Vendor session recording
Demonstrate that all privileged vendor sessions are recorded, retained according to policy, and accessible for review during security incidents or compliance inquiries.
Description
What this control does
Vendor session recording captures and retains video, audio, and screen activity for privileged third-party users accessing organizational systems, typically via remote support sessions, VDI environments, or jump hosts. This control creates an auditable trail of vendor actions during maintenance, troubleshooting, or administrative tasks. It deters malicious behavior, supports forensic investigations, and ensures compliance with data protection requirements by documenting who accessed what data and when.
Control objective
What auditing this proves
Demonstrate that all privileged vendor sessions are recorded, retained according to policy, and accessible for review during security incidents or compliance inquiries.
Associated risks
Risks this control addresses
- Unauthorized data exfiltration by vendor personnel during legitimate access sessions without detection
- Malicious configuration changes or backdoor installation by compromised vendor accounts with no forensic evidence
- Insider threats from vendor staff abusing elevated privileges to access sensitive customer or financial data
- Inability to reconstruct attack timelines when vendor accounts are involved in breach activities
- Compliance violations due to lack of evidence demonstrating vendor adherence to data handling agreements
- Undetected lateral movement by threat actors leveraging stolen vendor credentials
- Regulatory penalties for failure to demonstrate oversight of third-party access to regulated data environments
Testing procedure
How an auditor verifies this control
- Obtain the vendor session recording policy and technical architecture documentation showing which systems enforce recording and what session types are captured
- Identify all pathways vendors use to access production systems including VPN, jump hosts, VDI sessions, and privileged access management platforms
- Review configuration settings of session recording tools to verify recording is mandatory, cannot be disabled by users, and covers all privileged vendor accounts
- Select a sample of at least five vendor sessions from the past 30 days and retrieve corresponding recordings from the centralized repository
- Validate that sampled recordings include screen activity, keystrokes, commands executed, and timestamps with sufficient quality to reconstruct actions
- Confirm retention settings align with policy requirements and verify recordings cannot be deleted or modified by non-administrative personnel
- Test a scenario where a vendor user attempts to access systems without recording enabled and verify access is blocked or alerts are generated
- Review access logs and recording metadata to confirm no gaps exist between vendor login times and recording start times for the sampled sessions
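One way to script the last two checks (retention against policy, and no gap between vendor login and recording start) over exported data, as an added example that is not part of this control catalogue or of any session-recording product: it assumes the login events and recording metadata can be exported in the constructed form below, and uses an assumed 5-second start tolerance and an assumed 90-day retention minimum.

```python
"""
Cross-check vendor access-log entries against session-recording metadata.

Added illustration for the audit steps "confirm retention settings align
with policy" and "confirm no gaps exist between vendor login times and
recording start times". Field names, the 5-second start tolerance and the
90-day retention policy are assumptions, not values from the control text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Login:
    session_id: str
    vendor: str
    pathway: str          # access path, e.g. "jump-host", "vdi", "vpn"
    login: datetime
    logout: datetime

@dataclass
class Recording:
    session_id: str
    start: datetime
    end: datetime
    retained_until: datetime

START_TOLERANCE = timedelta(seconds=5)   # assumed acceptable recorder start-up delay
RETENTION_POLICY = timedelta(days=90)    # assumed policy minimum, measured from login

def audit_sessions(logins, recordings):
    """Return one finding per control gap; an empty list means every sampled session passes."""
    by_id = {r.session_id: r for r in recordings}
    findings = []
    for lg in logins:
        rec = by_id.get(lg.session_id)
        if rec is None:
            # A privileged session with no recording at all is the most serious gap.
            findings.append(f"{lg.session_id}: no recording for {lg.vendor} via {lg.pathway}")
            continue
        gap = rec.start - lg.login
        if gap > START_TOLERANCE:
            # Activity between login and recording start is unaccounted for.
            findings.append(f"{lg.session_id}: recording started {int(gap.total_seconds())}s after login")
        if rec.end < lg.logout:
            short = int((lg.logout - rec.end).total_seconds())
            findings.append(f"{lg.session_id}: recording ended {short}s before logout")
        if rec.retained_until < lg.login + RETENTION_POLICY:
            findings.append(f"{lg.session_id}: retention expires before policy minimum")
    return findings

def demo_findings():
    """Run the audit over a constructed sample of four vendor sessions."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    h, m = timedelta(hours=1), timedelta(minutes=1)
    logins = [  # constructed sample access-log export
        Login("s-001", "acme-support", "jump-host", t0, t0 + 30 * m),
        Login("s-002", "acme-support", "vdi", t0 + h, t0 + h + 45 * m),
        Login("s-003", "globex-dba", "vpn", t0 + 2 * h, t0 + 2 * h + 20 * m),
        Login("s-004", "globex-dba", "jump-host", t0 + 3 * h, t0 + 3 * h + 10 * m),
    ]
    recordings = [  # constructed sample recording metadata export
        Recording("s-001", t0, t0 + 30 * m, t0 + timedelta(days=100)),                  # clean
        Recording("s-002", t0 + h + 2 * m, t0 + h + 45 * m, t0 + timedelta(days=100)),  # 2 min unrecorded
        Recording("s-003", t0 + 2 * h, t0 + 2 * h + 20 * m, t0 + timedelta(days=30)),   # retained too briefly
        # s-004 has no recording at all
    ]
    return audit_sessions(logins, recordings)

if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

Each finding maps back to a sampled session id, so the auditor can pull that recording (or its absence) as evidence; the same comparison can be run over the full 30-day population rather than a five-session sample once the exports are available.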
Where this control is tested