HECVAT Category
Consulting Services
The Consulting Services category covers the controls and questions that apply when a vendor delivers consulting work: what network, system, physical, and account access the consultant will need, and whether institutional data will pass into the consultant's possession. It outlines the expectations institutions typically place on such vendors, helps assess the vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluating engagements.
Assessment Questions
Will the consultant require access to the institution's network resources?
This question is asking whether the consulting service provider will need to connect to or use any of the institution's internal network resources, such as servers, databases, file shares, or internal applications. This is a critical security concern because granting external parties access to internal networks creates new potential attack vectors and increases the institution's attack surface.
Has the consultant received training on (sensitive, HIPAA, PCI, etc.) data handling?
This question is asking whether consultants who may have access to sensitive data have received formal training on how to properly handle that data according to relevant regulations and standards. Specifically, it mentions HIPAA (Health Insurance Portability and Accountability Act), which governs protected health information, and PCI DSS (Payment Card Industry Data Security Standard), which governs payment card data.
Is the data encrypted (at rest) while in the consultant's possession?
This question is asking whether data that is stored (at rest) by consultants is encrypted. Data at rest refers to information that is stored on physical devices (like laptops, servers, USB drives) or cloud storage rather than data that is actively moving through networks.
Can access be restricted based on source IP address?
This question is asking whether the consulting service provider can restrict access to systems, applications, or data based on the IP address from which a user is connecting. IP address restriction is a security control that allows or denies access based on the network location of the user.
Will the consulting take place on-premises?
This question is asking whether the consulting services being assessed will be performed at the client's physical location (on-premises) as opposed to remotely. This is important from a security perspective for several reasons:
Will the consultant require access to hardware in the institution's data centers?
This question is asking whether the consultants will need physical access to the institution's data center equipment (servers, network devices, storage systems, etc.).
Will the consultant require an account within the institution's domain (@*.edu)?
This question is asking whether consultants working with your institution will need an email account within your institution's domain (e.g., consultant@youruniversity.edu).
Will any data be transferred to the consultant's possession?
This question is asking whether the consulting service provider will receive, store, or process any data belonging to your organization during the engagement. In a security assessment, this is crucial because any data transfer to external parties introduces potential security risks. If consultants will have access to your data (especially sensitive or regulated data), this creates additional security considerations including how the data will be protected during transfer, how it will be stored by the consultant, who will have access to it, and how it will be returned or destroyed after the engagement.
Will the consultant need remote access to the institution's network or systems?
This question is asking whether the consulting service provider will require remote access to your institution's internal network infrastructure or systems to perform their work. Remote access means the ability to connect to your organization's systems from an external location (like the consultant's office).
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.