Vendor Access Reviews

Your organization needs to be able to demonstrate in your documentation that an appropriate process was used to capture all users and all roles for each in-scope application.

This exercise is commonly known as Vendor Access Reviews or User Access Reviews.

  • Privileged access should be reviewed at least quarterly.
  • Review all systems in scope, whether or not they are integrated, including your organization's own platform, and customers if your organization manages access on their behalf.
  • For any data used in the review that didn’t come directly from the “Vendor Access List” download, save screenshots of search criteria and record counts used to retrieve the listing of users to be reviewed.
  • Date stamp and reviewer sign-off to signal completion of review.
  • Indication of an “active” review (e.g. notes on the page, check boxes, notes of things to remove/fix). This does not have to appear on every line item.
  • For any user indicated as needing to be removed, the user must be removed within a reasonable time after the review.

Example User Access Review:

[Screenshot: example User Access Review]

How to complete your Vendor Reviews

  • Start with the “Vendor Access List” download from the Data Room.
  • Manually add in any roles that aren’t available via integrations (e.g. GitHub).
  • Manually add in any systems/users/roles in scope that aren’t in the platform.

How to export Vendor Access List

  • Once in Secureframe, head to Data Room in your left navigation menu.
  • Click Export Data in the top right corner.
  • Select Vendor Access List, then click Export.

Frequently Asked Questions (FAQ)

In our list of vendors I have both Atlassian and JIRA. I want to remove Jira (because that is a product of the Atlassian company.) If I archive Jira from the list of vendors, does this have any impact on the integrations we have with Jira?

  • Archiving a vendor that has a related integration will not archive the connection. The vendors and the integrations are considered separate in the platform.
  • You will be able to safely remove the Jira vendor, while keeping the Jira connection.

I used to be able to export the vendor access tab, I don't see how to do that now? 

  • This particular export is located in our Data Room.
  • Once you are in the Data Room, click Export data in the top right. In the modal, make sure Vendor Access List is selected, then click Export. Once the export is completed, you'll find the CSV within the Exports folder, under the date of the export (for example, Exports > 2025-01-06).