FFIEC security requirements: Physical security management and logging

In this expert response from Ernie Hayden, learn about FFIEC security requirements for creating physical security logs.

Do the FFIEC security guidelines require banks to keep physical security logs, i.e., logs of people entering and exiting the building, or are logs required only for technological processes?

For background, the FFIEC is the Federal Financial Institutions Examination Council. It is a formal organization of the United States government that regulates and oversees financial institutions.

The question, specific to the FFIEC security guidelines (.pdf), is trying to determine if physical security management logs are necessary for all personnel entering and exiting the building.

Don't forget the FFIEC security guidelines only apply to customer non-public personal information.

In the FFIEC IT Examination Handbook (.pdf), dated July 2006, there is an explicit statement regarding physical access to secured areas:

"The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises." (Pages 52-55)

Therefore, based on the above quote from the Examination Handbook, it is necessary to keep physical security logs of visitors who enter secured areas. However, if you are using a badge system, including requiring a key card to enter the facility, then you can configure the key card access control system to maintain a log of those who have accessed a room. Keeping accurate logs, though, would require that there be no piggybacking: that each person entering a room or zone must card only for him or herself, not holding the door for anyone else, and thus be logged electronically. This requirement can be included in your security policy and be enforced with a guard or video camera.
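The badge-log approach above only yields an accurate record if every passage is badged. A common way to check that from the log itself is an anti-passback review: an OUT swipe with no preceding IN swipe (someone was let in without carding) or an IN swipe while the badge is already recorded as inside (someone was let out without carding) points to piggybacking. The script below is an added example written for this answer, not code from the original response or from any access-control vendor; it assumes a constructed CSV export format (timestamp, badge id, zone, IN/OUT) and a reader on both sides of the door, and it also reports who the log says is currently inside each zone.

```python
"""Anti-passback and occupancy review over badge-reader events.

Added example; the event format and every badge id, zone and timestamp
below are constructed for illustration and do not come from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    ts: str         # ISO-8601 timestamp (sorts correctly as a string)
    badge: str      # badge / key card identifier
    zone: str       # secured area the reader protects
    direction: str  # "IN" or "OUT"


# Constructed sample export from a badge system (assumed format, made-up data).
SAMPLE_LOG = """\
timestamp,badge,zone,direction
2010-05-03T08:01:10,B1001,SERVER_ROOM,IN
2010-05-03T08:01:12,B1002,SERVER_ROOM,IN
2010-05-03T08:45:00,B1001,SERVER_ROOM,OUT
2010-05-03T08:46:30,B1003,SERVER_ROOM,OUT
2010-05-03T09:10:00,B1002,SERVER_ROOM,IN
2010-05-03T09:30:00,B1002,SERVER_ROOM,OUT
2010-05-03T10:00:00,B1001,SERVER_ROOM,IN
"""


def parse_log(text: str) -> List[BadgeEvent]:
    """Parse the assumed CSV export; the first line is a header."""
    events: List[BadgeEvent] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        ts, badge, zone, direction = [f.strip() for f in line.split(",")]
        if direction not in ("IN", "OUT"):
            raise ValueError(f"unexpected direction {direction!r} at {ts}")
        events.append(BadgeEvent(ts, badge, zone, direction))
    return events


Anomaly = Tuple[str, str, str, str]  # (timestamp, badge, zone, reason)


def check_antipassback(events: List[BadgeEvent]) -> Tuple[List[Anomaly], Dict[str, List[str]]]:
    """Replay events in time order per (badge, zone) and flag unbadged passages.

    Returns the list of anomalies and, per zone, the badges the log still
    shows as inside at the end of the replay.
    """
    inside: Dict[Tuple[str, str], bool] = {}
    anomalies: List[Anomaly] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.badge, e.zone)
        was_inside = inside.get(key, False)
        if e.direction == "IN" and was_inside:
            # Two entries with no exit between them: the earlier exit was not badged.
            anomalies.append((e.ts, e.badge, e.zone,
                              "entry while already inside: earlier exit not badged"))
        elif e.direction == "OUT" and not was_inside:
            # Exit with no badged entry: the person was let in without carding.
            anomalies.append((e.ts, e.badge, e.zone,
                              "exit without badged entry: possible piggyback in"))
        inside[key] = e.direction == "IN"

    occupants: Dict[str, List[str]] = {}
    for (badge, zone), is_in in inside.items():
        if is_in:
            occupants.setdefault(zone, []).append(badge)
    for zone in occupants:
        occupants[zone].sort()
    return anomalies, occupants


if __name__ == "__main__":
    found, roster = check_antipassback(parse_log(SAMPLE_LOG))
    for ts, badge, zone, reason in found:
        print(f"{ts} {zone} {badge}: {reason}")
    for zone, badges in roster.items():
        print(f"{zone} currently inside per log: {', '.join(badges)}")
```

On the constructed sample this flags B1003 leaving the server room without a badged entry and B1002 entering a second time without a badged exit; both are exactly the gaps a guard or camera review would need to reconcile. Run against a real export the same logic gives you a daily list of unbadged passages to investigate and a point-in-time roster to compare with the visitor sign-in sheet.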

This was last published in May 2010

