Visitor Management, Tailgating, Piggybacking, and Facility Scenarios
Key Takeaways
- Visitor management verifies identity, purpose, host approval, escort needs, and entry/exit records.
- Tailgating is following an authorized person through a controlled door without the follower's own credential.
- Piggybacking implies the authorized person knowingly lets another person in with them.
- Anti-tailgating controls include awareness, guards, turnstiles, and mantraps (one-person interlocking vestibules).
- In facility scenarios, verify identity and authorization without ever overriding life safety.
Visitor Management
Visitors are normal: customers, auditors, vendors, delivery drivers, job candidates, inspectors, and repair technicians may all need access. The risk is that visitors usually lack the background checks, training, and ongoing accountability employees have. Visitor management admits people for a valid purpose without granting more access than they need.
A basic visitor process verifies identity, confirms purpose, identifies the host, records entry time, issues a visitor badge (often a different color so it is obvious on sight), explains the rules, decides whether an escort is required, and records departure. Sensitive sites add pre-registration, government-ID review, an NDA, vehicle checks, restricted routes, and temporary badges that expire.
The visitor log itself is a security record, not paperwork. It establishes accountability (who was on site and when), supports investigations after an incident, and is frequently requested during audits and compliance reviews. A reliable log captures the visitor name, the host, time in, time out, badge number, and purpose. Two common gaps the exam probes: a visitor who signs in but never signs out, leaving the organization unsure whether they ever left, and a sign-in sheet left open where one visitor can read prior visitors' names, a small privacy leak. Electronic visitor systems reduce both problems by timestamping events and hiding earlier entries.
Tailgating and Piggybacking
These terms overlap in everyday speech, but the exam distinguishes intent:
| Term | Who is at fault | Typical example |
|---|---|---|
| Tailgating | The follower (often without the employee noticing) | Someone slips in behind a badged employee unseen |
| Piggybacking | The authorized person knowingly cooperates | An employee holds the door for someone who "forgot" their badge |
Both defeat individual authorization. The social pressure is real: people want to be polite, and attackers exploit it. A person carrying boxes lingers near the door expecting a hold; a confident person in business clothes says "I'm late for a meeting with the CIO." The correct response is professional, not rude: "I can't badge you in, but I'll walk you to reception."
Anti-Tailgating and Visitor Controls
| Risk | Control examples |
|---|---|
| Visitor wandering | Escort requirement, restricted badge, defined routes |
| Tailgating | Awareness training, guards, turnstiles, mantraps |
| Forgotten badges | Temporary badge issued through reception |
| Delivery access | Scheduled window and dock procedure |
| After-hours access | Pre-approval, logging, guard verification |
A mantrap (also called an access-control vestibule) is a pair of interlocking doors: the second will not open until the first has closed and the person inside has been verified, so only one individual passes at a time. It is the strongest anti-tailgating control listed. A turnstile raises the bar, but a determined person can still jump or push through, so it sits below a mantrap. Security awareness training is the cheapest layer: teaching staff that politely refusing to hold a door is correct behavior addresses the social-engineering root cause that hardware alone cannot fix.
Strong programs combine the human control (awareness) with a physical control (turnstile or mantrap) and a monitoring control (guard or camera) so a single failure does not let an unauthorized person in.
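The interlock rule that makes a mantrap work (second door locked until the first closes and exactly one verified person is inside) is easy to state and easy to get wrong. The model below is an added example, not from this page or any real access-control product; the occupancy sensor and door names are assumed.

```python
class Mantrap:
    # Hypothetical model: two interlocking doors around a one-person vestibule.
    def __init__(self):
        self.outer_open = self.inner_open = self.verified = False
        self.occupants = 0     # assumed occupancy sensor (weight mat / IR beam)
        self.denials = []      # why each refused action was refused

    def _deny(self, why):
        self.denials.append(why)
        return False

    def open_outer(self):
        # Interlock: the outer door stays locked while the inner door is open.
        if self.inner_open:
            return self._deny("outer: inner door open")
        self.outer_open = True
        return True

    def enter(self, people=1):
        if not self.outer_open:
            return self._deny("enter: outer door closed")
        self.occupants += people   # a tailgater raises the count to 2
        return True

    def close_outer(self):
        self.outer_open = False

    def verify(self, credential_ok):
        # Verification counts only when exactly one person is in the vestibule.
        if self.occupants != 1:
            return self._deny(f"verify: {self.occupants} occupants, expected 1")
        self.verified = bool(credential_ok)
        return self.verified or self._deny("verify: credential rejected")

    def open_inner(self):
        # The second door needs the first closed AND one verified occupant.
        if self.outer_open:
            return self._deny("inner: outer door still open")
        if not (self.occupants == 1 and self.verified):
            return self._deny("inner: not exactly one verified occupant")
        self.inner_open = True
        return True

def cycle(credential_ok=True, people=1, close_outer=True):
    """One entry attempt; returns (inner_door_opened, list_of_denials)."""
    m = Mantrap()
    m.open_outer(); m.enter(people)
    if close_outer: m.close_outer()
    m.verify(credential_ok)
    return m.open_inner(), m.denials
```

Running `cycle(people=2)` shows why a turnstile is weaker: with two bodies in the vestibule the verification step itself is refused, not just the door.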
Scenario: The Helpful Door Hold
An employee badges into the office. A person behind them says they are a new contractor who left their badge in the car and points to the company logo on their jacket; the employee does not recognize them. The secure action is to not grant entry through the controlled door. The employee should escort or direct the person to reception or the guard desk, where identity, appointment, and access can be verified. The jacket logo proves nothing.
Scenario: Vendor in a Server Room
A cooling vendor arrives to inspect an HVAC unit near the server room with a work order, but the named host is unavailable. The guard must not simply issue a full-access badge because the vendor seems legitimate. The process verifies the work order, contacts an approved alternate host, issues only the necessary access (least privilege), requires an escort if policy says so, and documents entry and exit.
Scenario: Emergency Evacuation
During an evacuation, life safety comes first. Fail-safe doors unlock to allow exit, and visitors may leave without normal checkout. Afterward, the organization reconciles visitor logs and badge records to account for everyone, often at a designated assembly point where headcounts confirm no one is left inside. Physical access control must never trap people in danger, but emergency modes should be understood and reviewed so they are not abused as a routine bypass.
This is exactly why an accurate visitor log matters: during a real evacuation, responders need to know how many people were on site and whether each one is accounted for. A visitor who signed in but never signed out creates a dangerous gap, because searchers may waste time looking for someone who already left, or worse, may stop searching for someone still inside. The exam frames the emergency scenario as a deliberate clash between two goals, security and safety, and safety always wins; the security review happens afterward, not during the emergency.
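The two log checks described above (visitors who never signed out, and the post-evacuation reconciliation of visitor log, badge reads and assembly-point headcount) as an added example; the visitor records and badge numbers are constructed for illustration and are not from the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Visit:
    name: str
    host: str
    badge: str
    purpose: str
    time_in: str                 # "HH:MM" for brevity; a real log stores full timestamps
    time_out: Optional[str] = None

# Constructed sample visitor log (names and badge numbers are made up).
VISITOR_LOG = [
    Visit("A. Rivera", "J. Chen",  "V-101", "HVAC inspection", "08:55", "10:20"),
    Visit("B. Okafor", "M. Patel", "V-102", "audit interview", "09:10"),
    Visit("C. Lind",   "M. Patel", "V-103", "job interview",   "09:30"),
    Visit("D. Novak",  "J. Chen",  "V-104", "delivery",        "09:45", "09:58"),
]

def open_visits(log):
    """Visitors who signed in but never signed out (the accountability gap)."""
    return [v.name for v in log if v.time_out is None]

def evacuation_reconcile(log, exit_badge_reads, assembly_point):
    """Account for every visitor still on site when the alarm sounded.

    exit_badge_reads: badge numbers seen at exit readers during the evacuation.
    assembly_point:   names counted by the warden at the assembly point.
    Returns names neither badged out nor counted outside: the people
    searchers must still look for.
    """
    on_site = [v for v in log if v.time_out is None]
    badged_out = {v.name for v in on_site if v.badge in exit_badge_reads}
    accounted = set(assembly_point) | badged_out
    return sorted(v.name for v in on_site if v.name not in accounted)
```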
Exam Focus
In facility scenarios, pick the answer that verifies identity and authorization without ignoring safety. Do not let courtesy override policy. Do not grant unescorted access to sensitive areas unless explicitly approved. Never solve a forgotten badge by lending or borrowing a credential. Good physical access control is consistent, documented, least-privilege, and respectful.
An employee deliberately holds a controlled door open for someone who says they forgot their badge. This cooperation is BEST described as:
Which control most reliably stops tailgating by allowing only one verified person through at a time?
A vendor arrives for server-room maintenance with a work order, but the named host is unavailable. What is the best action?