The physical security risk management process at the federal insurer of bank deposits needs improvement, specifically regarding policies and procedures, quality control standards, training and recordkeeping, a new report issued Tuesday states.
Nine recommendations are made in the report to address the shortcomings; the agency has written that it concurs with all of them and plans to address them by year’s end, the report states.
The report, issued by the Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General (OIG), concludes that the agency has not established an effective physical security risk management process that would meet standards and guidelines set by the federal government’s Interagency Security Committee (ISC). That group issues standards, policies, and best practices to enhance the quality and effectiveness of security in non-military federal facilities, the OIG said.
“While FDIC management has indicated that there have been no major incidents or threats to any FDIC facility over the past 10 years, we found that the FDIC’s physical security risk management process needed improvement,” states the report, titled The FDIC’s Physical Security Risk Management Process.
Specifically, the report states, the agency had not developed adequate policies and procedures, quality control standards, training requirements, or recordkeeping standards. “FDIC officials responsible for the Physical Security Program had not emphasized compliance with the ISC standards, and instead placed priority attention on other security initiatives,” the report states.
The report outlined a number of instances of security practice shortcomings by the agency, including:
- The agency “frequently did not document its decisions regarding facility security risks and countermeasures, and such decisions were not guided by defined policy or procedure.” Instead, the report states, FDIC officials relied on a few experienced employees to make important decisions regarding physical security risks and countermeasures at facilities. Without documentation of these decisions, FDIC executives and oversight bodies were unable to fully consider and review them.
- The FDIC did not conduct key activities in a “timely or thorough manner for determining facility risk level, assessing security protections in the form of countermeasures, mitigating and accepting risk, and measuring program effectiveness.” Collectively, the report states, the weaknesses limit the agency’s assurance that it meets ISC standards for physical security over its facilities.
- The agency did not conduct facility security assessments (FSAs) in a timely manner for 58% of FDIC facilities sampled. “In three instances involving high-risk facilities at the FDIC Headquarters locations, the FSAs were delayed almost 2 years,” the report states. “For one of its medium-risk facilities, the FDIC had begun, but had not completed, an assessment more than 2½ years after the FDIC had occupied the leased space. Further, the FDIC’s assessments did not adequately address certain risks or countermeasures identified.”
The report states that it makes nine recommendations to address weaknesses in the agency’s physical security risk management process, including: enhancing policies and procedures; implementing quality control practices; training employees; reviewing security level determinations; conducting thorough assessments; tracking recommendations for appropriate countermeasures; documenting risk mitigation alternatives and approvals to accept risk; and establishing performance goals and measures.
“In a written response to the report dated April 2, 2019, the Chief Operating Officer and Deputy to the Chairman concurred with all nine recommendations,” the report states. “The FDIC plans to complete actions to address the nine recommendations by December 31, 2019.”
FDIC OIG report: The FDIC’s Physical Security Risk Management Process