CONS-01

Will the consultant require access to the institution's network resources?

Explanation

This question asks whether the consulting service provider will need to connect to or use any of the institution's internal network resources, such as servers, databases, file shares, or internal applications. This is a critical security concern: granting external parties access to internal networks creates new potential attack vectors and increases the institution's attack surface.

The question is being asked to help the institution understand:

1. If they need to provision special access for consultants
2. What level of network segmentation or isolation might be required
3. What additional security controls should be implemented to monitor and restrict consultant activity
4. What data the consultant might be able to access

When answering this question, you should be specific about:

- Whether network access is required at all
- What specific resources need to be accessed
- How the access will be provided (VPN, dedicated connection, etc.)
- Duration of required access
- Whether the access is read-only or requires write/modify permissions

Even if the answer is 'no,' providing context about how the consulting work will be performed without network access helps the security team understand the full picture.

Example Responses

Example Response 1

Yes, our consultants will require limited access to the institution's network resources to perform the contracted services. Specifically, they will need read-only access to the HR database server and file shares containing employee training records. This access will be required for approximately 4 weeks during the initial assessment phase. We request this access be provided through your institution's VPN with multi-factor authentication. Our consultants will only access these resources from company-managed devices that comply with our security policy, including full-disk encryption, endpoint protection, and regular security updates.

Example Response 2

No, our consultants will not require access to the institution's internal network resources. All consulting services will be performed using our own systems and infrastructure. Any necessary data exchanges will occur through secure file transfers using your institution's existing secure file transfer portal. Our consultants will provide recommendations based on documentation and information provided by your team through scheduled meetings and secure document sharing.

Example Response 3

Yes, our consultants will need extensive access to your network resources, but we haven't yet determined exactly which systems or what level of access will be required. We typically figure this out during the first week of engagement and request access as needed. Our consultants generally prefer administrator-level access to make their work more efficient, though we understand this may require additional approval processes. We cannot specify exactly how long this access will be needed as it depends on how the project progresses.

Context

Tab: Case-Specific
Category: Consulting Services
