Overview
Physical access to bank facilities is tightly controlled and managed by the Corporate Security and Risk Department. The services performed by a third party may require that an access device (card/key) be issued to employees of the third party. The Vendor Relationship Manager (VRM) is the associate who contracts with and manages the third party relationship and is responsible for ensuring the process and contract language are appropriate for the risk posed by the third party. This article will guide the VRM to ensure this risk is effectively mitigated.
Contracts and Vendor Agreements
Vendor agreements and contracts with third parties should address and mitigate the risks posed by the issuance of access devices. Include the language below in such agreements:
"Vendor shall follow the bank's processes regarding employees and subcontractors that will be given access devices permitting entry into a facility. Process includes:
(i) Access device (card/key) is issued to a named employee or subcontractor and cannot be shared or reissued to any other individual.
(ii) Vendor must notify the bank immediately upon termination of any employee or subcontractor that has been issued an access device and must retrieve the device.
(iii) Vendor is liable for cost of replacing the access device is lost or stolen.
(iv) Vendor will follow the bank's process to maintain a list of current employees and/or subcontractors."
Any deviations to this language must be approved by the Chief Information Security OFficer prior to execution of the contract.
Vendor Access Lifecycle
Read through the accordions below to learn about vendor access beginning to end, and the steps to take at each stage.
Determine Access Needs
Third parties that require access to Capital City Bank (CCB) facilities after regular business hours may need to be issued an access device. These types of third parties typically perform after hours services when associates are not present, and need to disarm alarms to work. (For example: working on or replenishing cash for ATMs and ITMs.)
Prior to issuance of the access device, the VRM needs to determine the time period appropriate for the third party.
- The time period should be limited to only what is required.
- Corporate Security and Risk can assist with this determination.
Identification of Third Party Employees and Getting Access Devices
The VRM is responsible for completing the following:
- Obtain an initial list of the third party vendor's employees and the CCB facilities where each employee will need access.
- Complete a Building Card Access Request form. For vendors both the Standard AND Non-Standard Access Request sections must be filled out.
- E-mail the request form to _Corporate Security.
Corporate Security processes the request, and works with the VRM to get the access device to the third party.
Note: If you have trouble filling out the form, or have any questions e-mail _Corporate Security.
Maintenance of Third Party Access
It is important to maintain accurate and current information on third party employees who are issued access devices for CCB facilities. The language in the vendor contract states:
“Vendor must notify the bank immediately upon termination of any employee or subcontractor that has been issued an access device and must retrieve the device.”
- The VRM is notified by the vendor of a terminated employee:
- Send an e-mail to _Corporate Security to alert them the employee is terminated and access needs to be removed.
- Note: The access device can be reissued to a new employee when a new access request form is received.
- VRMs cannot solely rely on the third party to notify CCB of employee changes. The following process must be implemented to ensure current information is maintained.
- Corporate Security and Risk periodically provides the VRM with a report of all access devices issued to a third party vendor.
- This is sent either monthly or weekly, depending upon the turnover of the third party employees.
- The VRM sends the report to the third party for confirmation and any needed changes.
- The changes are reported back to _Corporate Security.
- Note: The VRM is responsible for maintaining accurate documentation of this process.
- Corporate Security and Risk periodically provides the VRM with a report of all access devices issued to a third party vendor.
Emergency Access
If emergency access is needed:
- Contact Corporate Security and Risk.
- Once the emergency situation is resolved, submit the Building Card Access Request form.