Third-Party Vendor Risk Management: A Practical Framework for Australian Business

Most Australian SMBs have no formal vendor risk management program. Yet third-party access is consistently a top attack vector. A structured approach does not require enterprise resources — it requires a clear process.

By Ryan Balloot, Managing Director | 14 October 2024 | 2 min read

Third-party vendors with access to your systems represent an external attack surface you do not directly control. The security posture of your business is partly a function of the security posture of every party with access to your environment. Managing that risk requires a structured approach.

Step One: Vendor Inventory

List every third party with access to your systems or data. Include IT providers, managed service providers, software vendors with admin access, accountants, legal firms with matter management system access, and any other external parties. Most businesses find more vendors than they expected when they do this exercise properly.

Step Two: Access Scoping

For each vendor: what access do they have, to what systems, and why? Is that access still required? Is it scoped to the minimum necessary for the services they provide? When was it last reviewed? Access that was created for a specific project and never revoked is a common gap.

Step Three: Security Baseline Assessment

For high-risk vendors — those with access to sensitive data or critical systems — request a security attestation: SOC 2 Type II report, ISO 27001 certificate, or completion of a security questionnaire. Confirm they enforce MFA on accounts used to access your environment. For lower-risk vendors, a reference check and review of their public security practices may be sufficient.

Step Four: Ongoing Review

Vendor risk is not static. Review the inventory annually, or when a significant vendor changes ownership, undergoes a security incident, or changes the nature of their access. Establish a process for prompt access revocation when vendor relationships end.

What should our contract with an IT provider include from a security perspective?

Minimum security control requirements, breach notification obligations (ideally within 24 hours of discovery), the right to audit, liability provisions for breaches originating from the provider's environment, and data handling and deletion obligations at contract end. Review existing contracts against these criteria and renegotiate where significant gaps exist.
