Service Providers (vendors, contractors, consultants and other non-UBC employees who provide services to UBC) may access, process, store or transmit UBC Electronic Information and Systems in order to deliver agreed-upon services. The increased security risk when access is extended outside of the organization needs to be managed appropriately.
This standard explains the information security requirements applicable to all Service Providers. The Administrative Head of Unit who engages a Service Provider is responsible for ensuring compliance with all of these requirements.
Before access is granted to UBC Electronic Information and Systems, the Service Provider must be made aware that it will be subject to Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems, and its accompanying standards.
Contractual Requirements
Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.
Storage and Transmission of Information
Service Providers must store UBC Electronic Information in a separate system or database, ensuring that the information is not mixed with information belonging to or accessed by other parties. If this is not possible, Service Providers may use alternative controls, with the written approval of the Administrative Head of Unit, to ensure that the data is secure and can be destroyed after the project is completed.
Service Providers must not access or store Personal Information (PI) outside Canada, as that would violate the Freedom of Information and Protection of Privacy Act (FIPPA). It should be noted that UBC classifies PI as High or Very High Risk Information. As an exception, temporary access or storage outside of Canada is allowed, provided that this is:
necessary for installing, implementing, maintaining, repairing, trouble-shooting or upgrading an electronic system or recovering data from such a system; and
limited to the minimum amount of time necessary for that purpose.
All Service Provider access to UBC Electronic Information and Systems must be granted as follows:
access must be authenticated and role based;
access must be granted on the principle of 'least privilege' (only the minimum level of access required for the Service Provider to perform its duties); and
wherever possible, access to UBC Systems containing High or Very High Risk Information should be logged.
Ongoing Monitoring
The work of Service Providers must be monitored and reviewed to ensure that privacy, confidentiality and information security requirements are being satisfied.
End of Services and Data Destruction
Immediately upon completion of the project or termination of the agreement, whichever first occurs, the following must take place:
the Administrative Head of Unit must ensure that the Service Provider's access to UBC Electronic Information and Systems is revoked; and
the Service Provider must stop accessing UBC Electronic Information and Systems.
Within seven days of the completion of the project or termination of the agreement, whichever first occurs, the following must take place:
the Service Provider must return all UBC assets (including access control cards and keys), equipment, and UBC Electronic Information in its possession; and
the Service Provider must destroy all UBC Electronic Information and hard copies of this information in its possession in compliance with the Destruction of UBC Electronic Information standard.