Take the results that you develop from your risk assessment exercise and turn them into a simple, workable Crisis Management Plan (CMP). The object of a Crisis Management Plan is to have brief guidelines for ensuring safety and security that may be used in any kind of an emergency. This Crisis Management Plan should also ensure the coordination between your institution's disaster recovery plan and security program.
In terms of any new changes or procedures you decide to implement, the next thing to consider is whether these measures should be permanent (policy -- with no expiration date) or temporary (alert memos with expiration dates). You will have to make business decisions about these issues and constantly monitor both real and potential threats.
The Training Program
Having policies, procedures, strategies and tactics that address physical security issues is ABSOLUTELY WORTHLESS without training appropriate people about when -- and how -- to use them. Failing to train employees regarding safety and security procedures is a common fault. Institutions seem to think that you train someone once and he/she is trained for life. If you've ever thought this, please read the next line carefully and think again:
Nobody ever gets it right the first time. It's the repeated exposure to the same information -- over and over again -- that causes a human being to learn!
So -- develop an initial and continuing training program for all of your employees, directors, and third-party service providers that addresses your solutions to the physical security issues you have identified. This training program should be delivered during the four stages of an employee's relationship with your institution:
At the time of orientation, to develop a firm security foundation and attitude;
When the employee is transferred to a new location and has to be re-oriented to his/her surroundings;
When an employee is promoted or changes job assignment and takes on new duties and/or responsibilities; and
When there is a significant change in the security environment. This may be the result of a permanent policy change (the installation of electronic access devices) or a temporary "fix" (altered mail opening procedures to deal with a specific short-term threat). The permanent policy reflects a board decision. The temporary solution, on the other hand, may be issued in memo form by any officer.
Remember to prepare written course outlines, lesson plans and training materials -- and document each training meeting and identify the employees who attended that meeting.
The Test
You should test your potential solutions to physical security threats before offenders test them. The simplest, easiest way to test the effectiveness of your physical security program is to assemble a "testing team". This testing team should be made up of operationally oriented executives, supervisors and staff personnel. There should be two persons in each category -- for a total team of six employees. Assign the team to test the identified security solutions periodically. Allow the team to use outside experts, such as professional hackers, law enforcement agencies, private detectives or a professional shopping service to test your physical security program -- within a controlled environment. Make certain that the team submits a written review after each test and that the team acts promptly to remedy the problems it identifies.
The Odds
Banking is one of the best examples of a gambling operation -- it's a crapshoot. Every day that you open the doors for business, you bet that you're going to keep more money than you lose. So take a lesson from a close cousin to a bank -- a casino -- and give "the house" better odds for keeping more of the money that you make.
These suggestions -- and the ones that you discover on your own -- may only reduce your loss potential by 1% each. This means, however, that if you identify and resolve 40 issues, you have reduced your likely loss potential by 40%. In other words, folks, it's a cumulative effort. This process doesn't demand that you know everything about your institution. It does require, however, that you make an honest (good faith) effort to determine your windows of vulnerability.
If these basic issues seem advanced to you, it's time that you educate yourself -- and your institution's key players -- about the potential risks that are likely to occur. The deadliest financial crimes are becoming those that are committed by savvy thugs with computers. By securing your facilities appropriately -- those buildings that provide a safe haven for employees and customers, and those that contain your critical assets and records -- you deny the thug the only thing that he/she really needs to hurt you: ACCESS.
Both BankersOnline and examining agencies' Web sites contain an abundance of templates and guides that will assist you in completing this process. If you belong to a peer network, your peers will likely have tactics that they can also share with you.
Copyright, 2001, Dana Turner, Security Education Systems, Inc. All rights reserved.