Manage employee identification within the facility.

UCF ID: 02215
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

Protection of Assets Manual, ASIS International, Pg 8-I-7 thru Pg 8-I-11; DOT Physical Security Survey Checklist, Personnel Identification and Control Checklist; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.4.8

US Federal Security Guidance

All badges should be registered and controlled and should be under the supervision of a security officer. Procedures should be in place for handling lost, damaged, and/or forgotten badges. All badges should be returned upon employee termination. [Personnel Identification and Control Checklist, DOT Physical Security Survey Checklist]

ISO Guidance

To monitor and control personnel movement in the premises, a visible badge identification program should be implemented. The program should have the following requirements: the badge should uniquely identify the person; the badge should not be easily forged or duplicated; only one badge should be issued at a time to one person; the person the badge was issued to should be responsible for its security and appropriate use; lost badges should be immediately reported; badges should be prominently worn at all times; staff badges should be distinctly different from visitor badges; visitor badges should be returned when the visitor leaves the premises; and staff badges should be returned on the staff member's last working day, as part of the security exit procedures. [§ 6.4.8, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization's security policy should require all employees to wear badges whenever they are on the premises. This requirement should apply to all levels of management. When not all personnel are required to wear badges, personnel do not feel they should challenge someone who is not wearing one; a visitor who removes his/her badge will then look like an employee and will not be challenged. Employees should be charged for replacement badges and should face disciplinary action for repeated badge losses. To make badges more secure, they should be resistant to changes, have photographs on them, use holograms, and be laminated. Badges should be able to reveal identity at a distance. Badges should have an expiration date and should be updated with new photographs, as necessary. If badges use coding to identify access levels, the coding should be highly visible. [Pg 8-I-7 thru Pg 8-I-11, Protection of Assets Manual, ASIS International]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.