Unattended facility access is, in my opinion, absolutely a part of a vendor's risk profile.
This is the area where the apocryphal story of the HVAC vendor hacking the network comes into play.
Cleaners, maintenance folk, caterers, or whoever is left to their own devices in your secure facility technically has a higher risk associated. Granted, it is mitigated easily by things like clean desk policy, locked offices, etc.
That said, there is also an old saw that if you want to get a message to the cleaning staff, put it on a post it note and leave it on your keyboard. They will get the message with blinding speed most times.
Now, to drill down a little more, I have in the past considered this sort of access to be 'incidental access', which is a moderate risk, rather than a high risk. It's a muddy middle ground where you have folks who are non-staff that could [but probably won't] look at, remember, or even take, private docs or data.
Short form: yes there is risk, but it's also not huge risk.
Thanks,
Dave
David Howe
Chief Information Officer