Connor Group works with subcontracting entities to address client requests for which Connor Group does not have in-house expertise. Because most clients require advance notification before a subcontractor is used, it is Connor Group's policy to notify clients whenever subcontracted resources will service any component of that client's work. In addition, security and system controls must be maintained for all subcontracting activity.
Controls can be met under either of two scenarios: using Connor Group resources, or offloading system and identity management to the subcontractor.
- Utilizing Connor Group resources (systems and identities)
  - Subcontracted resources use Connor Group (CG) computers and identities (username@connorgp.com) to perform work on behalf of Connor Group.
  - Pros:
    - Connor Group endpoint and identity controls are maintained.
    - CG email maintains confidentiality and security requirements.
    - CG identities ensure appropriate lifecycle management, monitoring, and access.
    - Integration into CG's MS365 ensures proper access controls and data protection for client data (if stored).
    - Communications with the client appear homogeneous within Connor Group (no addresses from a subcontractor's email domain).
  - Cons:
    - Connor Group assumes the cost of maintaining assets for the subcontractor.
    - Increased work for Connor Group IT and HR in managing subcontracted personnel and accounts.
    - Subcontracted assets must be spun up and down through the engagement leader, increasing their management overhead.
- Offloading systems and identities to the subcontractor
  - The subcontracting entity may offer to use its own systems and identities.
  - Pros:
    - Connor Group can offer more services to clients, not only those for which in-house expertise is available.
    - Oversight and management of systems and identities is pushed to the subcontractor, reducing Connor Group's workload.
    - Lower overhead costs on CG's balance sheet.
  - Cons:
    - Increased risk: Connor Group has no visibility into the subcontractor's security or operational controls.
    - Increased oversight costs: the subcontracting entity and CG must maintain attestation reviews and artifacts to meet client and CG security requirements.
    - Reduced control: account access is provisioned to subcontractor identities, which Connor Group cannot manage or monitor.
    - Any client visibility reveals subcontractor personnel and assets performing the work rather than CG assets, weakening the persistence of the client relationship.
    - Connor Group remains liable to the client for any misrepresentation or violation of security controls.
Subcontracted engagements are subject to the same security standards and controls required by Connor Group. A non-exhaustive list of these controls includes:
- Endpoint (Hard disk encryption, Antivirus, Endpoint Firewall, Content Filtering, Logging, Local account access, VPN, OS Patching, Application Inspection)
- Network (Encryption Protocols, Certificate Enforcement, Network Firewall, Network Inspection/Limiting)
- Data (Classification, Encryption, Data Loss Prevention, Backup, Access Reviews, Approval and Access Provisioning, Segregation)
- Identity (Password complexity, multi-factor authentication, Single-User Accounts, Conditional Access Rules, Account Lifecycle)
- Communication (email provisioning/filtering/continuity/encryption/routing/discovery/retention/logging/troubleshooting, collaboration provisioning/integration/protection)
- Employee Resourcing (Security and Privacy Training, Background Checks, Identity Vetting, Application Training, Process Training)
- IT/Information Security (Incident Response, Audit Logging and Alerting, Business Continuity, Ransomware Defense, System Hardening, Vulnerability Management, Change Control, Tech Support)
Subcontracting companies using their own equipment and identities are required to demonstrate compliance with these controls before any work is performed on behalf of Connor Group.