November 21, 2023

Our approach to lifecycle management at Vanta

Written by
Janiece Caldwell
Senior Operations IT Engineer


In this series, you’ll hear directly from Vanta’s own Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the team’s approach to keeping Vanta secure. We’ll also share some guidance for teams of all sizes—whether you’re just getting started or looking to uplevel your operations. 

In this post, you’ll hear from Janiece Caldwell, Senior Operations Engineer on Vanta’s Enterprise Engineering Team.

Overview of lifecycle management

Lifecycle management is the process of overseeing employees, their systems, and their hardware from onboarding to offboarding—or from provisioning to deprovisioning. Managing the lifecycle of your users, their systems, and their hardware also includes understanding and addressing the compliance and legal risks and requirements along the way.

At Vanta, the Enterprise Engineering team handles the onboarding and offboarding of our employees. Along the way, we partner closely with our Security and Privacy, Risk, & Compliance teams to ensure our policies and procedures consistently align with our controls and requirements.

Benefits of automation

As with many other processes, our Enterprise Engineering team automates as much of lifecycle management as we can. This frees the team from manual work and also reduces the chance of user error, both at onboarding and at offboarding.

For example, one of the first accounts created for each new employee is their Okta account, which is generated automatically from our HRIS (human resource information system) once our People team enters the new hire’s record. Other accounts are then provisioned automatically based on the user’s Okta account.

When an employee leaves, removal of access is automated as well, which removes a manual step and with it the risk of human error. Because Vanta is a global company, it also means no individual team member has to offboard tools and systems provisioned through Okta by hand across different time zones.

While we’re confident in our automation, we also have reactive ways within the Vanta product to quickly catch any potential issues if, for any reason, a user’s access isn’t terminated. 

Our teams regularly review Tests in Vanta, which would surface any such issue. Using Vanta’s Access Review tool, we also run quarterly Access Reviews on a predefined set of systems and tools that hold sensitive data. This gives us a reactive way to identify and remediate problems in case anything slips through the cracks.

Our approach to onboarding

Our Enterprise Engineering team genuinely cares about ensuring that new hires have a productive, thorough, and welcoming onboarding experience. 

New employees receive a dedicated onboarding session on their first day that introduces our tools and processes and, importantly, how to get help from the Enterprise Engineering team. We help curate team wiki pages and company-wide resources so it’s easier to track down important information and understand company structure. We also hold regular Office Hours and encourage new hires to sign up with any questions; password managers are a common topic.

To be productive from day one, new hires must have what they need when they need it, so we strive to automate as much as possible and eliminate gaps and unnecessary manual effort. As an example, since we are a fully remote company, we grant access to a user’s email and calendar shortly before their start date (with no access to sensitive data) so they can look ahead and plan for their first day.

Once an employee formally joins, they automatically receive access to the foundational suite of tools their team requires, rather than having to request access manually and create more busywork for managers to review and approve.

Our approach to offboarding

Offboarding is a sensitive topic, but our overriding principle is to treat every employee offboarding the same way, whether the departure is voluntary or involuntary. Voluntary departures often seem lower-risk, but from a security perspective they are just as critical.

We also work closely with partners such as our People and Finance teams, as well as people managers.

Tips and suggestions

While each company and team has a different perspective on how to best approach lifecycle management, here are a few tips from Vanta’s Enterprise Engineering team:

  • Put yourself in a new hire’s shoes: To give new hires the best possible experience, always put yourself in their shoes when designing new processes, content, and resources. Remember that the onboarding process can often include an overwhelming amount of information for new hires, so it helps to have resources to look back upon or reference.

  • Seek continuous improvement: Actively seek out feedback about the onboarding experience from new hires, and evolve your processes, content, and resources as needed.

  • Build strong partnerships: It takes strong cross-functional partnerships to help ensure your policies and procedures are robust and meet your company’s security, legal, and compliance obligations. Don’t forget about internal partnerships with your HR, Finance, and Security teams, as well as your people managers. And remember to cultivate important external partnerships such as with your logistics partner for hardware and equipment return, especially if you’re a remote-first company.

Access review stages and functionality

Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews

Set up access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and reducing human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines

Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”; system account and HRIS data are pulled into Vanta
  • Upcoming integrations include Zoom and Intercom (account access) and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select the systems in scope for the review

Review, approve, and deny user access
  • Select the appropriate system reviewer and due date
  • Automatic notifications and deadline reminders sent to system reviewers
  • Automatic flagging of “risky” employee accounts whose owner has been terminated or has switched departments
  • Intuitive interface showing all accounts with access, accept/deny buttons per account, and a notes section
  • Track progress of individual system access reviews and see accounts that need to be removed or have their access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title

Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admins to view and manage requests
  • Optional task tracker integration to create tickets for access changes and give visibility into ticket and remediation status

Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems

Report and re-evaluate results
  • Auditors can log into Vanta to see the history of all completed access reviews
  • Internal stakeholders can see the status of reviews in progress as well as historical review detail
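The post describes two sides of the same control: access is derived automatically from the HRIS record (pre-start hires get email and calendar only, active employees get their team’s baseline tools, leavers get nothing), and a reactive Access Review catches accounts where that automation failed, including owners who were terminated or switched departments. The script below is an added illustration of that reconciliation, not Vanta’s code or any Okta/HRIS API; the department-to-app mapping, the roster, the per-app account lists and the finding labels are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed birthright mapping (department -> baseline apps). In a real
# deployment this would come from the identity provider's group rules.
BIRTHRIGHT: Dict[str, Set[str]] = {
    "Engineering": {"email", "calendar", "wiki", "source-control"},
    "Finance": {"email", "calendar", "wiki", "ledger"},
}
# Apps holding sensitive data; a pre-start hire must never hold these.
SENSITIVE_APPS: Set[str] = {"source-control", "ledger"}
# What a hire may use before their start date (email and calendar only).
PRESTART_APPS: Set[str] = {"email", "calendar"}


@dataclass
class Worker:
    """One HRIS record. status is 'prestart', 'active' or 'terminated'."""
    email: str
    department: str
    status: str
    previous_department: Optional[str] = None  # set when a transfer happened


def expected_access(w: Worker) -> Set[str]:
    """Apps the worker should hold, derived purely from HRIS state."""
    if w.status == "terminated":
        return set()
    if w.status == "prestart":
        return set(PRESTART_APPS)
    return set(BIRTHRIGHT.get(w.department, set()))


Finding = Tuple[str, str, str]  # (issue, app, account)


def reconcile(roster: List[Worker], accounts: Dict[str, Set[str]]) -> List[Finding]:
    """Compare actual app membership against HRIS-derived expectations.

    accounts maps app name -> set of account e-mails currently enabled there.
    """
    by_email = {w.email: w for w in roster}
    findings: List[Finding] = []

    for app, members in accounts.items():
        for email in sorted(members):
            w = by_email.get(email)
            if w is None:
                # No HRIS owner at all: a leftover or service account to review.
                findings.append(("ORPHAN", app, email))
            elif w.status == "terminated":
                # The automated offboarding missed this one.
                findings.append(("TERMINATED_STILL_ACTIVE", app, email))
            elif app not in expected_access(w):
                if w.status == "prestart" and app in SENSITIVE_APPS:
                    findings.append(("PRESTART_SENSITIVE", app, email))
                elif w.previous_department and w.previous_department != w.department:
                    findings.append(("DEPT_CHANGED", app, email))
                else:
                    findings.append(("EXCESS_ACCESS", app, email))

    # Onboarding gaps: birthright apps the worker should have but does not.
    for w in roster:
        held = {app for app, members in accounts.items() if w.email in members}
        for app in sorted(expected_access(w) - held):
            findings.append(("MISSING_BIRTHRIGHT", app, w.email))

    return sorted(findings)


# Constructed sample data standing in for an HRIS export and per-app account lists.
SAMPLE_ROSTER = [
    Worker("alice@example.com", "Engineering", "active"),
    Worker("bob@example.com", "Finance", "active", previous_department="Engineering"),
    Worker("carol@example.com", "Engineering", "terminated"),
    Worker("dave@example.com", "Engineering", "prestart"),
]
SAMPLE_ACCOUNTS = {
    "email": {"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"},
    "calendar": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "wiki": {"bob@example.com"},
    "source-control": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "ledger": {"bob@example.com", "svc-legacy@example.com"},
}


def sample_findings() -> List[Finding]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for issue, app, account in sample_findings():
        print(f"{issue:24} {app:15} {account}")
```

Running it on the constructed data yields five findings: carol still has email after termination, bob kept source-control after moving from Engineering to Finance, dave holds a sensitive app before his start date, an unowned service account sits in the ledger, and alice never received her wiki access. The first four are what a quarterly review should surface; the last is the onboarding gap the post’s automation is meant to prevent.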