Visitor Logs SHOULD be implemented in publicly accessible areas of the business premises, and all visitors SHALL be required to sign them.
Control Type: Physical
Control Function: Detective
Businesses with a large amount of foot traffic ingress and egress through their facilities should take extra precautions to track individuals for accountability. If a visiting party engages in activity, either intentional or unintentional, that culminates in a security incident, the business needs to be able to identify the individual. Visitor Logs are a physical security control that creates an audit trail of human traffic in the business environment. They require visitors to sign in at the front desk when they enter the organization's facilities. Visitors are reminded to sign the log by a member of staff, usually a receptionist or security guard. This member of staff must be trained and prepared to properly escalate if an individual refuses to sign the visitor log.
Visitor logs must not mandate handing over any data that isn't necessary to their purpose. The visitor’s name, phone number, and check-in/check-out time will usually suffice, as this establishes contact information and time correlation. If desired, the business may require visitors to provide a reason for their visit in a short description. The business must ensure that visitor logs are kept fresh. When pages are filled, they must be saved and filed in a secure location. This allows the logs to be easily retrieved if they are needed for investigative purposes, while still physically securing them from unauthorized access. At the end of each workday, the employee(s) overseeing the logs should place them in a locked drawer to prevent unauthorized access after work hours.