3.3 Visitor Management Protocols

Lesson 3.3: Visitor Management Protocols

By the end of this lesson, you will be able to:

Define the “Sponsor” model and the responsibilities of an escort.
Design a “Visitor Lifecycle” workflow from pre-registration to badge return.
Implement visual management strategies (badge color coding) to instantly identify unauthorized solo movement.
Differentiate between visitor types (Auditor, Vendor, Interviewee) and their access rights.

Security begins before the visitor arrives and ends only when they leave the property.

Rule: No “pop-in” visits. All visitors must be registered in advance by an authorized internal employee (the “Sponsor”).
Vetting: The Sponsor is responsible for vetting the business justification. Why do they need to be here?
Notification: Security receives a list of expected names at the start of the shift. If a name isn’t on the list, they don’t get past the gate.

Identity Verification: Government-issued photo ID (Passport/Driver’s License) is mandatory. The name on the ID must match the pre-registered name exactly.
NDA (Non-Disclosure Agreement): Visitors often see proprietary hardware or client names. Signing an NDA is a condition of entry.
Safety Briefing: A quick review of emergency exits and muster points.
The “Assets In” Check: If a vendor brings tools or hard drives, these must be logged before entry to ensure they don’t leave with your assets later.

Badge Issuance: The visitor receives a temporary badge.
Handoff: The Security Guard does not let the visitor into the building. The Sponsor must come to the lobby to collect them.

Badge Return: Visitor badges must be returned. A lost badge is a security incident.
The “Assets Out” Check: Did they bring in a laptop? Check that they are leaving with only that laptop.

You should be able to look at a person down a long hallway and instantly know if they belong there.

Color Coding:
- White: Employee (Full Access).
- Red: Visitor (Must be Escorted).
- Green: Contractor (Limited Access, usually maintenance).
The “10-Foot Rule”: If you see a “Red Badge” walking alone, you must challenge them immediately. “Where is your escort?”

A visitor badge is essentially a “compliance leash.” It grants no access rights on its own; it only validates presence.

“Eyes-On” Supervision: The escort must keep the visitor in their line of sight at all times.
Liability: If the visitor trips a breaker or steals a drive, the Escort is professionally liable.
Tailgating: The escort swipes their badge, opens the door, and allows the visitor through. The visitor never swipes.

How many visitors can one employee handle safely?

General Office: 1:5 (One employee can watch 5 visitors).
Data Hall / Server Room: 1:1 or 1:2. The risk of accidental damage is too high to watch a large group.

Situation: A delivery driver arrives with lunch for the night shift.
Protocol: They do not enter the building. They stay at the reception desk/lobby transfer hatch. They are not issued a visitor badge.

Situation: An auditor from a bank arrives to inspect their specific server cage.
Protocol:
- Check Govt ID.
- Issue “Visitor” badge.
- Escort (Sponsor) takes them directly to their cage.
- Constraint: They cannot wander into other aisles or look at other clients’ cages.

Situation: A high-level executive from a partner company arrives for a meeting but forgot their wallet/ID.
Protocol:Deny Entry.
- Why? Social engineers often use authority (“Do you know who I am?”) to bypass rules. Without ID, there is no verification.