SANS ISC shares best security practices for non-employees who are often clients, business partners, vendors, etc.  The theme is to always “verify before you fully trust” … Additionally ADMINs must continuously log + monitor security events actively & implement best technical defenses for all users

Here are some tips to increase the operations security when working with third-parties.

    1. Know who’s behind the keyboard . Are the third-party employees on the payroll, dedicated to you (read: they know you and your business). Are they also contractors? Are they located in the same country as yours?
    2. When it’s not mandatory, do not keep the remote access open 24×7. All access requests must be approved following a procedure.
    3. Do not grant full access to your infrastructure. Restrict the third-party rights to the minimum resources to perform its job (least privilege). Keep segmentation in mind. Restrict its access to a jump host that will be used to enforce more security controls.
    4. Keep logs of who did what, when, why, and from where. Log everything, all connections, all commands.
      Example: Detect an unforeseen connection from an unusual location outside the business hours.
    5. Keep an inventory of your partners and installed software. Force them to upgrade them and audit the settings.
    6. Enable security settings available in the deployed tools
      Example: Enable MFA, activate client-side certificates, provide security tokens.