Establish and maintain a visitor's log.

UCF ID: 00715
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Ensure the visitor's name, firm, and acceptable access areas are entered into the visitor's log. [UCF Control ID 00557]
    Maintain all records in the visitor's log for a minimum of 90 days or as prescribed by law. [UCF Control ID 00572]

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 53; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 9.1; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.4.a; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-12.g; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 10-507.e, § 10-721.b; DOT Physical Security Survey Checklist, Personnel Identification and Control Checklist; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.3.1, § 4.3.2, Exhibit 4 PE-8; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-8; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-8, PE-8(1); The Standard of Good Practice for Information Security, CI2.8.3(b); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.1.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.1.2; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.4(a); ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.6(h)

Banking and Finance Guidance

All visitors should be required to sign in before entering the facility. [Pg 53, FFIEC IT Examination Handbook – Information Security]

[Exam Tier II Obj 9.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Payment Card Guidance

The organization must maintain a log of all visitors to the facility that contains the visitor's name, organization, and who is escorting them. The organization must keep the log for at least 3 months.
Verify the visitor log contains the visitor's name, company name, and the name of the employee escorting the visitor. Verify the log is maintained for at least 3 months.
[§ 9.4.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must maintain a log of all visitors to the facility that contains the visitor's name, organization, and who is escorting them. The organization must keep the log for at least 3 months. [§ 9.4(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

The organization should maintain a visitor log to identify all individuals granted access to the computer room. [§ 2-12.g, Army Regulation 380-19: Information Systems Security, February 27, 1998]

A record of foreign visitors who access classified information must be retained for 1 year. Records of visitors from NATO must be maintained for 3 years. [§ 10-507.e, § 10-721.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

The visitor log should contain the departure time for each visitor. [Personnel Identification and Control Checklist, DOT Physical Security Survey Checklist]

Calls for Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

US Internal Revenue Guidance

Visitors to restricted areas must sign an access register. The register must contain the name of the visitor, the name of the organization the visitor is from, his/her signature, the name of the escort, the purpose of the visit, and the date and time of entry. When the visitor leaves the area, the time of departure should be entered into the register. The organization must review the visitor log at least annually. [§ 4.3.1, § 4.3.2, Exhibit 4 PE-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The organization should create a policy to maintain, and periodically review, visitor access logs for information system facilities in areas not open to the public. [App F § PE-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure that a log is maintained of all visitors and includes the name and organization of the visitor, the name of the person being visited, the visitor's signature, the date of access, the times the visitor entered and left the facility, and the purpose of the visit; that automated mechanisms are configured to properly perform maintenance and review of the visitor access logs; and that specific responsibilities and actions are defined for implementing the access logs control. Any problems discovered during implementation of the access logs control should be documented and used to improve the controls.
Interviews should be conducted with personnel who admit visitors to the facility, personnel who use automated mechanisms to manage and review access logs, and personnel who maintain visitor access logs, to ensure that all visitors are required to sign a log.
[PE-8, PE-8(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

A log should be kept of all visitors to the site. The log should contain the date and time of entry and departure. Visitors should be supervised at all times, unless they have been previously approved. [§ 9.1.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

A log should be kept of all visitors to the site. The log should contain the date and time of entry and departure. Visitors should be supervised at all times, unless they have been previously approved. [§ 9.1.2, ISO/IEC 27002 Code of practice for information security management, 2005]

Formal procedures and policies should be established for controlling the movement of personnel, other than the service provider's staff, into and within the service provider's location, to ensure that a log is maintained of all outsiders who enter the premises, including permanent contractors. The log should include the outsider's name and organization, the purpose for entering the premises, whom they are visiting, the entry and exit times, remarks, and signature. [§ 6.3.6(h), ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

Visitors to the installation should have their entry and exit times recorded in a log. [CI2.8.3(b), The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.