VM-05 Third-Party / Vendor Management

Third-Party Access Management

External party access is least-privilege and monitored.

Domain: Third-Party / Vendor Management
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Continuous
Framework reference: MAS TRM – Third Party/Access

What good looks like

Third-party access is least-privilege, time-bound, MFA-protected, logged and reviewed.

Risk if it fails

Supply-chain compromise via vendor access.

How Tess tests it

3 tests — each concludes only on cited evidence.

Third-party access standard defined

Design

Procedure: Inspect the standard.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: Third-party access listing, logs, review evidence.

Access least-privilege, time-bound, MFA

Operating

Procedure: Sample third-party access.
Expected: Controlled.
Sample: 25 (or full config inspection)
Evidence: Third-party access listing, logs, review evidence.

Access logged & reviewed

Operating

Procedure: Inspect logs/reviews.
Expected: Monitored.
Sample: 25 (or full config inspection)
Evidence: Third-party access listing, logs, review evidence.

Evidence Tess looks for

Third-party access listing, logs, review evidence.

More in Third-Party / Vendor Management

VM-01 Vendor / Third-Party Risk Assessment VM-02 SOC Report Review (SOC 1/2) VM-03 Cloud Provider Governance (GCP) VM-04 Outsourcing Register & MAS Compliance

Want Tess to test VM-05 against your evidence?