Vendor Access Register + Third‑Party
Access Checklist

A simple register to track who has access and reduce third-party risk.

Goal

Know who has access to your systems, why they have it, and whether it’s protected (MFA, least privilege, time limits).

1) Vendor access register (template)

Vendor	System(s)	Access method	Account type	MFA?	Last used	Owner	Expiry/review
__________	__________	VPN / Portal / Remote tool	Named / Shared	Yes/No	__________	__________	__________
__________
__________

2) Access hardening checklist

Control	Target	Status
Named accounts only	No shared vendor credentials	☐
MFA enforced	All vendor access requires MFA	☐
Least privilege	Access limited to needed systems only	☐
Time-bound access	Disable after work completes (where feasible)	☐
Logging	Record sessions / audit access	☐

3) Review cadence

Monthly: review “last used” and remove stale accounts.
Quarterly: review full register with management.
After any incident: rotate shared secrets and confirm MFA.

4) Simple vendor access policy statement

Copy/paste into your internal policy pack:

All third-party access must be approved by a system owner, use named accounts with MFA, and be limited to the minimum necessary privileges. Access is reviewed quarterly and removed when no longer required.

Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.

👉 Free 30-minute consultation

No hard sell - just clarity and practical next steps.

hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)

Book now