Controls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc.

August 2006
Report No. 06-016


FDIC OIG, Office of Audits

Background and Purpose of Audit

In carrying out its mission, the FDIC creates and acquires a significant amount of sensitive information. Much of this information is required to be protected by federal statutes and regulations. It is, therefore, critical that the FDIC implement appropriate controls when disposing of sensitive information to prevent an unauthorized disclosure that could lead to potential legal liability or public embarrassment.

The FDIC's Division of Administration (DOA) has overall responsibility for the FDIC's records management program, including the disposition of official hardcopy and electronic records no longer needed to conduct business. In 2000, DOA awarded a contract to Iron Mountain, Inc.® (Iron Mountain) for nationwide records management services, including the disposal of sensitive FDIC records. The FDIC's headquarters offices disposed of approximately 168,000 pounds of sensitive and non-sensitive records from July 2005 through February 2006, primarily due to consolidation of headquarters office space.

The objective of the audit was to determine whether the FDIC has adequate controls for ensuring the secure disposal of sensitive information by Iron Mountain. The audit focused on the disposal of information contained in shredder bins and consoles provided by Iron Mountain for the FDIC's headquarters offices.

FDIC, Federal Deposit Insurance Corporation

Results of Audit

The FDIC established a number of key controls to ensure the secure disposal of sensitive information by Iron Mountain. Such controls include a corporate policy on records disposal; policies and procedures related to contractor integrity, fitness, and background investigations; and contractual requirements governing the destruction of information. In addition, no instances of unauthorized disclosure or use of sensitive FDIC information came to our attention during the audit. However, as reflected in the table below, the FDIC needed to improve its oversight of the Iron Mountain contract to ensure that controls designed to safeguard the disposal of sensitive information were effectively implemented. We also identified certain other matters relating to subcontractor costs and agreements and the identification of the FDIC's records management contractors that warrant management attention.

Controls for Safeguarding the Disposal of Sensitive Information

Control                                                    Establishment of Control   Implementation of Control
Independent Audits and Trade Certifications                Needs Improvement          Needs Improvement
Integrity, Fitness, and Custody of Sensitive Information   ✓ *                        Needs Improvement
Background Investigations                                  ✓                          Needs Improvement
Authorization of Contractor Personnel                      ✓                          Needs Improvement
Supervision of Records and Media Destruction               ✓                          Needs Improvement
Certificates of Destruction                                ✓                          Needs Improvement
On-site Inspections of Disposal Operations                 ✓                          Needs Improvement

* A checkmark (✓) indicates that the control is in place.

Recommendations and Management Response

We recommended that the Director, DOA:

  • Consider the results of independent operational audits and recognized trade association certifications before approving disposal firms.
  • Require all firms providing records disposal services on behalf of the FDIC to comply with FDIC acquisition policies and procedures.
  • Establish clear expectations regarding contractor and subcontractor oversight for contracted records management services.
  • Perform periodic site inspections of firms providing records disposal services.
  • Ensure that subcontractor invoices and agreements are consistent with FDIC policy and the Iron Mountain contract.
  • Identify all firms providing records management services for the FDIC.

DOA management's comments and planned actions were responsive to the recommendations.

Last updated 9/22/2006