The Vendor Access Review Every Operator Should Run This Quarter
If a vendor finished work six months ago, their login to your systems probably still works. Not because anyone decided to keep it — because nobody decided to turn it off.
By Droptine Group · 4 min · Energy + Oil/Gas
TL;DR
- Vendor access accumulates silently: granted for one job, kept "just in case," and forgotten by everyone except the systems that still honor it.
- A vendor access review means building an inventory of every external path into your systems, matching each one to a current business need, and closing the ones that don't have one.
- You can start the inventory yourself this week — the hard part isn't the work, it's that the list is usually longer than anyone expected.
Why Vendor Access Builds Up
Vendor access has a natural lifecycle on paper: a contractor needs in, gets access, finishes the job, and access goes away.
In practice, step four rarely happens on its own.
The integrator who commissioned a new pump in April may still have a VPN credential that works in November. The remote-monitoring vendor who needed access to one dashboard got broader network access because that was easier to set up at the time. The equipment vendor who "might need to check on something" has credentials parked somewhere on your system.
None of this started as negligence. Each access grant made sense when it was issued. The problem is that granting access has a clear owner — whoever set up the project — and revoking it doesn't. When the job ends, the credential doesn't automatically follow.
So it stays. And the next project adds another one. And the one after that.
This is how operators end up with a list of external paths nobody has thought about in years, some of them reaching systems they'd rather nobody outside the company touched.
What a Vendor Access Review Actually Is
It isn't a security audit and it doesn't require a security team.
A vendor access review is three things: an inventory, a matching exercise, and a cleanup.
The inventory is a list of every external path into your systems — every login, every VPN connection, every remote-access credential held by a contractor, vendor, or service company. Not "the ones you know about." All of them.
The matching exercise asks one question for each item on that list: is there an active contract or current business need that justifies this access? If the answer is yes, it stays. If the answer is no — or "I'm not sure" — it needs a decision, not an assumption.
The cleanup revokes what doesn't belong and documents what does. Going forward, new access gets scoped narrowly, logged, and set to expire.
That's the review. It's operational housekeeping with security consequences.
How to Run One This Week
You don't need outside help to start. Here's a sequence that a non-security person can work through:
1. Build the list.
Ask your IT person, your field supervisor, and your operations manager the same question: who has remote access to our systems right now? Include every vendor with a login, a VPN connection, or remote-desktop access — not just the ones you use regularly. Pull from memory, from tickets, from the network's active user list. Write it down.
2. Check each one against an active contract.
Go through the list and ask: is this vendor currently under contract? Did the engagement that created this access end? Pull the relevant contracts. If there's no active agreement behind an active credential, that's your first finding.
3. Find out what each vendor can actually reach.
An access credential that can only reach a single monitoring dashboard is a different exposure than one with broader network access. For each entry on your list, document what systems that vendor can see or touch. This is often the step where the list gets uncomfortable.
4. Check whether access is logged.
When a vendor logs in, does anyone know? Is there a record? Logging isn't the same as monitoring, but it's the starting point for knowing what's happening in your environment. If vendor logins generate no record, that's worth noting.
5. Make new access time-bound from here forward.
Before you close out the review, set a rule: any new vendor access has a written expiration date tied to the contract or project. When it ends, access ends. This doesn't fix what's already there, but it stops the accumulation from continuing.
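The five steps above are a matching exercise that can be written down as data and checked mechanically once the inventory exists. The script below is an added example, not code from the original article or from Droptine Group: it models one inventory entry per external path, then applies steps 2 through 5 (contract still active, reach limited to what the job needed, logins recorded, expiration date set) plus the shared-credential check, and returns the findings per credential. The inventory is constructed sample data and every field name is an assumption; a real run would populate the same records from your VPN, remote-desktop and ticketing exports.

```python
"""Vendor access review: inventory -> match against need -> findings.

Added example, not code from the original article or from Droptine Group.
SAMPLE_INVENTORY is constructed sample data and the field names are
assumptions; fill the same records from your own VPN / RDP / ticket exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class VendorAccess:
    """One external path into the environment (step 1: the inventory)."""
    credential: str               # login, VPN profile or remote-desktop account
    vendor: str
    contract_end: Optional[date]  # None = no agreement found behind this credential
    needed: Set[str]              # systems the engagement actually required
    reachable: Set[str]           # systems the credential can reach today
    users: int = 1                # how many people at the vendor use this login
    logged: bool = False          # do logins leave a record anywhere?
    expires: Optional[date] = None  # written expiration date, if one exists


def review_access(inventory: List[VendorAccess], today: date) -> Dict[str, List[str]]:
    """Return findings per credential; an empty list means the entry passed."""
    findings: Dict[str, List[str]] = {}
    for a in inventory:
        notes: List[str] = []
        # Step 2: an active credential with no active contract behind it.
        if a.contract_end is None:
            notes.append("no contract on file")
        elif a.contract_end < today:
            notes.append(f"contract ended {a.contract_end.isoformat()}")
        # Step 3: reach broader than the job required.
        extra = a.reachable - a.needed
        if extra:
            notes.append("reach beyond need: " + ", ".join(sorted(extra)))
        # Shared credential: one login, several people, never rotated.
        if a.users > 1:
            notes.append(f"shared by {a.users} users")
        # Step 4: logins that leave no record.
        if not a.logged:
            notes.append("logins not logged")
        # Step 5: no written expiration date tied to the contract or project.
        if a.expires is None:
            notes.append("no expiration date")
        findings[a.credential] = notes
    return findings


def revoke_candidates(findings: Dict[str, List[str]]) -> List[str]:
    """Credentials with no current contract behind them: the first decisions to make."""
    return sorted(
        cred for cred, notes in findings.items()
        if any(n.startswith(("no contract", "contract ended")) for n in notes)
    )


# Constructed sample inventory (assumed vendor names and system labels).
REVIEW_DATE = date(2024, 11, 15)
SAMPLE_INVENTORY = [
    # Integrator who commissioned a pump in April; VPN still works in November.
    VendorAccess("vpn-pumpco", "PumpCo Integrators", date(2024, 4, 30),
                 needed={"pump-plc"}, reachable={"pump-plc", "historian", "hmi"}),
    # Monitoring vendor, scoped correctly, but one login used by a whole team.
    VendorAccess("rdp-monitorsvc", "MonitorSvc", date(2025, 12, 31),
                 needed={"monitoring-dashboard"}, reachable={"monitoring-dashboard"},
                 users=4, logged=True, expires=date(2025, 12, 31)),
    # Equipment vendor account parked "in case"; no agreement anyone can find.
    VendorAccess("svc-equipco", "EquipCo", None, needed=set(), reachable={"hmi"}),
    # Active engagement, narrow scope, logged, expiring with the contract.
    VendorAccess("vpn-calibrate", "Calibrate Ltd", date(2025, 3, 31),
                 needed={"historian"}, reachable={"historian"},
                 logged=True, expires=date(2025, 3, 31)),
]


if __name__ == "__main__":
    results = review_access(SAMPLE_INVENTORY, REVIEW_DATE)
    for cred, notes in results.items():
        print(f"{cred}: {'; '.join(notes) if notes else 'OK'}")
    print("revoke first:", revoke_candidates(results))
```

The point of keeping `needed` and `reachable` as separate sets is step 3: the uncomfortable finding is rarely the login itself but the difference between those two sets, and recording both makes the gap explicit rather than something rediscovered on the next review.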
What Operators Usually Find
Running this review for the first time surfaces a consistent set of things.
Former contractor accounts that are still active. Nobody removed them when the work ended — it either wasn't in the offboarding checklist or there wasn't one.
Shared credentials. One login created for a vendor team, used by multiple people, never rotated. When a single person leaves that company, the credential doesn't go with them.
Access broader than the job required. The vendor needed to reach one system, but the path they were given also touches adjacent systems. The scope was set for convenience, not precision.
None of these are dramatic. They're the ordinary residue of operations that prioritized getting work done — which is the right call at the time. A vendor access review is just the part where you look at what accumulated.
When to Get Help
If the inventory itself is hard to produce — if you ask around and nobody can give you a confident list of who has access — that's the finding.
It means vendor access isn't being managed in any organized way, and there's no baseline to review against. That's a different problem than having a list with some items that need cleanup. It means the list doesn't exist yet.
At that point, building the inventory is the first piece of work, and it's worth doing with someone who can pull it from your systems directly rather than assemble it from memory and guesswork.
If remote access or vendor logins are on your mind, an operational risk review puts the whole list in front of you.