Control visitor access to the facility.

UCF ID: 01329
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Establish and maintain visitor identification procedures and access methods. [UCF Control ID 00713]
    Establish and maintain a visitor's log. [UCF Control ID 00715]
    Ensure visitors have been authorized prior to accessing areas containing restricted data or information. [UCF Control ID 01330]

Authority documents complied with:

    FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier II Obj E.1
    FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 9.1
    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.1.2, § 9.2
    Protection of Assets Manual, ASIS International, Pg 1-I-A1, Pg 15-I-20
    Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(12)
    NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 10-501
    DOT Physical Security Survey Checklist, Personnel Identification and Control Checklist
    FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3
    49 CFR Part 1542 - Airport Security, § 1542.211(e)
    US The International Traffic in Arms Regulations, April 1, 2008, § 125.5
    IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 4 PE-7
    Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PE-7, App F § PE-7(1)
    Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PE-7, PE-7(1)
    The Standard of Good Practice for Information Security, CI2.8.3(c), CI2.8.3(d)
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.1.2, § 9.2
    ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.6(c), § 6.3.6(e)

Banking and Finance Guidance

[Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier II Obj 9.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Payment Card Guidance

The organization must ensure procedures are in place that allow all personnel to easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.
Verify that procedures are in place for issuing badges to employees, contractors, and visitors. Verify that visitors are escorted at all times while in areas with active network jacks.
Observe personnel moving around the facility to confirm that employees and visitors are easy to tell apart.
[§ 9.1.2, § 9.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must ensure procedures are in place that allow all personnel to easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. [§ 9.1.2, § 9.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Unescorted visitors with access to restricted areas must have appropriate credentials, which must be verified and validated. [§ 27.230(a)(12), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

The organization must develop procedures for handling international visitors. [§ 10-501, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Procedures should be developed for escorting visitors. [Personnel Identification and Control Checklist, DOT Physical Security Survey Checklist]

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Procedures must be developed for escorting individuals who do not have access to secured areas, including only allowing individuals with unescorted access to escort individuals; ensuring escorted individuals are continuously escorted; and logging what actions the escorted individual is taking. [§ 1542.211(e), 49 CFR Part 1542 - Airport Security]

During a classified plant visit by a foreign person, a license is not required for the oral or visual disclosure of unclassified technical data. Approval by the Directorate of Defense Trade Controls is not required for oral and visual disclosure of classified information if the visit has been approved by an appropriate U.S. Government agency. A license is not required if unclassified technical data is disclosed to a foreign person during an unclassified or classified visit that has been approved by the Directorate of Defense Trade Controls or a U.S. Government agency. [§ 125.5, US The International Traffic in Arms Regulations, April 1, 2008]

US Internal Revenue Guidance

The organization must implement visitor controls to authenticate visitors prior to allowing them to enter the facility. [Exhibit 4 PE-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

App F § PE-7 The organization must establish and maintain visitor control policies and procedures that control physical access to the information system by authenticating visitors before authorizing access to the facility, other than areas designated as publicly accessible.
App F § PE-7(1) The organization should escort visitors and monitor visitor activity when required.
[App F § PE-7, App F § PE-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records, documents, and the facility should be examined to ensure that visitors are authenticated before being granted access; that visitors are escorted; that visitor activities are monitored; and that specific responsibilities and actions are defined for implementing the visitor control. Any problems discovered while implementing the visitor control should be documented and used to improve the control.
Interviews should be conducted with the personnel responsible for authorizing and authenticating site visitors and with the personnel who escort and monitor site visitors.
[PE-7, PE-7(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Formal policies and procedures should be established for controlling the movement of personnel other than the service provider's staff into and within the service provider's location, to ensure that all visitors remain at the entrance, or are escorted to a designated waiting area, until a member of the service provider's staff meets them, and that all visitors are escorted at all times. [§ 6.3.6(c), § 6.3.6(e), ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should ensure that all visitors are escorted by appropriate personnel while they are in the facility. If a visitor or vendor refuses to sign a secrecy agreement, he or she should be kept out of sensitive areas and escorted throughout the facility. [Pg 1-I-A1, Pg 15-I-20, Protection of Assets Manual, ASIS International]

Visitors should be supervised at all times and should be issued instructions about security requirements and prohibited equipment. [CI2.8.3(c), CI2.8.3(d), The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.