AuditRubric
gv-sc-10 | Priority: medium | Govern / Cybersecurity Supply Chain Risk Management

Supply chain risk management plans include provisions for activities after a supplier relationship ends

Ending a vendor relationship is a high-risk security event that most organizations handle poorly. Data in the vendor's possession, API keys and credentials they hold, and access accounts still tied to them are all liabilities that need to be resolved. Without a formal offboarding process, former vendors can retain access or data long after the relationship ends.

Estimated effort: 3h
Tags: supply-chain, vendor-offboarding, data-deletion, access-revocation, lifecycle
Complete first: gv-sc-5

Implementation steps

  1. Define a vendor offboarding checklist

     Create a checklist to run whenever a vendor relationship ends, covering: revoking all access credentials and API keys, requesting deletion of your data from their systems (and receiving confirmation), removing any integrations or webhooks they may have set up, and archiving the vendor security assessment records for future reference.

     Suggested tools: jira, servicenow, notion

  2. Execute and document offboarding for departing vendors

     When a vendor relationship ends, run the offboarding checklist and document completion. For critical vendors, also conduct a data inventory review to confirm you have retrieved or confirmed deletion of any data they held. Obtain written confirmation from the vendor that data has been deleted where contractually required.

     Suggested tools: jira, google-docs

  3. Include offboarding obligations in vendor contracts

     For critical and high-risk vendors, include contractual obligations covering end-of-relationship data deletion timelines, confirmation of deletion, and a process for transitioning any dependent workflows. Having this in the contract makes offboarding smoother and gives you legal recourse if a vendor fails to meet their obligations.

     Suggested tools: docusign, ironclad
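The three steps above describe one procedure: inventory what the vendor holds, revoke or delete it, and collect evidence before sign-off. The following script is an added example (not part of this rubric or any tool it mentions) that models that procedure as a sign-off gate: it takes a constructed inventory of assets tied to a departing vendor, the evidence gathered so far, and the contractual deletion deadline, and returns the checklist items that still block closure. Vendor names, asset identifiers, dates and the 30-day deletion term are all constructed sample values.

```python
"""Vendor offboarding sign-off gate (added example, constructed sample data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class VendorAsset:
    kind: str                          # "account", "api_key", "webhook", "integration"
    identifier: str
    revoked_on: Optional[date] = None  # None means the asset is still live


@dataclass
class Offboarding:
    vendor: str
    critical: bool
    ended_on: date
    assets: List[VendorAsset] = field(default_factory=list)
    deletion_requested: bool = False
    deletion_confirmed_on: Optional[date] = None  # written confirmation from the vendor
    data_inventory_reviewed: bool = False         # required for critical vendors (step 2)
    assessment_archived: bool = False
    contract_deletion_days: Optional[int] = None  # contractual deletion SLA, if any (step 3)


def outstanding_items(ob: Offboarding, today: date) -> List[str]:
    """Return every checklist item that still blocks offboarding sign-off."""
    issues: List[str] = []
    days_since_end = (today - ob.ended_on).days

    # Step 1: every credential, key, webhook and integration must be revoked.
    for asset in ob.assets:
        if asset.revoked_on is None:
            issues.append(
                f"{asset.kind} '{asset.identifier}' still live "
                f"{days_since_end} days after end date"
            )

    # Steps 1-3: deletion must be requested and confirmed in writing, and the
    # contractual deadline (if one exists) is flagged once it has passed.
    if not ob.deletion_requested:
        issues.append("data deletion not yet requested from vendor")
    elif ob.deletion_confirmed_on is None:
        msg = "written deletion confirmation not received"
        if ob.contract_deletion_days is not None:
            deadline = ob.ended_on + timedelta(days=ob.contract_deletion_days)
            if today > deadline:
                msg += f" (contractual deadline {deadline.isoformat()} passed)"
        issues.append(msg)

    # Step 2: critical vendors additionally need a data inventory review.
    if ob.critical and not ob.data_inventory_reviewed:
        issues.append("critical vendor: data inventory review not completed")

    # Step 1: keep the assessment records as evidence for future audits.
    if not ob.assessment_archived:
        issues.append("security assessment records not archived")

    return issues


def ready_for_signoff(ob: Offboarding, today: date) -> bool:
    """True only when nothing on the checklist is outstanding."""
    return not outstanding_items(ob, today)


# Constructed sample data: a critical vendor whose relationship ended 2024-06-01.
TODAY = date(2024, 6, 30)
SAMPLE_OPEN = Offboarding(
    vendor="ExampleVendor Inc",
    critical=True,
    ended_on=date(2024, 6, 1),
    assets=[
        VendorAsset("account", "svc-examplevendor", revoked_on=date(2024, 6, 2)),
        VendorAsset("api_key", "key-0001"),  # never revoked
        VendorAsset("webhook", "hooks.example.invalid/ingest", revoked_on=date(2024, 6, 2)),
    ],
    deletion_requested=True,
    assessment_archived=True,
    contract_deletion_days=30,
)
SAMPLE_CLOSED = Offboarding(
    vendor="ExampleVendor Inc",
    critical=True,
    ended_on=date(2024, 6, 1),
    assets=[VendorAsset("account", "svc-examplevendor", revoked_on=date(2024, 6, 2))],
    deletion_requested=True,
    deletion_confirmed_on=date(2024, 6, 20),
    data_inventory_reviewed=True,
    assessment_archived=True,
    contract_deletion_days=30,
)

if __name__ == "__main__":
    for item in outstanding_items(SAMPLE_OPEN, TODAY):
        print("BLOCKED:", item)
    print("ready:", ready_for_signoff(SAMPLE_CLOSED, TODAY))
```

The point of the gate is that "offboarded" is a state derived from evidence, not a box ticked by hand: a live API key or a missing written deletion confirmation keeps the ticket open, and re-running the check a week later surfaces a missed contractual deadline without anyone having to remember it. Feeding it from your actual identity and secrets inventories is the step this sample deliberately leaves out.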

Evidence required

Vendor offboarding checklist

A documented checklist used when vendor relationships end, covering access revocation, data deletion, and integration removal.

  • Vendor offboarding checklist with all steps checked off for a recent departure
  • IT ticket showing access revocation completed when a vendor was offboarded
  • Data deletion confirmation received from a former vendor

Contractual end-of-relationship data obligations

Contracts with critical vendors that include explicit provisions for data deletion and offboarding at the end of the relationship.

  • Data processing agreement section on data deletion timelines
  • Contract clause requiring written confirmation of data deletion
  • Vendor MSA with transition assistance and data return provisions

Related controls