If we require assistance from a vendor to have developer access to production how is that treated during the audit?
If the access is temporary in nature, it could be treated the same way you would treat any vendor for a particular service, (e.g. generator inspector, sensitive document shredding vendor, data center badge access software vendor, etc.).
In other words, it is common and acceptable for vendors to assist in an organization’s control environment. You would simply have them be subject to your established vendor management practices, sign appropriate forms that may be required, then allow them to perform what you have contracted/engaged them to do. When the project or issue is complete, you would revoke their authorization / access and review their tasks – in a timely manner.
If their access will be long standing (not tied to a specifically defined project or support issue), then most organizations have the same process in place for temporary access, but with additional monitoring controls.
About the AuthorMore Content by Ryan Buckner