Implementing Effective Visitor Management Part 3 – Visitor Escorting
Within a security design and policy statement, everything should be based on the Security Risk Assessment and Design Basis Threat which enables us as security professionals to deploy protective security measures that are proportional and effective, without being overly obstructive.
Risk and Policy
Making the decision to require visitors to be escorted clearly does introduce a extra complexities and work, however this could be fully justified with the risk that visitors may pose.
Visitor escorting protocols are usually included in an access management policy document which also includes physical access control and materials management to mitigate identified risks.
It’s best practice that visitors should only be escorted by employees. Contractors or other visitors should never be authorised to escort, under any circumstances.
Once the decision has been taken to require visitors to be escorted, it is important to determine whether visitors are required to be escorted everywhere, or only in more sensitive areas. Practical considerations also need to be made in terms of allowing visitors access to tea and coffee making or toilet facilities.
Background and Identity Checks
If basic background checks need to be made on people visiting, this will mean visitors will need to be pre-enrolled and notified to security in advance of their visit.
It may also be necessary to require the visitor to bring with them a passport or government issued identity card will also ensure that the identity of the visitor can be positively confirmed prior to allowing them access to the facility.
Site and Access Design Considerations
Access Design Model
When designing physical security, there are two main design models, Exclusion by Exception or Admission by Exception. Typically a site that requires visitors to be escorted will primarily be operated under the Admission by Exception Model.
This model implements strict physical access controls to both building and perimeter, to ensure that only people with the specific authorization to gain access to site are able to do so, and have a genuine need to be on the site.
Visitor Access Routes
Visitor Access Routes need to be defined as to how a visitor needs to move around the site to get to a reception area to be greeted.
For highly secure sites, there may be a visitor reception building that is outside the perimeter of the site, the building could also straddle the perimeter fence, similar to the terminal building at an airport. Once visitors have signed in, they can be collected from the reception building by their host and taken to teh meeting location within the secure perimeter.
Larger or more complex sites, may require the host to collect the visitor by vehicle from the reception building outside the secure perimeter before driving through a vehicle control point to the meeting or work location.
To ensure effective access control and reduction in risks associated with visitors accessing parts of a facility, correctly identifying and labeling zones is critical.
Zoning involves dividing the site and building into smaller areas, and labelling each area with a specific risk level.
Once zones are defined, an access policy can be created for each zone which will determine who can gain access to an area, and how they identify themselves to the access control system.
Not all zones will apply to all sites, but here is a brief example of a zoning model that can be customised to suit any site or facility.
Anyone is welcome, no physical barriers to entry, this could be the defined perimeter to the site, or main car park outside the perimeter.
This zone could equally apply to pars of a building, for example, the lobby of a hotel. There are usually revolving doors to gain entry, but these are not locked, allowing anyone to gain access to the lobby area.
These areas require an invitation to gain access to them, there are a wide variety of available locations and discretion is required in terms of who can access these areas.
Open collaboration spaces could be meeting rooms within a corporate office environment. These may sit beyond the reception area, and therefore, require invitation to access but anyone with a legitimate business purpose can be invited into them.
These areas are only generally accessible to trusted individuals. Confidential areas are, by necessity private areas, individuals must have specific authorization to access them, and a visible form of identification, (such as an access control badge with a photo worn on a lanyard) must be displayed at all times.
This zone could be a more sensitive office area, such as the finance or Human Resources department where more sensitive information is used and stored.
These areas are only accessible to vetted individuals. Activities in these areas are deemed to be secret, with strict robust access control measures in place to ensure that only vetted individuals are able to gain access.
Computer rooms, executive suites and security control rooms would generally be classified as restricted and require strict control and vetting to gain entry.
Technical Surveillance in Confidential or Restricted Areas
Most modern smartphones, tablets and some laptop computers now come with internet connections meaning that they can connect to the internet from anywhere, nearly all of these types of devices also have at least one high quality camera.
Devices with cameras pose a security risk in that photographs of sensitive information could be obtained by visitors whilst in a restricted area, or could take photos of the building layout and security measures inside the buildnig.
This information would be of great value to persons or organisations interested in corporate espionage or hostile reconnaissance, gathering information on building layouts and security provisions to attack the facility at a future point in time.
If visitors are to be taken into highly restricted or sensitive areas, it is worth considering the introduction of a materials management policy where visitors are unable to take these devices into restricted areas.
This could be as simple as advising visitors in advance that they must leave devices in a locked car, or provide storage to allow visitors to deposit devices before entering into restricted areas.
Materials Management – Authority by Exception
The policy will also need to have a process that allows an employee, by exception to authorise a visitor to carry equipment into a restricted area as the equipment may be required for the visitor to complete their work whilst in the restricted area.
This authorisation should be recorded to provide an audit trail of any visitor who has taken devices into a restricted area to allow the investigation of any potential information security breaches.
How can the Access Control System Support Escorting Requirements?
Distinguish between different person types
Access Control Systems should be capable of distinguishing between different types of people, in this case, Visitors and Employees.
Link Visitors to hosts
The system should be capable of allowing an adminstrator to link a Visitor to an Employee who will act as the host for the visitor.
It should not be possible for any person type other than an employee to be able to act as the host for a visitor.
The access control system should not allow a visitor to be enrolled and given a card unless the person acting as their host has used their access control system to gain entry into the site – this reduces the risk of an employee being able to gain access to the site without an appointment.
If turnstiles or similar portals are used on site, the access control system should require that a visitor be granted access permissions for each access portal, but that they can only gain access through the portal if the employee nominated as their host has used their card to access the portal first.
Integration with document scanners
If the site requires that a visitor bring a passport or government issued identification document with them, consider using document scanners to read the information from the document to populate the access control system.
This will not only speed up enrollment and eliminate mistakes with spelling and data entry, it will also ensure that a receptionist can visually check the identity of the person prior to issuing them a card.
Question: Do you implement visitor escorting within your organisation? How is this supported by your access control system?
This is the third part of a multi-part series on Visitor Management, here are the first two posts in the series: