Escort visitors and monitor visitor activity in secured areas
Visitors, including contractors, vendors, auditors, and guests, should not be left unescorted in areas where FCI systems are located. An unescorted visitor can observe screens, copy data, photograph equipment, or install hardware implants without anyone noticing. Escort requirements ensure there is always an authorized employee present who can supervise and take responsibility for visitor activity.
Implementation steps
1. Define visitor policies for secured areas
Write a policy specifying that visitors must be escorted at all times in areas containing FCI systems. Define who qualifies as a visitor (including vendors, contractors, and temporary staff not yet badged), which areas require escort, and who is authorized to serve as an escort.
Tools: Confluence
2. Implement a visitor sign-in process
Require all visitors to sign in with their name, organization, purpose of visit, the employee they are visiting, and time of arrival and departure. Issue visitor badges that are visually distinct from employee badges and must be worn visibly. Collect visitor badges when visitors exit.
Tools: Envoy, Proxyclick, Excel
3. Train employees on escort responsibilities
Train all employees to understand they are responsible for the visitors they escort: they must keep the visitor in sight, prevent the visitor from accessing areas beyond the purpose of the visit, and challenge any unescorted visitor they encounter. Brief employees on what to do if they see a visitor without a badge or escort.
Tools: KnowBe4
Evidence required
Visitor policy
Written policy requiring visitor escort in areas with FCI systems.
- Physical security policy with visitor escort requirement
- Facility access procedure
Visitor log
Records showing visitor sign-in and sign-out with escort information.
- Visitor sign-in log or digital visitor management system export
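One way to check a visitor log export before submitting it as evidence, as an added example that is not part of the original page. The CSV column names and the sample rows are constructed assumptions, not the schema of any visitor management product.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """name,organization,purpose,host_employee,escort,arrival,departure,badge_returned
Ana Ruiz,Acme HVAC,Maintenance,J. Patel,J. Patel,2024-03-04 09:02,2024-03-04 10:15,yes
Tom Lee,,Audit,M. Chen,M. Chen,2024-03-04 13:00,2024-03-04 15:30,yes
Kim Park,Initech,Printer repair,S. Okoye,,2024-03-05 11:20,2024-03-05 11:55,yes
Raj Rao,Globex,Sales demo,L. Diaz,L. Diaz,2024-03-05 14:00,,no
Eva Moss,Umbrella IT,Cabling,J. Patel,J. Patel,2024-03-06 16:40,2024-03-06 16:05,yes
"""

# Sign-in fields the process above requires, plus the escort the evidence must show.
REQUIRED = ["name", "organization", "purpose", "host_employee", "escort", "arrival"]
TIME_FORMAT = "%Y-%m-%d %H:%M"


def audit_visitor_log(csv_text):
    """Return (row_number, visitor, problem) tuples for entries with gaps."""
    findings = []
    # Row numbers start at 2 because line 1 of the export is the header.
    for row_number, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        visitor = (row.get("name") or "").strip() or "<unnamed>"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((row_number, visitor, f"missing {field}"))
        departure = (row.get("departure") or "").strip()
        if not departure:
            findings.append((row_number, visitor, "no sign-out recorded"))
        else:
            try:
                arrived = datetime.strptime((row.get("arrival") or "").strip(), TIME_FORMAT)
                if datetime.strptime(departure, TIME_FORMAT) < arrived:
                    findings.append((row_number, visitor, "sign-out earlier than arrival"))
            except ValueError:
                findings.append((row_number, visitor, "unparseable timestamp"))
        # An uncollected visitor badge means the visit was never closed out.
        if (row.get("badge_returned") or "").strip().lower() != "yes":
            findings.append((row_number, visitor, "visitor badge not collected"))
    return findings


if __name__ == "__main__":
    for row_number, visitor, problem in audit_visitor_log(SAMPLE_EXPORT):
        print(f"row {row_number}: {visitor}: {problem}")
```

Rows flagged here are the ones to correct or explain before the log is used as evidence: a missing escort or sign-out leaves no record that the visitor was supervised for the whole visit.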
Visitor badge system
Evidence of a visitor badging system that distinguishes visitors from employees.
- Photograph of visitor badge
- Visitor management system configuration
Related controls
- Limit physical access to systems and facilities to authorized individuals (Physical Access)
- Maintain audit logs of physical access to secured areas (Physical Access)
- Control and manage physical access devices (Physical Access)
- Sanitize or destroy media containing FCI before disposal or reuse (Media Sanitization)