Who's Visiting the Facility?

April 1, 2007

I was recently at a trade show, standing in a booth trying to get people interested in the training programs offered by Lockmasters Security Institute. As director of special projects for LSI, I talk to many people; trade shows bring out all kinds. At one point, a guy came up and said, “Why would I want to come to your training program…I’ve been in the security business for over 20 years, and there’s nothing you can teach me anyway.” It appears he knows it all. The question looms, how do you reply to that?

Another person asked about visitor control. One of my favorite questions when teaching any topic is what are you trying to accomplish?

Visitor control is a concern for different reasons. The biggest reason is a desire to know who is in your facility. While simple, it can be crucial. And there are actually two reasons for wanting to know who is there. From a protection standpoint, a record of who is in (or has been in) your facility can be important in a loss investigation, or in defending a lawsuit.

The second reason to incorporate visitor control is more concrete, and sometimes required by law. Some jurisdictions require that a facility be able to account for everyone inside a facility in the event of a fire or other disaster. If a building is evacuated, or if a major crisis (fire, explosion, earthquake) occurs, you should be able to know that everyone has gotten out of the building, or know that people are unaccounted for.

The Problems

A major issue with visitor control is the control of information collected. Visitors may be concerned about what happens to information after it is collected. Policies need to be clear, and often need to be explained to visitors. A permanent record of visitors in a building makes sense to the security personnel of that building, yet visitors to that facility may see it differently. The constant news stories of stolen identities make even reasonable people wary of providing personal information to anyone.

If a facility is going to use visitor control, several crucial decisions must be made, among the few include the decision to collect or keep personal information.

Are we going to collect identifying (personal) information?
Are we going to keep identifying (personal) information?

Sometimes I have had people refuse to provide identification. My response is simple; “You don’t have to identify yourself, but I don’t have to let you into my building.”

I have worked in several facilities, and I have had the chance to try different techniques. One facility decided not to retain any visitor information other than a name. When a visitor entered that building, he/she was asked to sign a visitor/guest log. Typically, the receptionist would ask for the guest to sign in, and then ask for identification to match against the name provided in the sign-in log.

(A side note, this particular facility often had celebrities and famous personalities visiting. This resulted in celebrity “autographs” being recorded in the guest log—one of the more notable was a joint visit of Michael Jackson and Lisa Marie Presley—leading to potential theft of the log books.) The only recorded information was a name and a date.

Another small facility kept track of who was in the building by holding a visitor’s identification card while in the facility. When entering the building, a visitor traded his/her driver’s license (or passport) for a facility visitor badge. There was no information recorded, and this technique only identified who was actually in the building. The license was returned to the visitor in exchange for the visitor badge on the way out of the facility.

This exchange system allowed for a complete count of visitors, combined with a name and a photo, in case of an incident, but there was no information recorded or kept.

Better Systems Yield Better Results

The better systems from a security standpoint collect and retain visitor information. There are now automated systems that provide these features, and they can be very efficient as long as you can clearly define what it is that the facility wants.

Automatic readers have the ability to collect information from a driver’s license (including name, address and date of birth) with just a swipe, and many systems also offer the ability to take a photograph of a visitor as well. A photograph can then be incorporated into a visitor badge, and also may be stored and kept.

There is no crime in collecting and keeping visitor data. Clear policies concerning the data need to be defined. Our recommendation is that any data collected from visitors be used solely to maintain a record of who has entered the facility, and used for no other purpose. It should not be a source for mailing lists, and it should not be shared with anyone not directly related to entry or exit from the facility. Strict controls should govern who has access to the information once it is stored.

Jeff Dingle is assistant director of special projects for LSI, a U.S.-based anti-terrorism, homeland security and physical security training company. He has been a Federal Criminal Investigator, security manager at a FORTUNE 15 company and ran the security operations for a former U.S President for eleven years. He can be reached at JeffDingle@LSIeducation.com.

In this webinar, we review the rise of cloud access control and access control as a service, its advantages and disadvantages, and how to select the optimal cloud access control solution for your company.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.