I'm drafting a guide on governing / reviewing external vendors' connections to our corporate network for support/development purposes.
So far we have 2 types of connections that are of concern (leaving out ad hoc ones like Webex):
a) permanent point-to-point VPN (using leased lines or a permanent tunnel via the Internet)
b) vendors are given RSA tokens to connect to us
Does anyone have such a guide/doc to share, and what are the fine points to look out for? E.g.:
1. periodically expiring the connection so that the outsourcing owner (or the vendor's contact in our company) is forced to review whether it is still needed
2. reviewing the vendor's staff list (i.e. user recertification of the vendor)
3. changes in the hours of access?
4. permitting access to specific PCs at the vendor's end?
5. logging / reviewing of vendors' access? (the local regulator requires that vendor access be 'monitored', so I'm thinking about how to fulfil this)
6. ... ?
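As an added example (not part of the post), points 1, 2, 4 and 5 can be checked together by reviewing VPN gateway logs against a vendor access register: the register format, the log line format and all values below are constructed assumptions, not from any real system.

```python
from datetime import datetime, date, time
import ipaddress

# Constructed register (hypothetical values): one entry per vendor account,
# holding what the outsourcing owner recertified at the last review.
REGISTER = {
    "acme-support": {
        "expires": date(2024, 6, 30),           # recertification expiry (point 1)
        "hours": (time(8, 0), time(18, 0)),     # approved access window (point 3)
        "sources": ["203.0.113.0/28"],          # approved vendor PCs/endpoints (point 4)
        "staff": {"alice", "bob"},              # recertified vendor staff (point 2)
    },
}

# Constructed VPN gateway log: "<timestamp> vendor=<account> user=<name> src=<ip>"
LOG = """\
2024-06-12T09:15:00 vendor=acme-support user=alice src=203.0.113.5
2024-06-12T22:40:00 vendor=acme-support user=bob src=203.0.113.7
2024-06-13T10:02:00 vendor=acme-support user=carol src=203.0.113.6
2024-07-02T11:00:00 vendor=acme-support user=alice src=198.51.100.9
"""

def parse_line(line):
    """Split one assumed log line into a timestamp and a dict of key=value fields."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields

def review_access(log, register):
    """Return (line, finding) pairs for each log entry that violates the register."""
    findings = []
    for line in log.splitlines():
        ts, f = parse_line(line)
        entry = register.get(f["vendor"])
        if entry is None:
            findings.append((line, "unknown vendor account"))
            continue
        if ts.date() > entry["expires"]:
            findings.append((line, "access after recertification expiry"))
        start, end = entry["hours"]
        if not (start <= ts.time() <= end):
            findings.append((line, "access outside approved hours"))
        src = ipaddress.ip_address(f["src"])
        if not any(src in ipaddress.ip_network(n) for n in entry["sources"]):
            findings.append((line, "access from non-approved source"))
        if f["user"] not in entry["staff"]:
            findings.append((line, "user not on recertified staff list"))
    return findings

if __name__ == "__main__":
    for line, finding in review_access(LOG, REGISTER):
        print(f"{finding}: {line}")
```

Each finding is the kind of item the periodic review (and the regulator's 'monitored' requirement) would expect to see raised and closed out with the vendor's contact.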