The Random Ramblings of a Sysadmin

During my time as a consultant I've seen many interesting takes on security. Today has been no exception. When visiting a client, we found that a new security policy has been enforced. In order to ensure that only authorized personnel and invited guests are in the building, they now require that guests are wearing guest access cards. The procedure for getting a card is as follows:

1. Enter the building
2. Take the lift to the floor mentioned on the sign
3. Sign list and take card

Now, this could have been okay(ish), if not for the shortcomings inherent in the implementation of this physical access restriction scheme:

1. The front door is unlocked
2. The lift allows going to any floor with no sort of identification or security - including the top floor, which has most helpfully been labeled "authorized personnel only"
3. The list/card procedure is not managed or reviewed, the guest is left to do all paperwork alone and unsupervised
4. The card is a simple cardboard guest card, and serves no other purpose than to visually identify guests
5. Employees are generally not wearing ID cards
6. Doors are generally not locked, not even on the restricted top floor

The right way of restricting access would have been to lock the front door, and man it with security guards in charge of the guest list and the guest verification procedure. As for the lifts and doors, proper access control using swipe cards would the way to go. All off this is 1970's technology, and is readily available from all major vendors of building security. Even better methods exist if using modern technology - sadly, they settled for a "solution" which is neither here nor there...