Will the consultant require access to the institution's network resources?
Explanation
Network access by outside consultants raises real exposure, so this item asks whether the consultant will need to reach the institution's internal resources such as servers, databases, or applications. This is a critical security concern because granting external parties access to internal networks introduces potential security risks. External access creates new potential attack vectors and increases the institution's attack surface.
The question is being asked to help the institution understand:
- If they need to provision special access for consultants
- What level of network segmentation or isolation might be required
- What additional security controls should be implemented to monitor and restrict consultant activity
- What data the consultant might be able to access
When answering this question, you should be specific about:
- Whether network access is required at all
- What specific resources need to be accessed
- How the access will be provided (VPN, dedicated connection, etc.)
- Duration of required access
- Whether the access is read-only or requires write/modify permissions
Even if the answer is 'no,' providing context about how the consulting work will be performed without network access helps the security team understand the full picture.
Example Responses
Example Response 1
Yes, our consultants will require limited access to the institution's network resources to perform the contracted services Specifically, they will need read-only access to the HR database server and file shares containing employee training records This access will be required for approximately 4 weeks during the initial assessment phase We request this access be provided through your institution's VPN with multi-factor authentication Our consultants will only access these resources from company-managed devices that comply with our security policy, including full-disk encryption, endpoint protection, and regular security updates.
Example Response 2
No, our consultants will not require access to the institution's internal network resources All consulting services will be performed using our own systems and infrastructure Any necessary data exchanges will occur through secure file transfers using your institution's existing secure file transfer portal Our consultants will provide recommendations based on documentation and information provided by your team through scheduled meetings and secure document sharing.
Example Response 3
Yes, our consultants will need extensive access to your network resources, but we haven't yet determined exactly which systems or what level of access will be required We typically figure this out during the first week of engagement and request access as needed Our consultants generally prefer administrator-level access to make their work more efficient, though we understand this may require additional approval processes We cannot specify exactly how long this access will be needed as it depends on how the project progresses.
Context
- Tab
- Case-Specific
- Category
- Consulting Services
Related questions
- Has the consultant received training on (sensitive, HIPAA, PCI, etc.) data handling?
- Is the data encrypted (at rest) while in the consultant's possession?
- Can access be restricted based on source IP address?
- Will the consulting take place on-premises?
- Will the consultant require access to hardware in the institution's data centers?
- Will the consultant require an account within the institution's domain (@*.edu)?

