CONS-07

Will the consultant require an account within the institution's domain (@*.edu)?

Explanation

This question is asking whether consultants working with your institution will need an email account within your institution's domain (e.g., consultant@youruniversity.edu).

Why this matters for security:

1. Account provisioning creates potential security risks, as each account increases the attack surface.
2. Institutional accounts often come with access to internal systems, data, and resources.
3. Managing consultant accounts requires proper onboarding/offboarding procedures.
4. Consultants with institutional accounts may be perceived as official representatives of your institution.

The security assessment is trying to determine:

- If consultants will need privileged access to your systems
- What level of account management will be required
- Whether there are potential identity management concerns
- If data sharing will occur through institutional systems

When answering this question, be specific about:

- Whether consultants need institutional accounts at all
- If yes, what specific access they need and why
- The duration for which accounts will be needed
- Any mitigating controls in place for consultant accounts

Example Responses

Example Response 1

No, our consultants will not require accounts within the institution's domain. All necessary work will be performed using our own systems, and communication will occur through the institution's designated points of contact using existing email channels. Our consultants maintain their own email accounts (consultant@ourcompany.com) for all communications, and we have secure file sharing capabilities that don't require institutional accounts. This approach minimizes the need for additional account provisioning and management within your environment.

Example Response 2

Yes, our consultants will require institutional email accounts (@*.edu) for the duration of the project. This is necessary because they will need access to internal systems including the learning management system, student information system, and internal collaboration tools that rely on institutional authentication. To mitigate security risks, we request that these accounts: 1) be clearly marked as external/consultant accounts, 2) have the minimum permissions necessary for the project work, 3) be provisioned only for the duration of the engagement with automatic expiration dates, and 4) be subject to your standard security monitoring practices.

Example Response 3

No, our consultants typically do not require institutional email accounts. However, we may need limited guest access to specific collaboration tools like Microsoft Teams or SharePoint. If possible, we prefer to use federated authentication or guest access features rather than full institutional accounts. If this approach doesn't provide sufficient access for the project requirements, we can discuss alternatives on a case-by-case basis, always prioritizing the principle of least privilege. Our goal is to minimize administrative overhead while maintaining appropriate security boundaries.
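The controls named in Example Response 2 (external tagging, least privilege, an expiration tied to the engagement, enrolment in monitoring) and the guest-over-full-account preference in Example Response 3 are easy to state and easy to let drift. The following Python audit is an added example, not part of this page or of ResponseHub's own tooling; it runs over constructed sample account records, and the dataclass fields, role names, engagement end date and "today" value are assumptions standing in for a real directory export.

```python
"""Audit consultant accounts against the controls in Example Response 2/3.

Added example with constructed sample data; field names, role names and
dates are assumptions, not a real institution's directory schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    upn: str                     # user principal name, e.g. ext-consultant1@youruniversity.edu
    account_type: str            # "guest" (federated/B2B) or "member" (full institutional account)
    is_external: bool            # explicitly tagged as an external/consultant account
    roles: Set[str]              # roles/groups granted to the account
    expires: Optional[date]      # account expiration date, or None if never set
    monitored: bool              # enrolled in the institution's standard sign-in/audit monitoring


# Assumed engagement parameters: the date the project ends and the roles it actually needs.
ENGAGEMENT_END = date(2025, 6, 30)
ALLOWED_ROLES = {"lms.course.editor", "sis.read"}
# Assumed set of roles no consultant engagement should hold.
PRIVILEGED_ROLES = {"global.admin", "sis.write", "directory.admin"}
# Fixed "today" so the sample run is reproducible.
TODAY = date(2025, 1, 15)


def audit_consultant_account(acct: Account,
                             engagement_end: date = ENGAGEMENT_END,
                             allowed_roles: Set[str] = ALLOWED_ROLES,
                             today: date = TODAY) -> List[str]:
    """Return a list of findings; an empty list means the account meets the controls."""
    findings: List[str] = []

    # Control 1: clearly marked as external/consultant.
    if not acct.is_external:
        findings.append("not tagged as external/consultant")

    # Response 3 preference: guest/federated access over a full institutional account.
    if acct.account_type == "member":
        findings.append("full institutional account; confirm guest/federated access was insufficient")

    # Control 3: time-bounded to the engagement, and removed once it ends.
    if acct.expires is None:
        findings.append("no expiration date")
    elif acct.expires > engagement_end:
        findings.append(f"expires {acct.expires} after engagement end {engagement_end}")
    elif acct.expires < today:
        findings.append("expired but still present (offboarding incomplete)")

    # Control 2: least privilege relative to the engagement's allowed roles.
    excess = acct.roles - allowed_roles
    if excess & PRIVILEGED_ROLES:
        findings.append(f"privileged roles: {sorted(excess & PRIVILEGED_ROLES)}")
    elif excess:
        findings.append(f"roles beyond engagement scope: {sorted(excess)}")

    # Control 4: subject to standard security monitoring.
    if not acct.monitored:
        findings.append("not enrolled in security monitoring")

    return findings


def audit_all(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each account's UPN to its findings."""
    return {a.upn: audit_consultant_account(a) for a in accounts}


# Constructed sample records: one compliant guest, one untagged over-privileged
# member account with no expiry, and one expired guest nobody offboarded.
SAMPLE_ACCOUNTS = [
    Account("ext-consultant1@youruniversity.edu", "guest", True,
            {"lms.course.editor"}, date(2025, 6, 30), True),
    Account("jdoe@youruniversity.edu", "member", False,
            {"lms.course.editor", "global.admin"}, None, True),
    Account("ext-consultant2@youruniversity.edu", "guest", True,
            {"sis.read"}, date(2024, 12, 31), False),
]

if __name__ == "__main__":
    for upn, findings in audit_all(SAMPLE_ACCOUNTS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{upn}: {status}")
```

The check is deliberately strict in one direction: an account that has already passed its expiration date but still exists is reported as an offboarding gap rather than ignored, because "automatic expiration" only reduces risk if the directory actually enforces it.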

Context

Tab: Case-Specific
Category: Consulting Services

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub