Ask the Expert

FFIEC security requirements: Physical security management and logging

Do the FFIEC security guidelines require banks to keep physical security logs, i.e., logs of people entering and exiting the building, or are logs required only for technological processes?


For background, the FFIEC is the Federal Financial Institutions Examination Council. It is a formal organization of the United States government that regulates and oversees financial institutions.

The question, specific to the FFIEC security guidelines (.pdf), asks whether physical security management logs are necessary for all personnel entering and exiting the building.

Don't forget the FFIEC security guidelines only apply to customer non-public personal information.

In the FFIEC IT Examination Handbook (.pdf), dated July 2006, there is an explicit statement regarding physical access to secured areas:

"The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises". (Pages 52-55)

Therefore, based on the above quote from the Examination Handbook, it is necessary to keep physical security logs of visitors who enter secured areas. However, if you use a badge system that requires a key card to enter the facility, you can configure the key card access control system to maintain a log of those who have accessed a room. Keeping accurate logs, though, requires that there be no piggybacking: each person entering a room or zone must card in only for him or herself, without holding the door for anyone else, and thus be logged electronically. This requirement can be included in your security policy and enforced with a guard or video camera.

This was first published in May 2010
