Good afternoon. We have been using Smartsheet in a limited capacity for several years. Now we are being asked to expand our use case significantly. Included in that is sensitive information made available to non-company users.
This is a big risk due to provisioning, or more accurately, deprovisioning. No matter which type of account configuration we use, the problem is the same (except if we only allow our company users, which isn't a possibility).
The issue is that, for accounts that don't belong to our own company's users, we have no way of knowing when someone no longer needs access. As an example, if someone from another company has an account with access to our Smartsheet data, and that person is terminated, we have no way of knowing that unless someone from that other company tells us.
So I reached out to some others who use SS like this, and they also state it's more of a contractual thing, like you put verbiage in a contract or something that states the company must let us know of a removal in a timely manner. But that's not a very good security and compliance methodology.
I'm just looking for input on how other companies manage this aspect as we are under heavy regulations, and revoking access to anything with sensitive information is heavily scrutinized by our regulators.
Thank you!