Visitor access management has come under increasing scrutiny across a number of regulatory standards. It will come as no surprise that many organizations are subject to an array of compliance standards each with a different take on visitor management.
In this article, we will unpack the visitor management requirements set out in C-TPAT, ITAR, FSMA and FSIS.
How does a Visitor Management System help with Regulatory Compliance?
In many organizations, a visitor management system was purchased as a replacement for a paper visitor logbook which was failing to meet their compliance requirements. As the volume of visitors, contractors and vendors increases, small scale solutions often struggle to meet a competing array of safety, security and compliance regulations.
Here is a great example. ISO 27001 (the international standard for information security) requires that visitors are logged in, that copies of visitor check-in/out is maintained for audit purposes and that visitors are routinely escorted. PCI DSS has a vastly greater set of requirements across visitor identification, registration procedures, data collection and retention, tracking of movement and prevention of restricted access.
RightCrowd Visitor Management solutions can help companies manage different visitor types, provide registration and approval workflows, integrate into the physical access control system, limiting visitor access to approved areas and delivering compliance reporting. Visitor access privileges are granted according to policy, and all individuals and services are properly authenticated, authorized and auditable.
Customs-Trade Partnership Against Terrorism (C-TPAT)
The Customs-Trade Partnership Against Terrorism (C-TPAT) is a US Customs and Border Protection program to ensure the safety of all goods entering the United States. CTPAT is a voluntary public-private sector partnership program which recognizes that CBP can provide the highest level of cargo security through close cooperation with the stakeholders of the international supply chain such as importers, carriers, consolidators, licensed customs brokers, and manufacturers.
For compliant visitor management the standard requires:
- Access controls to prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets.
- Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry.
- Visitors must present photo identification for documentation purposes upon arrival.
- All visitors should be escorted and visibly display temporary identification.
- Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.
International Traffic in Arms Regulations (ITAR)
ITAR stands for International Traffic in Arms Regulations. It’s a set of export control laws to prevent sensitive information from getting into the hands of foreign nationals. All manufacturers, exporters, and brokers of defence products, services, and related technical data are required to be ITAR compliant or certified.
Organizations must register with the Directorate of Defense Trade Controls, follow proscribed import and export procedures, and screen suppliers, vendors, and subcontractors.
For compliant visitor management the standard requires:
- Companies must keep records of everyone who enters a facility (and thus could be exposed to sensitive information).
- Companies must have a documented visitor management process that involves verifying whether visitors are United States citizens.
- Visitors may be required to sign an ITAR NDA and a technology control plan (TCP) briefing.
- Companies must also maintain comprehensive visitor records.
Food Safety Modernization Act (FSMA)
The Food Safety Modernization Act (FSMA) protects the US food safety system by shifting the focus from responding to foodborne illness to preventing it. FSMA was enacted in response to dramatic changes in the global food system and in our understanding of foodborne illness and its consequences. FSMA contains seven FDA rules that govern food safety practices and procedures. The Food Defense Rule aims to protect the US food supply from intentional contamination and includes requirements for visitor management.
For compliant visitor management the standard requires:
- The owner, operator, or agent in charge of a facility shall identify and implement preventive controls, at critical control points, to provide assurances that
- 1 hazards identified in the hazard analysis conducted under subsection (b)(1) will be significantly minimized or prevented;
- “(2) any hazards identified in the hazard analysis conducted under subsection (b)(2) will be significantly minimized or prevented and addressed, consistent with section 420, as applicable; and
- “(3) the food manufactured, processed, packed, or held by such facility will not be adulterated under section 402 or misbranded under section 403(w).
- The owner, operator, or agent in charge of a facility shall maintain, for not less than 2 years, records documenting the monitoring of the preventive controls implemented under subsection (c), instances of nonconformance material to food safety, the results of testing, and other appropriate means of verification under subsection (f)(4), instances when corrective actions were implemented, and the efficacy of preventive controls and corrective actions.
United States Department of Agriculture (USDA) & Food Safety & Inspection Service (FSIS)
The Food Safety and Inspection Service (FSIS), an agency of the United States Department of Agriculture (USDA), is the public health regulatory agency responsible for ensuring that United States’ commercial supply of meat, poultry, and egg products is safe, wholesome, and correctly labelled and packaged. The FSIS also acts as a national health department and is responsible for the safety of public food-related establishments as well as business investigation.
FSIS ensures information security controls are in place to protect FSIS information systems and data in compliance with NIST SP 800-53, and it creates a number of obligations around physical access authorizations, physical access control, monitoring physical access and visitor access records.
For compliant visitor management the standard requires:
- Companies maintain visitor access records to the computer facility (except for designated publicly accessible areas); in accordance with record retention policies; and designate officials within the organization to review the visitor access records daily.
- Visitor access records must include:
a. Visitor’s name, organization, and signature;
b. Form of identification;
c. Date of access;
d. Time of entry and departure; and
e. Purpose of visit.
- Companies employ automated mechanisms to facilitate the maintenance and review of visitor access records. This requirement is only applicable to HIGH systems.
Visitor access management has come under increasing scrutiny across a number of regulatory standards. It will come as no surprise that many organizations are subject to an array of compliance standards each with a different take on visitor access.
If you would like to know more about RightCrowd Visitor Management can help, please contact us.