How to Manage Visitors
Visitors to your facilities come in many shapes and sizes. They may be business guests, employee family members or potential new hires arriving for an interview. Delivery personnel can range from uniformed USPS or FedEx drivers to bicycle messengers; they can be carrying food that has been ordered for a meeting or by an employee for lunch; they can be surprising an employee with flowers or a singing telegram. Contractor tradesmen can be scheduled to work on an interior construction project, to repair a copier, to clean a carpet, to install a new phone or to implement a new network in a sensitive IT server room. Some of these visitors may be regulars, and others may be first-timers.
Regardless of their access needs, all visitors need to be processed quickly, efficiently, accurately and with a sense of welcome and friendliness.
Although employees and building staff with a permanent building or company credential usually represent the majority of people entering a facility, visitors require a different type of processing to keep security at an optimum level. That optimum level often depends on the security profile of the host facility; and the assets (physical or intellectual) to which the visitor will need access.
Some facilities may require visitors to be pre-screened for identity and be escorted while on the premises; others may accept the presentation of a business card or a driver’s license from an appropriately dressed individual. Most visitor management strategies will range somewhere between these extremes and it is important for the security director to determine the appropriate level of implementation.
Crafting a Visitor Management & Security Plan
In all cases, there are four major elements that should be considered for well-managed visitor control:
1. Verification of Identity: Who is the person seeking access to the facility and can they prove that they are who they say they are?
2. Validation of the Visit: Does the person have a valid reason to visit the facility. Do they have a scheduled meeting with a trusted person within the facility? Is their host expecting them or prepared to accept a delivery?
3. Screening for Contraband: Do building or company policies require screening for weapons or explosives? After the 9/11 incident many commercial high-rise operations instituted the use of package x-ray and walk-through magnetometers for employees and/or visitors.
4. Control of Access from the building lobby to other areas within the facility. Is the visitor issued a badge? Can it be used at access control card readers? Are escorts required?
Before looking at different management strategies associated with each of these important security elements, there is some homework to be done and a myriad of questions to be answered. There are a number of options to consider, which need to be understood before addressing security solutions. Here is a checklist of the many considerations to make before implementing a visitor management plan:
- Building Occupancy. Is the building owner-occupied or are there multiple tenants? How much input is required from other tenants? Do their operations have an impact on security? For example, many wealth management and legal services firms would prefer no access or video records of their clients; on the other hand, government contractors may require auditable transactions.
- Security Level. What is the required security posture for this facility? Are security regulations mandated — for example, government entities and those subject to PCI compliance? To what level will the elements described above be implemented? Are corporate culture, security image and budgetary issues important, and to what extent? Will the level of security vary based on dynamic threat scenarios, for example a 9/11-type incident or a theft within the building?
- Visitor Volume. How many visitors per day need to be processed? What is the worst case, and when (day and time) does it occur? How will this be impacted by peak volumes of regular employees entering or exiting the lobby? What is an acceptable queuing or wait time for the visitors?
- Processing Time. What proportion of visitors can or will be preprocessed by the host? What proportion arrives in ones or twos or as groups (say, for training or presentations)? How long will it take to complete the processing in each of these scenarios? What impact will “exceptions” have on processing time — for example, VIP visitors, or visitors without a valid credential or a host? What impact will there be if a higher security level is implemented due to an increased threat?
- Processing Stations. Based on worst-case visitor volume and processing time, how many processing stations are required to ensure that the acceptable queuing/wait time is not exceeded? If additional processing is required during a heightened security period, will more staff be required or will longer wait times be acceptable? Is there enough lobby space for processing stations, or should a visitor center be considered? What training will be required for processing and security staff?
- Policies. What written policies need to be prepared to aid in the visitor management program? What credentials are considered acceptable and what actions should be taken for exceptions? How is contraband defined, and is there a formal relationship with local law enforcement and approved procedures if dangerous items are found? What areas of the facility can the visitor access based on the credential and the issuance of a badge, and will an escort be required for other areas? What will be the custodial duties of the escort? Who will be authorized to pre-approve a visitor and will they require security training associated with such authority or for escort duties?
Once these myriad of questions have been asked — and as many as possible answered — we are better able to determine the most appropriate strategies for the visitor management program. One of the most important drivers is the volume of visitors.
How to Process Visitors
A small number of guests can be processed at a single concierge, reception or security desk with a visual inspection of the visitor’s credential, a sign-in book and, perhaps, a hand-written badge. An alternative is to design and implement an unstaffed — or virtual — reception area with audio and/or video communications between the entry vestibule and a remote receptionist or even the host. Such systems can be very unsophisticated — similar to an apartment building intercom system.
There is visitor management software available to automatically read the visitor’s credential (via a business card or driver license scanner), compare it to a pre-authorization list, auto-dial the host for meeting confirmation, and print a visitor badge that could use a bar code to control access to selected areas.
Larger buildings may have several hundreds of visitors per day or even hundreds per hour — the Empire State Building visitor management system, for example, was designed to process more than 600 visitors per hour at peak times. These volumes require a well-conceived strategy, and the criteria discussed above must be well-researched if the correct strategy is to be selected.
In a multi-tenant office building, the minimalist approach for the building manager may be to offload the responsibility to the tenants, and to allow free access as far as the tenants’ front doors. The tenant can then implement such level of visitor management as he/she may consider appropriate for their particular operation. Where the level of potential threat to the building itself is low and the building manager is not marketing “security” as a feature of the facility, this is a very common strategy.
However, for owner-occupiers and landlords of office buildings in major urban environments, a more proactive strategy may be called for. There are many visitor management systems on the market, most of which will include the features listed below.
Pre-approval
Authorized employees can access and complete a visitor pre-approval form on a web server. The system may require authentication from a supervisor before the data is accepted into the system database. The system can e-mail the visitor to let them know that they are pre-approved and that message can contain a bar code that authorizes the use of parking facilities or can be read at a visitor processing desk.
Processing
When the visitor arrives at the facility and presents him/herself at the reception desk/visitor processing station, the visitor is asked to provide a credential to verify their identity. The credential may be as simple as a business card or more rigorous, such as a government-issued driver’s license or passport. It should be noted that a pre-approval letter or e-mail, even with a bar code, does not verify the identity of the visitor.
Automated scanning of a credential enables software to read the data on the card and use it to populate the data field in the visitor record. In addition, many systems can check the validity of the document and check against “black lists” that are either developed internally or available from government agencies, such as the registered sex offender list.
The system can use the visitor’s data (manually or automatically entered) to check against the list of pre-approved visitors for that day. That may be sufficient to allow the visitor permission to enter the facility (with or without a visitor badge), or procedures may require a further check with the host to ensure availability, meeting location and/or escort requirements.
Badge Creation
The system automatically issues an e-mail to the host to notify of the visitor’s arrival and can print a visitor badge. The badge can have any combination of visitor name, issue/expiration dates, photo, host name, escort requirements, access control bar code, and meeting location/building floor. Visitor security policies, emergency egress instructions or even directions and a map to the meeting location can be printed on the back of the badge.
It goes without saying that, unless employees wear badges, a visitor without a badge looks like an employee.
In addition to the virtual reception system outlined above, kiosks can be used to process visitors and create the badges. They are ideal for the frequent visitor who is pre-authorized and has an acceptable, machine-readable credential. Unlike the virtual receptionist, the kiosk screen is used only for data display. The visitor initiates the transaction and is prompted to present their credential, for example, a driver’s license. If the visitor is pre-authorized, a visitor badge can be printed immediately. If not, the system may prompt for a keyboard entry of company and/or host to be visited and can connect to the host’s phone for verification of the meeting and, via the host’s telephone keyboard, an authorization for the kiosk to print the visitor badge.
Integration with Access Control
If the visitor badge has a bar code or other machine-readable technology, and if that badge is to be used for access control, the visitor management system will interface with the facility’s access control system. It downloads access privilege data to the field panels that control authorized access points. Such portals can be turnstiles in the entry lobby that control access to the interior of the facility or elevator banks.
In addition, the access credential can be used in elevator lobbies to enable hall call for an elevator cab or, within an elevator cab, to enable floor call — selection of the floor to which the visitor is authorized to travel. During off-normal hours, when there is little employee or visitor traffic, the visitor management system may also be able to interface directly with the elevator management system to enable the floor call.
Visitor badges can provide access authorization for a single entry at a controlled portal or for any authorized period of time. They can also be issued to employees for one-day access when they arrive without their regular access credential or to temps or contractors that are expected to be on the premises for only a week, for example.
Auditable Records
A manual, handwritten visitor log can provide a great deal of data, if the writing is legible and the person reading it has plenty of time available. The systems approach is the best solution when security regulations, such as PCI, require auditable records.
Perhaps one of the most powerful tools available from a visitor management system is its ability to provide instant, automated reports based on user-selectable criteria in the visitor management database.
For example, the system can provide reports as to when and how often a particular visitor comes to a facility; who is the visitor’s host; how many visitors is an employee hosting; how many visitors are being processed daily or hourly; and, what is the throughput of each processing station.
David G Aggleton, CPP, CSC, has been developing security system design solutions for building managers and tenants in more than 150 commercial office buildings. He is a member of the International Association of Professional Security Consultants (www.IAPSC.org) and the ASIS Security Architecture & Engineering Council. He can be reached at [email protected].