Three Layers of Visitor Screening
Effective visitor screening operates on three layers, each catching different threats:
Layer 1: Public registries — Sex offender databases, government watchlists, and public records that identify known threats. These are checked automatically during check-in.
Layer 2: Organization deny lists — Your internal list of individuals who are banned from your facility. Former employees terminated for cause, individuals involved in prior incidents, people with restraining orders against staff.
Layer 3: BOLO alerts — "Be On the Lookout" notifications for individuals who aren't necessarily banned but require special handling. A person of interest in an ongoing investigation, a former employee who left on bad terms, a known social engineering suspect.
Each layer serves a different purpose, and each requires different management processes.
Public Registry Screening
Sex Offender Registries
The most common automated check, and mandatory for schools in many states. The VMS checks the visitor's name and identifying information against the national sex offender registry during check-in.
How it works:
Visitor scans ID at kiosk
VMS extracts name, date of birth, and photo
System checks against registry database
If match found: silent alert to security staff, visitor sees nothing unusual
Staff follows established protocolImportant: A match is not a conviction at the door. Registry matches require human verification — common names produce false positives. The system flags; humans decide.
Government Watchlists
For organizations with regulatory requirements (government buildings, defense contractors, ITAR-controlled facilities), additional watchlist checks may be required:
OFAC Specially Designated Nationals (SDN) list
FBI Most Wanted
DHS screening databases
Industry-specific restricted party listsCriminal Background Checks
Some organizations run criminal background checks on visitors accessing sensitive areas. This typically requires the visitor's consent and may add processing time.
Organization Deny Lists
Building the List
Your deny list should include:
Terminated employees — Especially those terminated for cause (theft, violence, threats, harassment)
Trespassed individuals — People formally issued a trespass warning
Restraining order subjects — Individuals with court orders restricting contact with your staff
Prior incident actors — People involved in security incidents at your facility
Known bad actors — Individuals identified by law enforcement as threats to your organizationEntry Requirements
Each deny list entry should include:
Full name (and known aliases)
Date of birth (if available)
Photo (critical for visual identification)
Reason for denial
Date added
Added by (who made the decision)
Review date (when should this entry be reconsidered?)
Required action (deny entry, alert security, call police)Due Process
Deny lists have legal implications. Consult your legal team on:
Documentation requirements for each entry
Review and appeal processes
Non-discrimination compliance
Data retention for denied-entry records
Liability for wrongful denialBOLO Alerts
BOLO alerts are softer than deny list entries. They don't automatically block entry — they notify security staff that someone noteworthy has arrived.
Use Cases
Custody disputes — Non-custodial parent arriving at a school; might be legitimate, might violate a court order
Former employees — Not banned, but security wants to know if they return
VIPs — Important visitors who should receive special treatment
Active investigations — Persons of interest in ongoing security or HR investigations
Social engineering suspects — Individuals who match the profile of social engineering attempts reported in your areaAlert Configuration
For each BOLO entry, configure:
Who gets notified — Security team, specific manager, HR, legal
Notification method — Push notification, SMS, email, phone call
Priority level — Informational, elevated, critical
Required response — Acknowledge only, escort required, contact supervisor
Expiration — Auto-expire BOLOs after a set period unless renewedAutomation vs. Human Judgment
The VMS automates the detection. Humans make the decisions.
Automated:
Registry and database checks during check-in
Deny list matching and entry blocking
BOLO notifications to designated staff
Audit trail of all screening actionsHuman:
Verifying matches (false positive assessment)
Making entry/denial decisions for BOLO alerts
Handling confrontations when denying entry
Escalating to law enforcement when necessary
Updating deny lists and BOLOs based on new informationMulti-Location Watchlist Management
For organizations with multiple locations:
Global deny list — Applies to all locations. Someone banned from HQ is banned everywhere.
Local deny list — Location-specific entries for local threats
Synchronized updates — Changes propagate to all locations instantly
Centralized management — Corporate security manages the global list; local security manages local additions
Unified reporting — See all matches across all locations in one viewMeasuring Effectiveness
Track these metrics:
Match rate — How often do checks return hits? (High rate = active threats in your area; zero rate = verify the system is working)
False positive rate — How many matches are not actual threats? (Tune matching sensitivity)
Response time — How quickly does staff respond to alerts?
Deny list freshness — When were entries last reviewed? Stale lists miss current threats and waste time on outdated ones
Coverage — What % of visitors are actually screened? (Should be 100%)Legal and Ethical Considerations
Documentation — Maintain clear records of why each person is on a list
Review cycles — Deny list entries should have review dates. People change.
Non-discrimination — Lists cannot target people based on protected characteristics
Privacy — Screening results are sensitive data; restrict access
Transparency — Have a process for individuals to challenge their inclusion
Data retention — How long do you keep screening results, especially for non-matches?---
KyberAccess includes automated sex offender registry checks, custom deny lists, and configurable BOLO alerts across all locations. See the security features.