UC#3 I could not agree more, too many folks out there who just don't get it.
I am amazed at some of the lackadaisical security "best" practices by some of peers on this forum. My primary role is Cyber Security, everything else comes second. I hope you read the contracts with your customer very closely, you may be leaving your company open to some potential serious legal issues.
Any smart and reputable integrator will NOT do anything that would allow remote access of any kind, this includes on demand remote support tools like TV or LogMeIn etc. Let the end user provide you a VPN so they own the security and liability, if its a web based remote tool let the end user initiate all sessions. This is why the network folks do the network stuff, its their domain. I get it that there are more than qualified integrators who are network savvy and maybe that works at those smaller customers but in my world the integrator does not touch the network....period!
Here is some food for thought to chew on...
1. Integrator 'A' pulls the network infrastructure for the Security Devices, do you know what type of cable they are using, does it meet your Enterprise IT Specs? Are they "Certified" to do structured network cabling, do they have the right testing tools, can they produce a Pass/Fail Certification Report to ANSI/TIA-568 Standards?
2. Integrator 'B' provides the network switches for the project, do they meet the Enterprise IT Requirements? Can you meet the SLA for patching of the switch OS if there is a problem, do you really want to manage the switch? What PENN testing has been done on that inferior switch?
3. Joe installer/service guy brings his non-whitelisted laptop to program the IP Cameras, maybe he plugs directly into the core switch to find and discover all the camera on the subnet, maybe he plugs directly into the secondary NIC of the NVR to fire up his client......
I can go on and on.......any employee, vendor or supplier (myself incld) who does stuff like this would be terminated and banned. End of Story!