How to Choose a Visitor Management System
If your business manages a lot of visitors, it’s important to have a visitor management system in place. With so many different options on the market, how do you choose the right one for your needs? Twenty years ago, choosing a Visitor Management System (VMS) was relatively easy because there weren’t too many to choose from. Most VMSs were desktop systems. They were not well suited for some of the more esoteric requirements, and they were especially not suited for a network-powered enterprise. In this blog post, we’ll walk you through the process of choosing a visitor management system and highlight some of the key factors to consider. Let’s get started!
What to consider
The first task is to understand what you need in a VMS. The nature of your business is what will determine the features you need in a VMS. If it’s an industrial military complex, then you will have more requirements than someone who distributes home appliances; but there are still certain capabilities that every company needs regardless of the business type.
The next task will be to determine how you will deploy the VMS. The decision about how you will deploy your Visitor Management System is an important one. Once that’s made clear, there are several options for deployment based on the size and scope of business:
- Are you a small company with one location?
- Are you a medium-sized company with multiple locations but mostly operates from a headquarters (this could be a building or a campus-like complex)?
- Are you a large company with many different geographic locations with diverse business objectives?
System Maintenance. No matter how you deploy the system, it must be maintained. How easy is it to maintain? Who is responsible for maintaining the system? Will you need to maintain the system, will you need to hire consultants to perform the maintenance, or will the vendor be responsible for maintaining it? How often are updates issued and how easy are they to install if you or a consultant has to install the updates? How long will the system be down when the system is being updated?
Availability and Reliability. You still need to consider factors like availability and uptimes before implementing a new system into your business; what will happen when the system goes offline? How often does a system experience an unplanned outage? The reliability must factor in because if there’s an unexpected failure during work hours then visitors may have difficulty getting inside your buildings to visit your employees. Employees may be unable to meet schedules if visitors cannot get in at their scheduled times. This could cause your employees to be fall back relying heavily upon manual processes. This would negate the benefits of having an automated Visitor Management System. A highly reliable Visitor Management System such as our MAX Visitor Management System will provide superior uptimes. We have multiple government customers who have experienced many years of service without any unplanned downtimes.
The next task is how you will make the system available for use by your employees. How will you enroll users into the system, and how will you train them to use the system? Will the vendor provide training, or will you provide your training in-house? Will each of your users have a username and password to log into the system or will you connect the system to an existing network that has a single sign-on feature such as Active Directory or SiteMinder or some other federated system to authenticate users?
The last thing to consider is data migration and connectivity to external systems. It is important to note that transferring visitor information from an older system to a new system will not be possible in all cases. If you are considering a move, it’s best practice to ensure this task has been planned out ahead of time so as not to disrupt your business operations and customer experience along the way!
Also if you are now connected to external systems such as an HR system or a Physical Access Control System you will need to check to see if that will be possible with the new system. Such integrations will take planning and time. Making sure any legacy systems can communicate with the new system needs research and planning before moving forward.
Understanding What You Need in a Visitor Management System
The first step in the process of buying a visitor management system is to conduct an intake with your potential vendor. You should ask them about their system, what features they offer and if there are any that would make life easier for you as well as others on staff who may be managing visitors. The goal here opening up lines of communication with the vendor, so the vendor knows how your current system works (if one exists), what you like about it and what you do not like about it. Your vendor should tell you how their system meets all of your needs including the features your present system does not have. You might consider meeting with all of the stakeholders and gaining a documented understanding of what they require to do their jobs. What do they like in any current system and what they would like to see different when switching to a new system.
Do you have a Physical Security Officer (FSO)? With all of the different Visitor Management Systems out there, it’s important that your physical security officers (FSO) have a say in choosing which one will work best for you. Your FSO needs to be involved when making decisions about purchasing or installing new technology so they can ensure any policies are being enforced accordingly and that nothing gets overlooked during implementation! The worst time to find out that the new system does not provide a needed function is when you are trying to go live with the new system.
Large companies with different geographic locations may have an FSO at each location and each location may have different security policies. That is okay as long as the Visitor Management System may be configurable by location.
You should know what kind of activities take place at each location to understand how the Visitor Management System needs to function at each of the locations. For example if one location has dangerous machinery running your biggest concern at that location might be to keep track of the whereabouts of each of your visitors, so they do not wander into a dangerous area. Another location that has classified and/or sensitive intellectual property, you will want to keep track of your visitors so that they do not see something that they should not see.
You might also need to track ITAR compliance or other compliance factors at this other location. And you may need to vet visitors against FBI watchlists, US Treasury watchlists, or other watchlists. The system should be configurable to enforce such additional requirements on a location-by-location basis.
What do you need to track about your visitors? With all of this in mind, here is a list of questions that may highlight some of the items that will need to be tracked on a location by location basis:
- Do you need to record the activities with which the visitor is associated?
- Do you need to record the name of the sponsor that invited the visitor?
- Do you need to record the name of the person approving the visit?
- Do you need to record the location where the visit will take place such as a building number, room number, or identifiable location within the facility?
- Will any classified or sensitive information or property be exchanged? If so, do you need to record the fact that it will be exchanged?
- Does the visitor have the proper clearance, certificates, or insurance that may be required to participate in the visit?
- Has the visitor been banned from this or any other location belonging to this organization?
- Is the visitor attending a public event held at the facility, are they visiting a family member or friend, or are they visiting for some business related to the facility?
- If knowledge of the citizenship of the visitor is required, is there a way to record this? Do you need to track dual citizenship when that is applicable? Are there ways to alter business rules based on citizenship?
- If the visitor is not a US citizen or a green card holder, do they need a VISA? If they need a VISA is there a way to record information about the VISA such as the number and expiration date?
- Are there any pre-entry questions that need to be answered?
- Does the visitor need to have an active NDA on file before they are allowed to enter?
- Does the visitor require an escort while on the premises? If so, do we need to record the name of the escort?
- Does the system require a separation of duties? For example, does the sponsor, the person approving the visit, and the person issuing the visitor pass need to be separate people?
- Does the system provide an audit trail of all of the changes made to the data? How far back do you need the audit trail to go? Ideally, any changes to any visitor data, user data, and system settings should be written to the audit system. The audit data should include the username of the person effecting the change as well as the date and time of the change.
How To Deploy the Visitor Management System
In the old days, most systems were deployed either as desktop applications, client-server applications, or host-based applications. These days the best bet is to go with a cloud-based system. For more detail please read our blog Cloud vs. On-Prem.
There are many advantages to a cloud-based application. One of the first and obvious advantages is that you will not have to install and maintain the application yourself. Certainly, you will have to install and maintain some simple client software but that is considerably simpler than installing and maintaining server hardware and software.
Cloud systems tend to be more secure. It is often thought that an on-premises system is more secure because it is installed internally in an organization. It is unlikely that many organizations can install and maintain something as secure as a professionally installed cloud-based application. They are managed by professionals including those who are totally immersed in security whereas on-premises systems are installed and maintained by IT personnel that are not likely to have the same training on security topics as a person who focuses solely on security topics.
Encryption should be applied to “data at rest” which means data stored in the database and to “data in transit” which means the data that is going between your workstations and the server. The bad guys like to sniff data networks and watch the data going by. But if the data going between the workstations and servers is encrypted, then all a hacker will see will look like gibberish. Be sure to ask to what level data at rest and data in transit is encrypted. Data at rest should be encrypted to something like AES-256 and data in transit should be encrypted to SHA-256 or higher.
The bottom line is that the best bet is to look at cloud-based applications and do not use an on-premises system. The only time we would recommend an on-premises system is when the user wants an automated clipboard that does not need to track any Personally Identifiable Information (PII).
Cloud-based systems are maintained by the cloud host and the application provider. Such support is generally done during off-hours when you will not likely be on the system. Look carefully at the Service Level Agreement though and make sure you understand what is being offered service-wise and what your rights are if the system does go down.
Making the Visitor Management System Available to All Users
As important as this is, it is often overlooked. New systems typically are set up with one or two administrative accounts. It is often up to you to assign your user accounts to your employees. If you only have a few users, then this may be trivial. But if you have hundreds or even thousands of users, then this can be a daunting task.
If you have a single sign-on system, such as Active Directory or SiteMinder then this may take care of getting your users to access the basis system. But depending on the complexity of your installation, you will still have to set up which users get which roles. This is also further exacerbated by the number of different badges or passes that you need. For example, some systems may issue different classes of badges or passes for: Visitors, Contractors, Vendors, Temporary Employee Badges, Foreign National Badges, etc.
Some users will need specific roles to issue visitor requests and visitor invitations. Other users may need the roles that will allow them to approve pending visitor requests and visitor invitations. Some users may perform a security function. Security personnel may be required to research why a person raised a security flag. Such people will need to be assigned a security role. People who issue badges will need the roles necessary to complete the issue process. Still, others may perform administrative roles and will therefore need to be assigned one or more administrative roles.
Another possibility if you are moving off of an older system onto a new Visitor Management System is to check with the vendor to see if they have any ability to transfer the user accounts from the older system to the newer system. That is often not possible but if they do have the capability to make such a transfer, it will be at a significant cost. But such a transfer could save a lot of time and internal labor costs.
As is the case with transferring user accounts from an older system to a newer system, it may be possible to transfer existing visitor and visitor badge information from an older system to a newer system. This will come at a cost, but the cost may be worth not losing the historical value of the old data.
Making the Cut
Selecting the “right” Visitor Management System is not an easy job. There is a lot to selecting the right Visitor Management System to suit your needs and the needs of the stakeholders. You should also consider how likely your Visitor Management System requirements will change over time. You do not want to purchase a system that cannot grow if your company is likely to grow over the next few years. Changing Visitor Management Systems is itself a painful prospect. Many organizations end up staying with a Visitor Management System that is a poor fit just because they do not want to go through the pain of switching.
Picking the right Visitor Management System vendor is as important as picking the right Visitor Management System. Too many software companies are only concerned with closing deals and collecting their periodic subscription fees. They know that many customers will not leave them because the customer does not want to endure the pain of switching. A good Visitor Management System vendor can ease the pain of switching. A good vendor will become a valuable member of your security team!
If you are interested in purchasing a Visitor Management System for the first time or you need a new Visitor Management System that will more closely match your needs, TARGE offers free consultations. Our staff has over 20 years of experience with Visitor Management System customers of all sizes. We have over 40 years of experience working in secure facilities protected by Visitor Management Systems. Contact us by phone, email, or click here and fill out our contact form. We would be happy to have a no-obligation conversation with you.