Visitor Management Part 2 – Managing Visitor Access Permissions
Once a visitor has been signed in and identified, we need to ensure that they can move around the building to facilitate the purpose of the visit.
The first question to ask is: do people actually need a card to move around the building?
The answer could simply be no if it is expected that visitors will be escorted at all times, but take into account how they will get access to facilities such as the coffee machine and the toilet.
If turnstiles are deployed to control access into or around parts of the building, then it’s more likely that a card will need to be issued.
Whilst it’s possible to use manually operated disabled gates to allow a visitor through, this negates the security value of the turnstile, i.e. to prevent tailgating and ensure that the card can only be used by the authorised card holder.
If the area with the turnstiles has permanent manned guarding, allowing a visitor through a disabled gate may be acceptable, but if there is no manned guarding, this is a bad idea.
What permissions does a visitor get?
Assuming the decision has been taken that visitors need cards to move around the building, the next question is how do we ensure that the visitor has the necessary permissions to carry out their visit?
One school of thought is that all visitors have access to all common areas by default, but this is dangerous if the cards themselves are not secured, as anyone could pick up a card from the reception desk and use it.
Do we necessarily want a visitor to gain access to all common areas? Maybe not.
Another option is to split the common areas into specific zones and assign each visitor access to a specific zone. If they need to go into a different zone, this can be added to the visitor's authorisations; if they need to gain access to a more restricted zone, an employee could escort them.
The most secure option is to provide a bespoke access profile to each visitor; however, this may be harder to manage manually, especially if the organisation does not require visitors to be registered in advance of attending site.
We also need to make sure that the permissions and card expire automatically once they are no longer required, to reduce the impact of someone not returning a card, either accidentally or deliberately.
One option is to set the expiry date for the person or card to the date that they are visiting; this ensures that at the end of that day, the person or card is automatically blocked.
Unless this can be automated and pre-programmed into the system, this option is dangerous as it requires someone to remember to do this when they input the visitor details.
The other option is to define the start and end date and time of the visit, for example, Monday 10th January, from 10am to 3pm. This option requires an extra step and more data entry initially, but increases security as the card will not work outside of these times, and will only work on the 10th January.
How are permissions applied?
Who determines where a visitor can go?
Is this defined in a security policy or is it a judgement that the person that enters the visitor information makes?
How is this managed and audited to ensure that someone is not giving excess permissions?
The smart way to do this is to define the security policy within the access control system and apply business logic rules to allow the system to automatically grant and revoke access permissions.
In this automation model, information about the visitor is added, for example, Mr Smith from Company A is meeting with Sales. The system can then apply the access permissions required to enter the Sales area.
This allows the organisation to define a policy that is applied consistently whilst still allowing flexibility. It also reduces the risk of human error or employee collusion.
What about verification?
Are there areas that a visitor will need to gain access to that require verification by a means other than a card, such as a PIN code or fingerprint?
Issuing PIN codes or enrolling biometric information can add extra layers of complexity to a visitor management scenario that are simply not necessary.
Consider whether the access control system can be configured to allow a visitor to gain access to a door without a secondary form of identification; alternatively, require that an employee escorts visitors in and out of these areas.
A third option is escort mode, which most access control systems can be configured to support. In this mode, the visitor does not need to enter a PIN code as long as their host (the employee) has passed through the same access portal within a short period, for example 2 minutes, as we can reasonably assume that the two people are together.
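The three rules discussed above (a visit window that expires the card automatically, zones derived from the host department rather than chosen at the desk, and escort mode at PIN-protected doors) can be combined into one access decision. The following is an added example written for this post, not the logic of any real access control product; the department names, zone names, card numbers and the year of the visit are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy (assumption for this example): host department -> zones a
# visitor hosted by that department may enter. Sales follows the post's example.
ZONES_BY_DEPARTMENT = {"Sales": {"Reception", "Sales"}, "Engineering": {"Reception", "Lab"}}
# Constructed: portals whose readers demand a PIN; visitors pass only under escort.
PIN_READERS = {"Lab"}
ESCORT_WINDOW = timedelta(minutes=2)   # the "short period" from the post

@dataclass
class Visitor:
    card_id: str
    host_department: str
    valid_from: datetime   # start of the visit (date AND time)
    valid_to: datetime     # end of the visit; the card is dead outside this window

@dataclass
class AccessSystem:
    visitors: dict = field(default_factory=dict)
    # portal -> time of the most recent employee pass through that portal
    last_employee_pass: dict = field(default_factory=dict)

    def register(self, v: Visitor) -> None:
        # Zones are derived from the host department by policy, not chosen by
        # whoever enters the visitor details, so the rule is applied consistently.
        self.visitors[v.card_id] = v

    def employee_pass(self, portal: str, when: datetime) -> None:
        self.last_employee_pass[portal] = when

    def decide(self, card_id: str, portal: str, when: datetime) -> tuple[bool, str]:
        v = self.visitors.get(card_id)
        if v is None:
            return False, "unknown card"
        if not (v.valid_from <= when <= v.valid_to):
            return False, "outside visit window"          # automatic expiry
        if portal not in ZONES_BY_DEPARTMENT.get(v.host_department, set()):
            return False, "zone not permitted for host department"
        if portal in PIN_READERS:
            last = self.last_employee_pass.get(portal)
            if last is None or not (timedelta(0) <= when - last <= ESCORT_WINDOW):
                return False, "PIN reader: escort required"
            return True, "escort mode: host passed within window"
        return True, "granted"

if __name__ == "__main__":
    acs = AccessSystem()   # Mr Smith, meeting Sales, Monday 10th January 10am-3pm
    acs.register(Visitor("V001", "Sales", datetime(2022, 1, 10, 10), datetime(2022, 1, 10, 15)))
    print(acs.decide("V001", "Sales", datetime(2022, 1, 10, 11)))    # granted
    print(acs.decide("V001", "Sales", datetime(2022, 1, 10, 15, 30)))  # expired
```

Note that the window check compares full timestamps, so a card registered for the 10th January is refused on the 11th even though the zone and host are unchanged.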
This is the third part of a multi-part series on Visitor Management; here are some of the other posts in the series: