TOPIC: Information Security

Handling visitors - don’t just have them sign the visitors log and let ’em go!

Preventing unauthorized access to customer data starts with controlling physical access to non-public areas of your facilities.  Each institution should implement the following:
  • A well-defined and detailed visitor access policy.  We recommend not allowing unsolicited (i.e., without prior approval) visitors.
  • Continual employee training on visitor policies and proper methods of screening individuals, as well as how to manage unauthorized visitor access.  If an electrician shows up unannounced, without pre-approval, employees should be empowered to say no!
  • A record of all visitors to non-public areas.
When a visitor arrives, have designated personnel:
  • Verify the reason for the visit and determine if the visit is authorized and by whom.
  • Request photo identification from the visitor.
  • Log the visitor’s name, company, reason for visit, and in/out time.
  • Issue the visitor a badge if available (in accordance with policy) and collect it at the end of the visit.  It’s a good idea to keep an accurate inventory of all visitor badges.
The employee should never hand the log to the visitor to sign, as there is no real need to have a visitor’s signature.  In fact, handing the log to a visitor lets them see the names and companies of previous visitors, which can be leveraged in social engineering attacks.  When we are performing on-site social engineering testing, we often leverage what we learn from the visitor log for the test at the next location.

As for social engineering testing, you would be surprised at how successful unauthorized visits to sensitive areas of institutions can be.  We have found that some employees have a gut instinct that something is not right, but they often don’t act because they are uncomfortable doing so or may not be aware of the visitor policy.  Training staff on how to properly manage visitors is key to success.  Acting it out and practicing how to manage unauthorized visitors gives your staff the tools and confidence they need if and when the situation arises.