How should vendor IDs be managed when vendors need remote access to system components?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

How should vendor IDs be managed when vendors need remote access to system components?

Explanation:
Vendor IDs used for remote access should be enabled only for the time period in which they are needed, disabled when not in use, and monitored while active. This is what PCI DSS asks for (Requirement 8.1.5 in v3.2.1, Requirement 8.2.7 in v4.0): IDs used by third parties to access, support, or maintain system components via remote access are enabled only during the period needed and disabled when not in use, and their use is monitored. Keeping the ID disabled by default shrinks the window during which a compromised vendor credential, or a vendor acting outside an agreed change, can reach system components; monitoring each active session produces an audit trail that lets you detect unusual or unauthorized activity and respond promptly.

The other options fall short. Permanent remote access defeats least privilege and leaves a standing path into the environment. Limiting access to business hours is not a just-in-time control: it still leaves a broad daily window open whether or not any work is approved, and it does not help when urgent maintenance is required outside those hours. Requiring ongoing manual approvals adds delay but does not by itself guarantee that the ID is disabled between approved tasks or that sessions are monitored. The time-bound, disabled-when-not-in-use, and actively monitored approach is the strongest control over vendor remote access.
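The control described above, as an added example that is not part of the original page or of the PCI DSS text: a small just-in-time manager that enables a vendor ID for an approved change window, disables it on a scheduled sweep once the window closes, and replays authentication events against the window to flag use outside it. The account names, ticket number, policy cap on window length, and log line format are assumptions constructed for the example.

```python
"""Just-in-time control for vendor remote-access IDs (added example).

Enable a vendor ID only for an approved window, disable it on a scheduled
sweep once the window closes, and replay login events against the window so
that any use outside it is flagged. Account names, ticket IDs, the policy cap
and the log format are constructed for this example, not a product's format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy cap on a single grant; a real policy would set this value.
MAX_WINDOW = timedelta(hours=8)


@dataclass
class VendorAccount:
    user_id: str
    enabled: bool = False            # disabled by default, enabled only per grant
    window_start: Optional[datetime] = None
    window_end: Optional[datetime] = None


class VendorAccessManager:
    def __init__(self) -> None:
        self.accounts: dict[str, VendorAccount] = {}
        self.audit: list[str] = []   # append-only trail of enable/disable actions

    def register(self, user_id: str) -> None:
        self.accounts[user_id] = VendorAccount(user_id)  # created disabled

    def grant(self, user_id: str, start: datetime, hours: float, ticket: str) -> datetime:
        """Enable the ID for exactly the approved window; return the window end."""
        duration = timedelta(hours=hours)
        if duration > MAX_WINDOW:
            raise ValueError(f"window of {hours}h exceeds policy cap {MAX_WINDOW}")
        acct = self.accounts[user_id]
        acct.enabled, acct.window_start, acct.window_end = True, start, start + duration
        self.audit.append(f"{start.isoformat()} ENABLE {user_id} "
                          f"until {acct.window_end.isoformat()} ticket={ticket}")
        return acct.window_end

    def sweep(self, now: datetime) -> list[str]:
        """Disable every account whose window has closed; run from a scheduler."""
        disabled = []
        for acct in self.accounts.values():
            if acct.enabled and acct.window_end is not None and now >= acct.window_end:
                acct.enabled = False
                acct.window_start = acct.window_end = None
                disabled.append(acct.user_id)
                self.audit.append(f"{now.isoformat()} DISABLE {acct.user_id} window-expired")
        return disabled

    def check_login(self, user_id: str, when: datetime) -> Optional[str]:
        """Return a reason string if a login violates the control, else None."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "unregistered vendor id"
        if not acct.enabled:
            return "login while disabled"
        if not (acct.window_start <= when < acct.window_end):
            return "login outside approved window"
        return None


# Assumed log shape: "<ISO-8601 UTC> <daemon> LOGIN user=<id> src=<ip>"
LOGIN_RE = re.compile(r"^(\S+) \S+ LOGIN user=(\S+) src=(\S+)$")


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def review_log(mgr: VendorAccessManager, lines: list[str]) -> list[tuple[str, str, str]]:
    """Replay login events in order, sweeping at each timestamp, and collect alerts."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts, user, src = parse_ts(m.group(1)), m.group(2), m.group(3)
        mgr.sweep(ts)                      # the scheduler would have run by now
        reason = mgr.check_login(user, ts)
        if reason:
            alerts.append((user, src, reason))
    return alerts


# Constructed sample: one approved two-hour window, then a login after it
# closed and a login by an ID that was never granted access.
SAMPLE_LOG = [
    "2024-05-02T09:15:00Z sshd LOGIN user=vendor-acme src=203.0.113.7",
    "2024-05-02T11:40:00Z sshd LOGIN user=vendor-acme src=203.0.113.7",
    "2024-05-02T11:45:00Z sshd LOGIN user=vendor-globex src=198.51.100.9",
]


def demo() -> list[tuple[str, str, str]]:
    mgr = VendorAccessManager()
    mgr.register("vendor-acme")
    mgr.grant("vendor-acme", parse_ts("2024-05-02T09:00:00Z"), 2, "CHG-1234")
    return review_log(mgr, SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", *alert)
```

Two design points matter for the control. The sweep is what enforces "disabled when not in use": without it, a window that nobody remembers to close becomes the permanent access the explanation warns against, so it should run from a scheduler rather than depend on an operator. And the log replay is the monitoring half: the second and third sample lines are the ones a reviewer needs to see, a vendor ID used after its window expired and an ID that was never granted access at all.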
