8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.
8.1.5.a Interview personnel and observe processes for managing accounts used by vendors to access, support, or maintain system components to verify that accounts used by vendors for remote access are:
• Disabled when not in use
• Enabled only when needed by the vendor, and disabled when not in use.
8.1.5.b Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used.
Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor’s environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections.
Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames.