Your vendors are your attack surface.
Every vendor template we’ve seen is really a procurement document: what it costs, when it renews, who signed it. Useful to a finance department, useless the morning one of them gets breached. There are only four questions that matter, and this register asks them.
- The door is usually somebody else’s box. Most ransomware claims begin at a compromised firewall or VPN — a vendor’s product, on your edge, running their software.
- The column nobody has. When does their product stop getting security updates? Network gear is supported ~5 years from end-of-SALE — so a new firewall can arrive with two years left.
- A BAA tracker, if you’re a clinic. Anyone touching patient data needs a signed agreement. Note that Microsoft 365 and Google Workspace require you to actively enable it.
- Five questions to ask before you sign. A good vendor answers all five without hesitating. The hesitation is the finding.
- Vendor offboarding — the forgotten half. You offboard employees. Almost nobody offboards vendors. The web developer from three years ago very likely still has access.
We put ourselves on the register — and you should too
Your IT provider holds administrative access to nearly everything you own. Federal guidance now names managing the risk from your IT provider as its own explicit goal. So ask us the same five questions. If an IT company flinches at that, it has told you something worth knowing.
Get the template
It opens immediately on the next screen — read it online, or save it as a PDF. Nothing gets emailed to you.
