BlogSecurity
November 21, 2023

Our approach to lifecycle management at Vanta

Written by
Janiece Caldwell
Senior Operations IT Engineer
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

In this series, you’ll hear directly from Vanta’s own Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta secure. We’ll also share some guidance for teams of all sizes—whether you’re just getting started or looking to uplevel your operations. 

In this post, you’ll hear from Janiece Caldwell, Senior Operations Engineer on Vanta’s Enterprise Engineering Team.

Overview of lifecycle management

Lifecycle management is the process of overseeing employees, their systems, and their hardware from onboarding to offboarding—or from provisioning to deprovisioning. Managing the lifecycle of your users, their systems, and their hardware also includes understanding and addressing the compliance and legal risks and requirements along the way.

At Vanta, the Enterprise Engineering team handles the onboarding and offboarding of our employees. Along the way, we partner closely with our Security and Privacy, Risk, & Compliance teams to ensure our policies and procedures consistently align with our controls and requirements.

Benefits of automation

As with many other processes, our Enterprise Engineering team likes to automate as much as we can. Not only does this free up the team’s time for less manual efforts, but automation also helps reduce the chance for user error—both upon onboarding and offboarding.

For example, one of the first user accounts we create for each new employee is their Okta account, which is automatically created from our HRIS (human resource information systems) once it’s inputted by our People team. In turn, we’re able to automate the creation of other accounts based on a user’s Okta account.

When an employee leaves, we also automate the process of removing access, which eliminates the need to manually remove access and reduces the risk of user error. Given that Vanta is a global company, this also eliminates the need for individual members of our team to manually offboard any tools and systems that are provisioned through Okta within different time zones.

While we’re confident in our automation, we also have reactive ways within the Vanta product to quickly catch any potential issues if, for any reason, a user’s access isn’t terminated. 

Our teams review Tests in Vanta on a regular basis which would identify potential issues. Using Vanta’s Access Review tool, we run quarterly Access Reviews on a predefined set of systems and tools with access to sensitive data. This helps identify and remediate any potential issues on a reactive basis, just in case things slip through the cracks.

Our approach to onboarding

Our Enterprise Engineering team genuinely cares about ensuring that new hires have a productive, thorough, and welcoming onboarding experience. 

To do so, new employees receive a dedicated onboarding session on their first day of onboarding to introduce new employees to our tools, processes, and importantly, ways to get help from our Enterprise Engineering team. We help curate team wiki pages and companywide resources to help make it easier to track down important information and understand company structure. We also hold regular Office Hours and encourage new hires to sign up if they have any questions—such as about password managers, which can be a common topic.

In order to be productive from day one, it’s important that new hires have what they need when they need it and that we strive to automate as much as possible to eliminate gaps or unnecessary manual effort. As an example, as a fully remote company, we provide access to a user’s email and calendar shortly prior to a new hire’s start date (with no access to sensitive data) in order to allow them the ability to look ahead and plan for their start date.

Once an employee formally joins, they automatically gain access to the foundational suite of tools deemed necessary from their team—instead of having to manually request access and create more busywork for managers to review and grant approvals.

Our approach to offboarding

While offboarding is a sensitive topic, our overriding principle is to treat all cases of employee offboarding the same way, whether a voluntary or involuntary departure. This is because voluntary terminations often seem less critical, but are equally critical from a security perspective. 

In addition, we work closely in tandem with partners such as our People and Finance teams, as well as people managers.

Tips and suggestions

While each company and team has a different perspective on how to best approach lifecycle management, here are a few tips from Vanta’s Enterprise Engineering team:

  • Put yourself in a new hire’s shoes: To give new hires the best possible experience, always put yourself in their shoes when designing new processes, content, and resources. Remember that the onboarding process can often include an overwhelming amount of information for new hires, so it helps to have resources to look back upon or reference.

  • Seek continuous improvement: Actively seek out feedback about the onboarding experience from new hires, and evolve your processes, content, and resources as needed.

  • Build strong partnerships: It takes strong cross-functional partnerships to help ensure your policies and procedures are robust and meet your company’s security, legal, and compliance obligations. Don’t forget about internal partnerships with your HR, Finance, and Security teams, as well as your people managers. And remember to cultivate important external partnerships such as with your logistics partner for hardware and equipment return, especially if you’re a remote-first company.

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

Table of contents

No titles!

Share this article

Share this article

Related Resources

Lock on purple background
Security
Blog

How to set up your first security program

If you’re setting up your first security program, here are some steps our CISO recommends you take.

ISO 27001
Events

Live Demo: Simplify ISO 27001 and SOC 2 compliance with Vanta

See how Vanta automates up to 90% of your ISO 27001 and SOC 2 compliance work, saving you time and reducing manual effort.

What's new in Vanta for June
Product updates
Events

What's New in Vanta: June

Are you curious about new Vanta features? Register for our "What's New in Vanta: June" webinar.

Company news
Blog

Vanta’s progress on its pledge to CISA’s Secure by Design Initiative

Vanta’s mission is to secure the internet and protect consumer data. We continue to reinforce our commitment to our mission daily as one of the first organizations to adopt CISA’s Secure by Design pledge.

Related Resources

Security
Blog
Laying the groundwork: Building security foundations at the partial stage

Learn how partial-stage companies build security foundations to advance toward risk-informed maturity.

Security
Blog
How Synthesia Became One of Europe’s Fastest-growing AI Companies | Frameworks for Growth

Hear from Steffen Tjerrild on what it takes to scale an AI company.

Security
Blog
How to implement CPS 234: A 7-step compliance guide

Learn who needs CPS 234 and how the framework affects your organisation.

Security
Blog
Why measuring your security maturity matters (And how we do it at Vanta)

At Vanta, we’ve developed a practical and structured approach to tracking our own maturity using NIST CSF 2.0.

Vanta’s Cybersecurity Maturity Assessment Template cover image
Security
Guide / Report
Vanta’s Cybersecurity Maturity Assessment Template

Evaluate and improve your security posture with Vanta’s Cybersecurity Maturity Assessment Template—based on the NIST CSF 2.0. Track controls, score maturity levels, and build a scalable, resilient security program.

Amjad Masad interview cover
Security
Blog
Amjad Masad of Replit: 10x’ing in a Year and Building the Future of Code | Frameworks for Growth

Amjad breaks down how Replit handled early competition, carved out space as one of the first AI-native dev platforms, and sustained momentum in a crowded, fast-moving market.

Security
Blog
Bret Taylor of Sierra: How to sell to Enterprise Companies as an AI Startup

In this episode of Frameworks for Growth, Vanta CEO Christina Cacioppo sits down with Bret Taylor, Co-founder and CEO of Sierra, to discuss the evolution of technology, from the early days of cloud at Salesforce, to enterprise-ready AI companies.

Security
Blog
Building the Team at Anthropic: Daniela Amodei on Hiring 10x AI Engineers | Frameworks for Growth

Whether you're a founder, operator, or investor, this episode offers actionable startup advice and insight from one of the most influential voices in tech.

Template: Business Continuity Plan cover image
Security
Guide / Report
Template: Business Continuity Plan

Vanta’s Business Continuity Plan Template is designed to help you build a robust, audit-ready business continuity plan with confidence.

Security
Blog
Garry Tan of YC: Why the next unicorns are built by AI | Frameworks for Growth

Whether you're a founder, operator, or investor, this episode offers actionable startup advice and insight from one of the most influential voices in tech.

Security
Blog
5 must-haves in your first security hire + [Job posting Template]

Not sure what you should be looking for when you’re hiring your first cybersecurity professional? Get started with these criteria.

Template: First-security Hire Job Posting cover image
Security
Guide / Report
Template: First-security Hire Job Posting

Use this template to hire your first security lead with key qualifications, skills, and experience needed to scale your security program.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products