GASP: AICF

VND-007 Vendor Access Controls

Tier 2+

Description

Vendor and third-party access to organisational systems, networks and data is governed by the principle of least privilege. Vendor access is formally authorised, time-bound, monitored, and reviewed. Privileged vendor access (e.g. remote support, admin credentials) is subject to additional controls including session recording, just-in-time provisioning, and multi-factor authentication.

Rationale

Third-party access is a major source of data breaches. Vendors with standing, unmonitored access to production systems represent a persistent risk that is disproportionate to operational need.

Framework Mappings (6)

Mapping ID: mapped control name (mapping strength)

UEM-14: Third-Party Endpoint Security Posture (full)
GDPR Art. 29: Processing Under Controller Authority (partial)
5.19: Information security in supplier relationships (partial)
5.20: Addressing information security within supplier agreements (partial)
SR-7: Supply Chain Operations Security (partial)
CC9.2: Vendor and Business Partner Risk Management (partial)

Evidence (2)

Evidence type: log (automated)

Vendor access audit logs demonstrating that third-party access to production systems is logged, time-limited, and reviewed.

Example: PAM or privileged access log export (CyberArk / AWS CloudTrail IAM events / Teleport session logs) — showing all vendor access sessions in the last 90 days with: vendor/user identity, session start and end time, systems accessed, and session recording reference

Test: Request vendor access logs for the last 90 days. Verify: (1) all vendor access sessions are logged with user identity, timestamp, and systems accessed, (2) no active standing vendor accounts exist that are not associated with a current vendor engagement, (3) session durations are consistent with declared purposes (no unexplained long-running sessions), (4) privileged sessions have session recordings available.

Evidence type: configuration (automated)

IAM or PAM configuration demonstrating that vendor accounts are provisioned with least-privilege permissions, require MFA, and are time-limited.

Example: IAM policy export for vendor-associated roles (AWS IAM / Okta group policies) — showing restricted permissions scoped to minimum required resources, MFA enforcement enabled, and time-bound access (session expiry / access expiry dates configured in PAM solution)

Test: Review IAM configurations for all active vendor accounts. Verify: (1) all vendor accounts have MFA enforced, (2) permissions are scoped to the minimum required for the vendor's stated purpose (no AdministratorAccess or equivalent granted to vendors), (3) access expiry dates are set and actively managed, (4) no vendor accounts have access that extends beyond the contractual relationship.
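The two evidence tests above can be run mechanically once the PAM session export and the IAM account export are in hand. The script below is an added example, not part of the AICF catalogue or of any PAM or IAM product: it applies the log test (sessions tied to a current engagement, plausible duration, recordings for privileged sessions) and the configuration test (MFA, no broad administrative policy, expiry set, engagement still current) to small constructed exports. Field names, the 8-hour duration threshold and the set of policies treated as broad are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample PAM export: one record per vendor session (not from any real tool).
SESSIONS = [
    {"user": "acme-support", "start": "2024-05-01T09:00:00", "end": "2024-05-01T10:30:00",
     "systems": ["db-prod-01"], "privileged": True, "recording": "rec-1001"},
    {"user": "acme-support", "start": "2024-05-03T22:00:00", "end": "2024-05-05T06:00:00",
     "systems": ["db-prod-01"], "privileged": True, "recording": None},
    {"user": "oldvendor-admin", "start": "2024-05-04T08:00:00", "end": "2024-05-04T08:20:00",
     "systems": ["bastion"], "privileged": False, "recording": None},
]
# Constructed IAM export: vendor accounts with MFA state, attached policies and expiry.
ACCOUNTS = [
    {"user": "acme-support", "vendor": "acme", "mfa": True,
     "policies": ["ReadOnlyAccess"], "expires": "2024-06-30"},
    {"user": "oldvendor-admin", "vendor": "oldvendor", "mfa": False,
     "policies": ["AdministratorAccess"], "expires": None},
]
ACTIVE_ENGAGEMENTS = {"acme"}              # vendors with a current contract (constructed)
BROAD_POLICIES = {"AdministratorAccess"}   # policies never acceptable on a vendor account


def audit_sessions(sessions, accounts, max_hours=8):
    """Log test: session tied to a current vendor, plausible duration, privileged ones recorded."""
    vendor_of = {a["user"]: a["vendor"] for a in accounts}
    findings = []
    for s in sessions:
        start, end = datetime.fromisoformat(s["start"]), datetime.fromisoformat(s["end"])
        hours = (end - start) / timedelta(hours=1)
        if vendor_of.get(s["user"]) not in ACTIVE_ENGAGEMENTS:
            findings.append((s["user"], "session by account with no current engagement"))
        if hours > max_hours:
            findings.append((s["user"], f"long-running session ({hours:.0f}h)"))
        if s["privileged"] and not s["recording"]:
            findings.append((s["user"], "privileged session has no recording"))
    return findings

def audit_accounts(accounts):
    """Configuration test: MFA enforced, no broad admin policy, expiry set, engagement current."""
    findings = []
    for a in accounts:
        if not a["mfa"]:
            findings.append((a["user"], "MFA not enforced"))
        if BROAD_POLICIES & set(a["policies"]):
            findings.append((a["user"], "broad administrative policy attached"))
        if a["expires"] is None:
            findings.append((a["user"], "no access expiry set"))
        if a["vendor"] not in ACTIVE_ENGAGEMENTS:
            findings.append((a["user"], "standing account outlives the engagement"))
    return findings
```

Each finding maps back to one numbered verification point in the evidence tests, so an empty list from both functions is the passing condition for this control.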

Questions (2)

Question type: boolean

Is all vendor and third-party access to organisational systems, networks and data governed by least-privilege principles, formally authorised, time-limited and monitored?

Vendor accounts must enforce MFA, have scoped permissions (no broad administrative access), and be time-bounded. Privileged vendor sessions should be logged and, where possible, recorded.

Question type: multi

Which controls are applied specifically to privileged vendor access (e.g. remote support, admin credentials)?

Options:
- Multi-factor authentication enforced for all vendor accounts
- Just-in-time (JIT) access provisioning — access is granted only for the duration of the support activity
- Session recording for all privileged vendor sessions
- Privileged Access Management (PAM) solution mediating all vendor privileged access
- Access review conducted each time a vendor engagement is renewed or modified
- Vendor accounts reviewed and deprovisioned when the engagement ends
- No additional controls beyond standard user account provisioning

JIT provisioning, MFA, and session recording are the expected standard for privileged vendor access. Standing, unmonitored vendor accounts with broad access are a high-risk exposure.