I think you have to evaluate your location and who has access to this equipment and items. I agree, I think it is a wise practice to keep these areas locked or at least not easily accessable to customers/couriers/employees who do not need to be there. Also, consider the Safeguards Rules under Gramm-Leach-Bliley. Knowing that 'every reasonable...foreseeable threat' to unauthorized access (be it computer intrusion or physical intrusion) is addressed certainly will fair better in your Regulators eyes. If your bank chooses not to place these areas under lock at all times, make sure you've done a thorough risk analysis with documented reasons WHY IT'S NOT NECESSARY to do this. That's what they like to see, you've acknowledged the risk, evaluated the risk, and made a business decision based on that risk...hope this helps