In recent years, bank examiners have also been taking deeper dives into physical security, especially during Gramm-Leach-Bliley Act (GLBA) exams. Therefore, physical security programs should be based on accepted industry standards and must focus on complying with pertinent banking regulations (e.g., Bank Protection Act, GLBA, etc.).
It is more important now than ever that physical security programs are proportionately scaled to ensure that banks are well-positioned to manage these threats and regulatory scrutiny.
Strategic Risk Assessment
The first step in assessing a physical security program is to complete a strategic risk assessment of your entire organization. The assessment should provide a comprehensive view of the bank’s position in the local as well as the global threat environment. (Even small and regional banks are now susceptible to global events, including geopolitical disruptions and foreign espionage). The goal is to identify physical security threats and areas where your organization might be vulnerable. A proper risk assessment supports strategic planning, resource prioritization, organizational design, executive support, and stakeholder engagement; it forms the foundation of an innovative security program.
Physical Security Program Assessment and Gap Analysis
Using what you learned from the strategic risk assessment, an assessment and gap analysis of your physical security program can be more effectively completed. Start by answering the following questions:
- Does the program contain key components that address security risks identified during the risk assessment? Some examples of key components include risk assessment requirements, incident management, training requirements, executive security, insider threat, travel security, security requirements for branches, ATMs, and buildings,
- Does the program consist of written policies, procedures, and standards? Compile a list of existing documents and identify policies, procedures, and standards that are missing and need to be developed. During this exercise, consider how the lack of a procedure or standard could adversely impact the security team’s ability to conduct tasks or to apply security measures consistently.
- Are physical security standards comprehensive, based on industry best practices and in line with regulatory requirements? Do the standards address bank branches, ATMs, operations centers, and headquarters buildings? Physical security standards are an important part of the overall physical security program, ensuring consistent levels of protection and risk-based application of security systems, devices, and enhanced security measures. They support defensible business cases for security during new construction, renovations, acquisitions and when seeking to update security technologies. Consistent standards can help reduce crime, and the risk of litigation and support compliance with regulatory requirements, e.g., the Bank Protection Act, GLBA, etc. The development of physical security standards can be time-consuming and is often put on the back burner of things to do.
- Are there policies, procedures, and standards with which your bank is not complying? If so, what are the reasons for noncompliance? Is it that they are outdated, poorly written or lack buy-in from stakeholders? These should be categorized for appropriate action.
The Physical Security Policy
Finally, a physical security policy is needed. This policy does not need to be prescriptive but rather should serve as the overarching framework of your organization’s physical security program. The policy should consist of brief summaries of the program’s components along with the policy requirements for each. The policy should specify governance processes to ensure that the policy, along with related standards and procedures, are reviewed annually to address material changes, and areas of non-compliance, and to add new components as your bank’s security program matures. Policies should also be approved by the board of directors or designated committee in compliance with the Bank Protection Act.
Conclusion
Depending on the current state of your security program, these recommendations can be challenging and time-consuming. While larger banks sometimes have the resources to manage this in-house, others leverage the resources of third-party consultants to conduct independent program reviews. The primary objective, either way, must be to ensure a physical security program that is holistic and fit for purpose that will bring credibility to the security team, mitigate risks, provide guidance to employees, and position your bank for favorable regulatory exam results.
This post was originally published on 3rd party site mentioned in the title of this site