It seems to me that the room that contains the proof machine, checks and other source documents should be locked all of the time. That is how I have seen it done in the past. I am experiencing resistance to this concept. Is there a law, reg, guidance or something that requires this room to be locked?
What does your organization do? Or am I just being picky?
By the way, customers and couriers can pass by this room.

Thank you,
D

I can't think of any law or reg, but I would say it's a must-have control. You could do a poll here and present it! Or, maybe your external auditors would back you up?

Hey Big Bad,

How do you go about doing a poll?

D

Heck, I don't know. That was only my 6th post!

Actually I htink when you create a thread it gives you that option at the bottom.

Is it picky to insist that the proof machine room be locked?
Also, please indicate your bank size. We're small.

D

Dawg, I think you have to CREATE a thread. I'll give it a shot.

We have ours locked at all times. You don't want just anyone have access to these items.

Ours is not locked, but customers and couriers do not have access to it.

However, our computer/IT room is locked if left unattended, and it is very close to the proof room.

The last time the FDIC looked at our proof area, they were very interested in who had access and if they really needed access. We had magnetic badge access that recorded everyone entering and had digital cameras to record the area.

I think you have to evaluate your location and who has access to this equipment and items. I agree, I think it is a wise practice to keep these areas locked or at least not easily accessable to customers/couriers/employees who do not need to be there. Also, consider the Safeguards Rules under Gramm-Leach-Bliley. Knowing that 'every reasonable...foreseeable threat' to unauthorized access (be it computer intrusion or physical intrusion) is addressed certainly will fair better in your Regulators eyes. If your bank chooses not to place these areas under lock at all times, make sure you've done a thorough risk analysis with documented reasons WHY IT'S NOT NECESSARY to do this. That's what they like to see, you've acknowledged the risk, evaluated the risk, and made a business decision based on that risk...hope this helps

That's actually very helpful. Management has listed what they consider to be mitigating controls and appear willing to take the risk.

I'll check out the GLBA angle.

Still interested in getting more poll input.

D

We are a small, community bank and we keep our proof room and computer room locked. Only certain employees have access to these rooms. Our Security Officer maintains a list of employees with access to the rooms.