Most entry control processes are designed primarily to identify and control access to those who normally inhabit a building — trusted employees and building staff — who may have been required to undergo background screening prior to being hired. Part of the entry process includes the checking of credentials issued by the facility, using security staff or automated systems — for example, a building or access control card.
Visitors — whether business guests, contractors, delivery drivers or repair personnel — do not possess building-issued credentials and are usually unknown to building security staff.
What do we need to know in order to assure ourselves that it is acceptable to allow the visitor into our facility? The term “acceptable” is subjective and depends greatly on the security level of the facility being visited — at a regular commercial office building, anyone dressed in business attire may be considered acceptable. At a high-level military facility, nothing short of background checks and processing through metal, x-ray and explosive detectors may be the norm.
There are four elements in the process that we should follow to ensure that the visitor should be allowed into our facility: verification of identity, validation of purpose, screening and access control.
Verification: First we need to establish and verify the person’s identity. “What is your name and do you have a government-issued credential with picture identification?” A driver’s license is a commonly accepted identification credential; most states provide a machine-readable license that facilitates extracting the holder’s data and some can verify that the document is not counterfeit. However, procedures also need to be in place to address the individual who does not, or cannot, conform to the expected norm — e.g., has no driver’s license or even no picture identification. One company’s policy might be complete denial of access; another’s might be a requirement for the visitor’s host come to the lobby and vouch for the visitor’s identity.
Validation: Once the visitor’s identity has been verified, the second task is to validate that they have a legitimate need to be in the building. Typically, this will require contact with a known, trusted person within the facility — someone who has the authority and responsibility to admit visitors. This may be as simple as phoning the visitor’s host to verify an appointment or checking a list of pre-authorized visitors. A list is most useful where there are multiple visitors for a conference or for a training course, particularly if the host may not be locatable at a regular phone number. Nothing is more frustrating than arriving a few minutes late for a meeting and knowing that the reason security cannot reach your host is because he/she is chairing the meeting in some unknown conference room!
Screening: The third element is screening for any contraband items that might be hand-carried or on the visitor’s person. Prior to the Sept. 11 attacks, it was rare to see personnel or package screening in a commercial environment; but many facilities have implemented some level of visitor checking — from a cursory look into hand-carried bags and briefcases to a full airport-style screening. Some facilities do not perform personnel screening under normal circumstances but keep the necessary equipment close at hand to implement tighter measures if the DHS security level is heightened.
Manual screening of the person and carried bags is more intrusive and less effective than systems but is needed to verify machine-generated alerts. The use of personnel screening technology — walk-through metal detectors, package x-ray machines and even explosive detectors — has been implemented for visitors to a number of high-rise office buildings and other more sensitive environments. Security officers should have high levels of training in systems operation, manual checking and personnel interaction if the screening process is to operate smoothly.
Should all who enter the facility be screened, or are regular building occupants to be treated as trusted persons? Part of this decision rests in the nature of the facility and the nature of contraband items for which the systems are intended to deny access. An employee with a pocket penknife in a commercial office building is a much lower threat than the same item carried by an employee entering restricted currency or bullion processing area. If tenants/employees will not be screened, is there an automated system to check their credentials and validate them as tenants/employees?
Access Control: The three elements described above usually take place in an entry lobby (front door) or a loading dock (back door.) Once the visitor has been verified, validated and/or screened they have earned a reasonable level of trust but, perhaps, not enough to be given the freedom to roam the facility. Access control from the entry point to the remainder of the facility — and any sensitive areas within the facility — is often necessary. Should the visitor be required to wear a badge that prominently announces the person’s name, their host, and the floor(s)/department(s) that they may visit? Certainly this provides an additional measure of security, but only if employees are encouraged to challenge a visitor in the wrong location or one who is not wearing a badge. However, in a large community where employees are not required to wear their badges, visitors need only remove theirs to look like employees.
A simple and effective access control measure, particularly where higher levels of security are warranted, is to assign an escort to the visitor. It becomes the escort’s responsibility to control the visitor’s movements while on the site. The host signs for the visitor in the entry lobby, thereby accepting responsibility for all of the visitor’s actions, and returns the visitor to the exit once the visit is complete, signing that the visitor has not been out of his/her control during the visit. However, there are a number of practical limitations: the host may be a busy person and may not have the time to collect the visitor from the entry lobby. Also, the visitor may be joining a conference already in progress that is being chaired by the host, or the visitor may need to visit a number of different departments. A form on the back of the visitor’s badge can be used to reassign escort responsibility from one host to another, e.g., from an administrative assistant to the conference chair and then to another department head.
A visitor badge can also double as an access control card permitting the visitor access to allowable areas or, for higher security levels, the badge can be used in concert with an authorized employee’s card — a modified two-man rule. The benefits include the maintenance of an auditable record of visitor access and the authorizing host. For simple applications, a barcode can be printed on the visitor badge; for higher security environments, more sophisticated technology can be used, including passive infrared (PIR) and radio-frequency identification (RFID) systems that allow a visitor’s tag/badge to be tracked within a building on a graphic display and can be paired with the host escort.
The Systems Approach
Most visitors, 99.99 percent, arrive for legitimate purposes and should be welcomed at the facility. Active participation of smartly presented security officers who are well-trained in both equipment operation and people skills, and who show a keen interest in ensuring that any delay or inconvenience to the visitor is minimal, are the attributes that make the visitor feel at home and are most effective in detecting off-normal conditions and denial of access to the 0.01 percent of visitors who are intent on harm.
Let’s look at the process discussed above as it is implemented in an automated Visitor Management System (VMS). Such systems are being implemented at corporate facilities, commercial office buildings (at both entry lobbies and loading docks) and gated residential communities. Modified versions are also applicable for visitors to school buildings.
Pre-Approval: The validation phase can start before the visitor arrives: The (authorized) host of the visitor accesses a VMS Web server via a standard browser (and a password) and completes a form that provides, as minimum, the visitor’s name, affiliation, date, time and duration of visit, and where in the facility the visitor will be permitted and if a host is needed. An e-mail can be sent automatically to the visitor with the details of the visit and presentation of the e-mail in printed form can be used as part of the verification and validation processes. Pre-approval of visitors greatly reduces processing time and reduces the number of processing stations required.
The Visitor Arrives: The first step when the visitor arrives at the visitor processing station is to verify identity. Preferably, a standard government-issued credential, such as a driver’s license, is presented and its data automatically extracted by a reader. The alternative is keyboard entry which is slow and error-prone. The VMS software can validate the visit by checking that the individual is not on a “black list” and is expected (pre-authorized) at that date and time. If not pre-authorized, the processing staff can phone the host for validation or can require the visitor to phone the host and obtain pre-authorization. In a busy entry lobby, the latter procedure is becoming more prevalent since the responsibility for authorization is transferred from the administrative staff to the trusted host. Once the verification and validation processes are complete, the system can e-mail the host with notification of arrival and print a visitor badge.
Taking and storing a photograph of each visitor is valuable as a deterrent and can be used to identify a visitor who becomes a suspect in a security incident. Printing the photo on a disposable badge to be worn by the visitor is of less value: given the quality of the camera and typical lobby lighting conditions, the print quality is very poor and the photo of questionable use unless employees and security staff in the facility are trained to check the photo against the holder. Also, as mentioned before, visitor badging is ineffective in large facilities unless employees are also required to wear their badges.
The Visitor’s Badge: The system can automatically print the visitor’s badge as soon as the identity is verified and the purpose for the visit validated. The design of the badge is open to the user, but it is useful to ensure that the following information is prominently displayed: visitor’s name, affiliation, host’s name, meeting location (e.g., floor/room number) and expiration date. A self-expiring sticker may be of added security and, if the badge is to be used in an automated access control system, a barcode can be printed on the badge or a prox reader sensor adhered to it.
A label can be printed that is stuck on a reusable plastic badge that can be a proximity card. Any process that requires peeling off a backing or peeling off an old label is more time-consuming and creates waste. Card stock, pre-printed with standard building information, is probably best if longevity and barcode reading are issues. Although such badges are a little more expensive to produce and need a thermal-printed piece of paper ribbon, they are part of the “visitor experience” and enhance the image of the facility.
The period of validity of a badge may be set at a single visit, multiple visits in one day, of multiple days for, say, a visitor who is attending a week-long training course. The quality of the badge should reflect its expected duration. Another factor to plan for is disposal: a badge dropped in a garbage can outside the building should not permit entry by a dumpster diver.
Visitor management systems can interface with many off-the-shelf access control systems. As soon as the visitor badge is produced, the badge identification number (e.g., barcode or proximity code) and the expiration data can be transmitted to the field panels of the card readers that will read the badge. Thus, a turnstile access control system in the entry lobby, with appropriate readers, can accept the visitor’s badge and control passage into the facility.
The VMS process is ideal for automation — if the visitor is preauthorized and has a machine-readable, government-issued credential. ATMs and boarding pass kiosks have trained us to interface with complex systems through simple processes. Many VMSs promote the use of kiosks: the visitor dips the credential in a reader (similar to a bank card at an ATM) and, if its data matches that on a list of pre-authorized visitors, a photo can be taken and the visitor badge is printed. The self-processing procedure is very quick and cost-payback period for a kiosk can be short; however, most complex situations — a visitor who has not been preauthorized or who has a non-uniform credential — still requires staff assistance.
David G. Aggleton, CPP, CSC, is president and principal consultant at Aggleton & Associates, Inc., a security systems design and consulting firm. Dave has been planning and designing security systems for more than 30 years and can be reached at email@example.com