Vendor Access
Set rules for third-party access to systems, data, and support channels.
Policy intent
Access policy should make permissions intentional, reviewable, and removable. It should prevent accounts from surviving role changes simply because nobody owns the cleanup.
Minimum content
- Define who and what the policy covers, including systems, data, tools, users, vendors, and exceptions.
- Joiner, mover, and leaver handling.
- MFA and credential handling expectations.
- Privileged access approval and review.
- Exception expiration and removal evidence.
Expected output
A policy page that states expectations clearly enough to guide approval, exception, and review decisions.
Common failure mode
Leaving access active because ownership, expiration, or review evidence is unclear.
Use notes
| Topic | Note |
|---|---|
| Authority | Identify who can approve, deny, and grant exceptions. |
| Exception handling | Give exceptions an owner, reason, expiration, and review date. |
| Review point | Review when law, tools, contracts, ownership, or operational risk changes. |
Related pages
- Access Review: Define how access is reviewed, changed, approved, and removed.
- Remote Work: Set expectations for access, devices, communication, security, and availability away from site.
- Third Party Review: Define how vendors, services, and external tools are reviewed before use.
- Access Review Checklist: Confirm account ownership, appropriateness, and removal actions.
- Access Review Log: Track access review findings, approvals, removals, and exceptions.