AuditRubric
id-am-4 high Identify / Asset Management

Inventories of services provided by suppliers are maintained

Third-party SaaS tools, APIs, and managed services are part of your attack surface even though you do not control them directly. A supplier service inventory lets you quickly assess the blast radius when a vendor has an incident, enforce offboarding when contracts end, and demonstrate third-party risk management to auditors. Without it, shadow IT and zombie accounts accumulate silently.

Estimated effort: 4h
Tags: suppliers, saas, third-party, inventory
Complete first: id-am-2

Implementation steps

  1. Discover all current supplier services

    Pull a list of approved vendor contracts from finance or procurement, then cross-reference with your SSO provider and expense reports to catch tools that were adopted without formal approval. Include SaaS applications, cloud infrastructure providers, managed security services, and critical APIs your products depend on.

    Tools: okta, google-workspace, microsoft-entra-id, zluri, torii

  2. Record required fields for each supplier service

    For each entry capture: vendor name, service name and URL, business owner, data types shared with the vendor, contract or renewal date, and criticality to operations. Flag services that process personal data or have privileged access to your environment.

  3. Establish an approval and review process

    Require formal approval before new supplier services are adopted. Review the full inventory at least annually or when a vendor notifies you of a significant change. Integrate with your offboarding checklist so access is revoked when employees leave or when a contract ends.

    Tools: servicenow, jira, confluence
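As an added example, not part of this rubric or of any named tool's API, the script below carries the three steps through in code: it reconciles a procurement list against the app names seen in SSO and expense reports (step 1), validates the fields required in step 2, and flags personal data, privileged access and lapsed renewals for the review in step 3. The `PROCUREMENT`, `SSO_APPS` and `EXPENSES` inputs are constructed sample data, and the personal-data check is a simple keyword heuristic.

```python
"""Reconcile procurement, SSO and expense data into a supplier service inventory."""
from datetime import date

# Fields every inventory entry must carry (step 2).
REQUIRED = ("vendor", "service", "url", "owner", "data_types", "renewal", "criticality")

# Constructed sample inputs: approved contracts from procurement, app names from the
# SSO catalog, and card merchants from expense reports. None of this is real data.
PROCUREMENT = [
    {"vendor": "Okta", "service": "Okta SSO", "url": "https://example.okta.com",
     "owner": "it-ops", "data_types": ["employee PII"], "renewal": date(2025, 3, 1),
     "criticality": "high", "privileged": True},
    {"vendor": "Zluri", "service": "Zluri", "url": "https://app.zluri.com",
     "owner": "security", "data_types": ["app metadata"], "renewal": date(2025, 9, 30),
     "criticality": "medium", "privileged": False},
    {"vendor": "Acme Surveys", "service": "Acme Surveys", "url": "", "owner": "",
     "data_types": ["customer email"], "renewal": date(2024, 1, 15),
     "criticality": "low", "privileged": False},
]
SSO_APPS = ["Okta SSO", "Zluri", "Notetaker Pro"]
EXPENSES = ["Zluri", "Notetaker Pro", "Figma"]


def normalize(name):
    return name.strip().lower()


def reconcile(procurement, sso_apps, expenses, today):
    approved = {normalize(c["service"]): c for c in procurement}
    observed = {normalize(a) for a in sso_apps} | {normalize(e) for e in expenses}
    findings = {
        # Seen in SSO or expenses but never approved: candidate shadow IT.
        "shadow_it": sorted(observed - set(approved)),
        # Approved but with no SSO or expense trace: candidate zombie contract.
        "unobserved": [approved[k]["service"] for k in sorted(set(approved) - observed)],
        "missing_fields": {}, "flags": {}, "expired": [],
    }
    for c in approved.values():
        missing = [f for f in REQUIRED if not c.get(f)]
        if missing:
            findings["missing_fields"][c["service"]] = missing
        flags = []
        # Keyword heuristic for personal data; a real inventory would use a taxonomy.
        if any("pii" in d.lower() or "email" in d.lower() for d in c["data_types"]):
            flags.append("personal-data")
        if c.get("privileged"):
            flags.append("privileged-access")
        if flags:
            findings["flags"][c["service"]] = flags
        if c["renewal"] < today:
            findings["expired"].append(c["service"])
    return findings


def run_sample():
    return reconcile(PROCUREMENT, SSO_APPS, EXPENSES, date(2025, 1, 1))
```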

Evidence required

Supplier service inventory

A current list of all third-party services in use, with business owner, data types, and criticality recorded for each.

  • SaaS management platform export (Zluri, Torii, or similar)
  • Spreadsheet of vendor services with owners and renewal dates
  • SSO application catalog showing all connected third-party apps

Evidence of annual review

Proof that the inventory was reviewed and reconciled within the last 12 months.

  • Dated audit of the supplier inventory spreadsheet
  • Ticket tracking the annual vendor review process
  • Meeting notes from a vendor risk review session

Related controls