DailyWF / Policies

Vendor Access

Set rules for third-party access to systems, data, and support channels.

Type: PolicyVersion: v7

Policy intent

Access policy should make permissions intentional, reviewable, and removable. It should prevent accounts from surviving role changes simply because nobody owns the cleanup.

Minimum content

  1. Define who and what the policy covers, including systems, data, tools, users, vendors, and exceptions.
  2. Joiner, mover, and leaver handling.
  3. MFA and credential handling expectations.
  4. Privileged access approval and review.
  5. Exception expiration and removal evidence.

Expected output

A policy page that states expectations clearly enough to guide approval, exception, and review decisions.

Common failure mode

Leaving access active because ownership, expiration, or review evidence is unclear.

Use notes

AuthorityIdentify who can approve, deny, and grant exceptions.
Exception handlingGive exceptions an owner, reason, expiration, and review date.
Review pointReview when law, tools, contracts, ownership, or operational risk changes.

Related pages

Use this with a tool

Find related documents, copy a checklist, or request a missing workflow.