Skip to content

Vendor Management

Prerequisites

Section titled “Prerequisites”
  • Security questionnaire, DPA template, risk categorization.

Steps

Section titled “Steps”
  1. Evaluate: security posture, certifications, data flows, retention, and exit.
  2. Contract: DPA/SCCs, breach SLAs, subprocessor disclosures.
  3. Onboard: least-privilege access, key management, logging.
  4. Review: annual risk review, usage, costs, and alternatives.
  5. Offboard: revoke access, export data, confirm deletion.

Validation

Section titled “Validation”
  • Vendors have required controls; access and cost are right-sized.

Troubleshooting

Section titled “Troubleshooting”
  • Shadow tools: centralize procurement and SSO.

Time/Impact

Section titled “Time/Impact”
  • 2–6 weeks depending on risk. Reduces exposure and surprises.
Section titled “Related”