4 minutes
Best practices for physical protection of CU facilities
While cybersecurity concerns, controls and programs may be top of mind within credit unions and during many board discussions, it is important that physical security items for credit union facilities not be overlooked. Protecting employees, members and assets, while under our roofs, is something we need to regularly review and update. In this article, we’ll examine a number of best practices credit unions can use for facility physical protection.
In its role of providing governance over credit union operations, the board of directors is responsible for providing direction on facility security and monitoring management’s compliance with this direction. To this end, the board needs to ensure:
- physical security guidance is available in the form of written policies, standards and procedures;
- audits are undertaken to confirm compliance with written guidance; and
- policies, standards, and procedures are routinely reviewed and updated for changes in risk.
For management, an important aspect of facility security is to designate specific roles and responsibilities for security items. Depending on size, number and distribution of branch offices, a facilities manager, individual branch managers, or a combination of both may be the right fit to take responsibility for branch security. Within each office, individual managers and staff should understand their responsibilities under various situations.
With respect to suspicious activity, it is important the credit union have a training program to ensure all employees understand their duties and responsibilities for reporting suspicious activity and responding to threatening situations. Beyond just “what to do if there’s a robbery,” security training should also include:
- fire and other natural (earthquake, tornado, hurricane, etc.) events. Employees should have a clear understanding of what to do, where to go and how to handle members in these situations.
- how to operate and what types (A,B,C,D,K) of fire extinguishers are appropriate for various fires (paper, electrical, oil/gas).
- bomb threats
- training and drills on “active shooter” situations if appropriate, depending on where the facility/branch is located.
The credit union should have forms available for employees to describe suspicious individuals, vehicles and events. And just as credit unions have found a centralized examination of suspicious transaction activity has led to greater control over transaction fraud, centralized examination and logging of suspicious activity at and around offices can lead to greater knowledge and better prevention of physical threats. Patterns or trends should be reported to upper management and the board of directors.
Within the credit union’s facilities, a number of important security considerations need to be examined and provided for. Here are a few examples:
- Emergency exit routes and doors need to be clearly labeled. If doors are alarmed, the alarms must be tested regularly.
- Where applicable, mounted battery-operated emergency lights should be provided. Purchased flashlights should be placed in clearly labeled strategic locations. Batteries for mounted lights and flashlights should be tested regularly and replaced as needed.
- First aid kits should be located in clearly labeled locations. The inventory of these kits should be checked regularly and any old/expired items replaced.
- If deliveries are made to a common (public) area, they should not be left there for an extended period. Packages should be examined based on U.S. Post Office guidance on suspicious mail and packages, and promptly moved to a more secure location.
External security is just as important. Here are a few examples:
- Electrical transformers, gas lines/meters, or water line/meters on or entering the credit union’s facilities should be secured. If they are potentially in the path of a run-away vehicle, concrete barriers or bollards should be used (be sure to contact your utility companies before installation). In addition, appropriate credit union personnel should receive training on turning off these items in the event of an emergency.
- Appropriate “security screws” should be used, and common flat and Philips-head screws should be avoided on door latch protectors, door security plates, window security bars and ventilation grates.
- For external lighting needs, surveys and examinations should be done at night to note areas where lighting is needed. For areas where continuous (always on) lights may not work, consider motion-activated lights.
- As with lighting, outside cameras should be checked and evaluated during night and low-light conditions. A camera with a clear picture during regular business hours may be of no help after dark.
The credit union should create checklists and logs to verify security controls continue to work as designed and desired. Regular audits can assure appropriate checks, updates, and maintenance work is performed.
Properly managed, physical security controls work to keep the credit union a safe and sound facility for employees and members.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insights to CUs on information technology governance, information security, and technology risk management.