We at FEE INC were recently retained to perform our Business Security Audit and ReviewSM (BSAR) for an international bank, located in the Caribbean. The BSAR is a detailed overview of the security position of a business, and covers risks and threats the business may face, and recommends how to manage and mitigate those risks and threats. We surveyed for the bank their functional areas of physical security, financial data security, and personnel.
The bank was drowning in paper. Their conference room was full of papers and file cabinets. The kitchen area was full of computer printouts bound together. The basement was filled with paper. Two makeshift overhead storage areas were filled with paper. The electrical closet was filled with computer paper printouts. Some of the papers were stored overhead in a makeshift 2nd floor. This makeshift floor was deforming under the weight of the papers. In some of the rooms, the paper records physically blocked the fire exits for that side of the building!
The records stored in the basement were piled on the floor and on the a/c ductwork. The records on the floor had been damaged by water and silverfish and the records crushing the ducts were restricting the air flow.
A binder filled with paper shifted, slid to the side, and came to rest on the phone connection board, shorting out half of the telephone lines for the bank. While no permanent damage was done, it cost $700.00 for the telephone repairman to find and fix this.
The papers were stored in the electrical closet were in danger – imminent danger – of sliding over and landing on a lead / acid battery used for starting the generator that ran the backup power supply. Sulfuric acid on paper can cause it to burn, and the metal binders could easily short the uncover battery terminals and ignite the paper attached to the binders.
They were in Paper-Hell because the bank’s internal policy required them to keep paper records, even though they had imaged back-ups, with the imaged back-ups kept both on-site and in a second, off-site location. They had apparently never read the article in AEGIS about records retention policies.
We, however, had, and our recommendation for the bank was to work with the auditors and regulators and come up with a records retention policy they could all live with. It had become a matter of actual safety for the bank and its employees.
The final outcome? Well, they now have to keep only about half of what they were storing. As it turned out, some records required to be kept were those with water damage and chewed on by many generations of silverfish. Fortunately, the bank’s imaged documents covered these documents.
The conference room has been reclaimed, the fire exit doors cleared, the power and telephone closets cleared, the makeshift storage was reinforced, and now allows permanent storage for the smaller number of records the bank has decided it must keep.