FDIC OIG, Office of Audits
Background and Purpose of Audit
In carrying out its mission, the FDIC creates and acquires a significant amount of sensitive information. Much of this information is required to be protected by federal statutes and regulations. It is, therefore, critical that the FDIC implement appropriate controls when disposing of sensitive information to prevent an unauthorized disclosure that could lead to potential legal liability or public embarrassment.
The FDIC’s Division of Administration (DOA) has overall responsibility for the FDIC’s records management program, including the disposition of official hardcopy and electronic records no longer needed to conduct business. In 2000, DOA awarded a contract to Iron Mountain, Inc.® (Iron Mountain) for nationwide records management services, including the disposal of sensitive FDIC records. The FDIC’s headquarters offices disposed of approximately 168,000 pounds of sensitive and non-sensitive records from July 2005 through February 2006, primarily due to consolidation of headquarters office space.
The objective of the audit was to determine whether the FDIC has adequate controls for ensuring the secure disposal of sensitive information by Iron Mountain. The audit focused on the disposal of information contained in shredder bins and consoles provided by Iron Mountain for the FDIC’s headquarters offices.
Results of Audit
The FDIC established a number of key controls to ensure the secure disposal of sensitive information by Iron Mountain. Such controls include a corporate policy on records disposal; policies and procedures related to contractor integrity, fitness, and background investigations; and contractual requirements governing the destruction of information. In addition, no instances of unauthorized disclosure or use of sensitive FDIC information came to our attention during the audit. However, as reflected in the table below, the FDIC needed to improve its oversight of the Iron Mountain contract to ensure that controls designed to safeguard the disposal of sensitive information were effectively implemented. We also identified certain other matters relating to subcontractor costs and agreements and the identification of FDIC’s records management contractors that warrant management attention.

| Controls for Safeguarding the Disposal of Sensitive Information | Establishment of Control | Implementation of Control |
| --- | --- | --- |
| Independent Audits and Trade Certifications | Needs Improvement | Needs Improvement |
| Integrity, Fitness, and Custody of Sensitive Information | ✓ | Needs Improvement |
| Background Investigations | ✓ | Needs Improvement |
| Authorization of Contractor Personnel | ✓ | Needs Improvement |
| Supervision of Records and Media Destruction | ✓ | Needs Improvement |
| Certificates of Destruction | ✓ | Needs Improvement |
| On-site Inspections of Disposal Operations | ✓ | Needs Improvement |

✓ Indicates that the control is in place.

Recommendations and Management Response
We recommended that the Director, DOA:
- Consider the results of independent operational audits and recognized trade association certifications before approving disposal firms.
- Require all firms providing records disposal services on behalf of the FDIC to comply with FDIC acquisition policies and procedures.
- Establish clear expectations regarding contractor and subcontractor oversight for contracted records management services.
- Perform periodic site inspections of firms providing records disposal services.
- Ensure that subcontractor invoices and agreements are consistent with FDIC policy and the Iron Mountain contract.
- Identify all firms providing records management services for the FDIC.
DOA management’s comments and planned actions were responsive to the recommendations.