Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC’s Physical Security Risk Management Process

Tuesday, April 9, 2019

The Office of Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC) issued an evaluation report to determine the extent to which the FDIC’s physical security risk management process met Federal standards and guidelines.

The FDIC employs approximately 6,000 individuals and has about 3,000 contractor personnel who conduct their work at 94 FDIC-owned or leased facilities throughout the country.  FDIC facilities house highly sensitive banking and personally identifiable information, mission-critical systems, and valuable equipment.  The FDIC must ensure its employees, contractors, resources, and assets are safe and secure.

In 1995, the President issued an Executive Order which created the Interagency Security Committee (ISC).  This Committee has issued Government-wide standards, policies, and best practices applicable to all buildings and facilities occupied by Federal employees for non-military activities.  The ISC standards provide a structured methodology for helping to ensure the safety of employees, contractors, and facilities by assessing facility risk, assigning facility security levels, and determining whether implemented countermeasures effectively mitigate risk.  The FDIC adopted the recommended minimum security standards issued by the ISC for all FDIC facilities where practical. 

Our evaluation determined that the FDIC had not established an effective physical security risk management process to ensure that it met ISC standards and guidelines.  While FDIC management has indicated that there have been no major incidents or threats to any FDIC facility over the past 10 years, we found that the FDIC’s physical security risk management process needed improvement:

  • The FDIC had not developed adequate policies and procedures, quality control standards, training requirements, or record keeping standards.  FDIC officials responsible for the Physical Security Program had not emphasized compliance with the ISC standards, and instead placed priority attention on other security initiatives. 
  • The FDIC did not conduct key activities in a timely and thorough manner for determining facility risk level, assessing security protections in the form of countermeasures, and mitigating and accepting risk.  
  • The FDIC did not adequately address countermeasures or track recommendations for minimum security protections.  At some facilities, these countermeasures remained outstanding for more than 4 years, and in some cases, the FDIC could not provide the resolution status of recommendations.
  • In certain instances, the FDIC was not able to provide justification for significant expenditures for countermeasures beyond recommended security protections. 
  • The FDIC had not developed goals and performance measures to help ensure its physical security program was effective. 

Our evaluation did not assess the safety of FDIC personnel and its facilities.  Nevertheless, without a more robust physical security risk management process, the FDIC cannot be certain that it has taken appropriate and cost-effective measures commensurate with risk and aligned with ISC standards.

We made nine recommendations to address the weaknesses in the FDIC’s physical security risk management process; the FDIC concurred with these recommendations.  We believe that the planned corrective actions are significant undertakings by the Agency and, once implemented, are likely to achieve important improvements in the efficiency and effectiveness of its risk management process for physical security.
