Manage Support Partner Access to your Critical Systems

Increasingly clients require your IT systems to meet their specific security requirements and assurance that you are protecting their data. If your security doesn’t meet their expectations they may well choose to take their business elsewhere. An often overlooked aspect of IT security is how you manage the support companies that access your environment to keep your critical systems running. But you trust them, right? Wrong, if they compromise your security or customer’s data integrity, the buck stops with you. Ensure that you are managing support vendor access and that you are able to demonstrate this to your clients

The basics to get you started:

Define and agree with each support vendor the following acces to your company systems:

Access to XXX systems will be via the company’s (VPN/vDesktop/Other) system only. The company will not allow access using any other method, although it may alter its standard access method(s) from time to time. Decide on the method that best suits you and stick to it.

Login credentials should be unique for each vendor and each technician accessing your system, this gives you accountability. Passwords should be changed every (choose your interval) days, or after each discreet session, or immediately after a technician leaves the vendors employment.

Changes to login credentials and passwords must be communicated to the external party using a secure method. Open email messages are not acceptable and will result in the relevant accounts being made inactive until new credentials can be provided securely. Select a preferred method for sending secure encrypted data and stick to it.

All accounts should have the minimum set of privileges that are necessary to complete operational or project related current tasks. This principle applies to users, computers and the services that run on them. Accounts created for vendor access must not be used for anything else – i.e. services accounts or imbedded code.

Agree frequency, duration and or specific dates or windows of access. For longer projects, access should be reviewed on a weekly or monthly basis, and a record kept of the justification to renew contiguous access. A support vendor should never be able to access or make changes to your systems without notification and authorisation.

Purpose – ongoing support, periodic maintenance, project related, other (specify).

Level of access required – note, full administrator access is not permissible. If a similar level of access is required, it should be without the ability to alter other users access rights. All access must be confined to the system(s) relevant to that vendor only. All access rights will be reviewed (select an interval that works for you), or after each discreet access session.

If you are using multi factor auhentication to protect your systems, consider extending this requirement to your support vendors

For all new vendors requesting remote systems access, a formal request for information regarding security of their own systems should be made. Remote access should only be granted if the vendor can demonstrate that reasonable measures are in place to minimise their, and in turn your, exposure to risk.audits

For more detailed advice on how to assess, manage & secure your supply chain, email us or give us a call. We’re happy to help.