Visitor Management, Tailgating, Piggybacking, and Facility Scenarios

Key Takeaways

  • Visitor management verifies identity, purpose, host approval, escort needs, and entry/exit records.
  • Tailgating occurs when someone follows an authorized person through a controlled entrance without proper authorization.
  • The term piggybacking is often used when the authorized person knowingly allows another person to enter with them.
  • Anti-tailgating controls include awareness, guards, turnstiles, mantraps, badge checks, and visitor escorts.
  • Facility scenarios often test whether the responder balances courtesy, safety, verification, and policy.

Last updated: April 2026

Visitor Management

Visitors are normal in most facilities. Customers, auditors, vendors, delivery drivers, job candidates, inspectors, and repair technicians may all need access. The security issue is that visitors usually do not have the same background checks, training, or ongoing accountability as employees. Visitor management creates a controlled way to admit people for a valid purpose without giving them more access than they need.

A basic visitor process verifies identity, confirms the visit purpose, identifies the host, records entry time, issues a visitor badge, explains rules, determines whether escort is required, and records departure. More sensitive environments may require pre-registration, government ID review, NDA confirmation, vehicle checks, restricted routes, temporary badges that expire, or badges with a different color from employee badges.

Tailgating and Piggybacking

Tailgating happens when an unauthorized person follows an authorized person through a controlled entrance. It may be intentional by the follower and unnoticed by the employee. The term piggybacking is often used when the authorized person knowingly allows another person to enter, such as holding the door for someone who says they forgot their badge. In everyday speech the terms overlap, but both involve bypassing individual authorization.

The social pressure is real. People want to be polite. Attackers exploit that. A person carrying boxes may wait near a badge-controlled door because they expect someone to hold it open. A confident person in business clothes may say, "I am late for a meeting with the CIO." The correct response is not rude; it is professional. The employee can say, "I cannot badge you in, but I can walk you to reception."

Controls

Risk                 Control examples
Visitor wandering    Escort requirement, restricted badge, clear routes
Tailgating           Security awareness, guards, turnstiles, mantraps
Forgotten badges     Temporary badge process through reception
Delivery access      Scheduled delivery window and dock procedure
After-hours access   Approval, logging, guard verification

Scenario: The Helpful Door Hold

An employee badges into the office. A person behind them says they are a new contractor and left their badge in the car. The employee recognizes the company logo on the person's jacket but does not know them. The secure action is to avoid granting entry through the controlled door. The employee should direct or escort the person to reception or a guard desk where identity, appointment, and access can be verified.

Scenario: Vendor in a Server Room

A cooling vendor arrives to inspect an air conditioning unit near the server room. The vendor has a work order, but the host is unavailable. The guard should not simply issue a full-access badge because the vendor seems legitimate. The process should verify the work order, contact an approved alternate host, issue only necessary access, require escort if policy says so, and document entry and exit.

Scenario: Emergency Evacuation

During an evacuation, life safety comes first. Doors may unlock to allow exit, and visitors may leave without normal checkout. Afterward, the organization should reconcile visitor logs and badge records to account for people. Physical access control should never trap people in danger, but emergency modes should be understood and reviewed so they are not abused.
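
The post-evacuation reconciliation described above, sketched as an added example that is not part of the original page. The record layouts, badge IDs, names, hosts, and muster roll are all constructed assumptions; a real system would read them from the visitor management and access control exports.

```python
from datetime import datetime

# Constructed sample data; field names and layouts are assumptions for this example.
VISITOR_LOG = [  # (visitor badge, name, host, time in, time out or None)
    ("V-101", "A. Rivera", "j.chen", "09:05", "10:40"),
    ("V-102", "B. Okafor", "m.silva", "10:15", None),
    ("V-103", "C. Lindqvist", "j.chen", "10:50", None),
    ("V-104", "D. Haddad", "p.novak", "11:20", None),
]
BADGE_EVENTS = [  # (time, badge id, direction)
    ("08:30", "E-2001", "in"), ("08:45", "E-2002", "in"),
    ("09:10", "E-2003", "in"), ("10:20", "E-2002", "out"),
    ("10:45", "E-2002", "in"), ("10:55", "E-2003", "out"),
]
# Badges checked off at the assembly point after the alarm.
MUSTER_ROLL = {"E-2001", "V-102", "E-2004"}
ALARM = "11:00"

def t(hhmm):
    return datetime.strptime(hhmm, "%H:%M")

def visitors_on_site(log, alarm):
    """Visitors signed in by the alarm time and not signed out before it."""
    on_site = {}
    for badge, name, host, t_in, t_out in log:
        if t(t_in) <= t(alarm) and (t_out is None or t(t_out) > t(alarm)):
            on_site[badge] = (name, host)
    return on_site

def employees_on_site(events, alarm):
    """Replay badge events up to the alarm; the last direction decides presence."""
    state = {}
    for when, badge, direction in sorted(events, key=lambda e: t(e[0])):
        if t(when) <= t(alarm):
            state[badge] = direction
    return {b for b, d in state.items() if d == "in"}

def reconcile(log, events, muster, alarm):
    visitors = visitors_on_site(log, alarm)
    expected = set(visitors) | employees_on_site(events, alarm)
    return {
        "unaccounted": sorted(expected - muster),  # follow up first: life safety
        "hosts_to_contact": sorted({visitors[b][1] for b in visitors if b not in muster}),
        "mustered_without_record": sorted(muster - expected),  # no entry record: review
    }

if __name__ == "__main__":
    print(reconcile(VISITOR_LOG, BADGE_EVENTS, MUSTER_ROLL, ALARM))
```

A badge that appears at muster with no entry record is worth reviewing afterward, since it can indicate an entry that bypassed the reader or a missed badge read.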

Exam Focus

In facility scenarios, pick the answer that verifies identity and authorization without ignoring safety. Do not let courtesy override policy. Do not give visitors unescorted access to sensitive areas unless explicitly approved. Do not solve a forgotten badge by allowing someone to borrow another person's credential. Good physical access control is consistent, documented, and respectful.

Test Your Knowledge

A person follows an employee through a badge-controlled door without presenting their own credential. What is this commonly called?

Test Your Knowledge

A vendor arrives for server room maintenance, but the host is unavailable. What is the best action?

Test Your Knowledge

What is the most appropriate employee response when someone says they forgot their badge and asks to be let in?
