U9, Outsourcing and Service Provider Management

Information Security Standard

1. Introduction

  • 1.1 Service Providers (vendors, contractors, consultants, and other non-UBC employees who provide services to UBC) may access, process, store, or transmit UBC Electronic Information and Systems in order to deliver agreed-upon services. The increased security risk when access is extended outside of the organization needs to be managed appropriately. This standard is not intended to cover collaborations with other research institutions for research purposes.
  • 1.2 This standard explains the information security requirements applicable to all Service Providers. The Administrative Head of Unit who engages a Service Provider is responsible for ensuring compliance with all of these requirements.
  • 1.3 The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

2. Security and Privacy Risk Assessment

  • 2.1 Before Service Providers provision software applications or are granted access to UBC Electronic Information and Systems, information security risks must be assessed and managed using the Service Provider Security Checklist.
  • 2.2 In addition to the requirement to use the above checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. For academic research projects, a Security Threat Risk Assessment (STRA) may be required in place of a PIA when the tool is used solely for research purposes, as outlined in UBC's research-specific guidelines. Please refer to the PIA & STRA webpage for more information.

3. Cloud Service Providers

  • 3.1 Cloud service providers (e.g., AWS, Azure) raise significant privacy and information security concerns because they store data outside of the custody of the University. Therefore, it is essential to complete a PIA in each situation where these providers will be used.

4. Compliance with Policies and Standards

5. Contractual Requirements

  • 5.1 Before being granted access to Medium, High, or Very High Risk Information, Service Providers must do one of the following:
    • 5.1.1 enter into a service agreement with UBC that includes a Privacy Appendix in the form prescribed by Procurement Services;
    • 5.1.2 sign a Security and Confidentiality Agreement (SACA) in the form prescribed by the Office of the University Counsel; or
    • 5.1.3 obtain a waiver from the Office of the University Counsel.
  • 5.2 Further information about these requirements is available from the Office of the University Counsel.

6. Storage and Transmission of Information

  • 6.1 Service Providers must store UBC Electronic Information in a logically separated environment, ensuring that the information is not mixed with information belonging to or accessed by other parties. If this is not possible, Service Providers may use alternative controls, with the written approval of the Administrative Head of Unit, to ensure that the data is secure and can be destroyed after the project is completed.
  • 6.2 Service Providers must ensure that they store and transmit UBC Electronic Information in accordance with the Encryption Requirements and Transmission and Sharing of UBC Electronic Information standards.

7. Access Controls

  • 7.1 All Service Provider access to UBC Electronic Information and Systems must be granted as follows:
    • 7.1.1 access must be authenticated and role based;
    • 7.1.2 access must be granted on a Principle of Least Privilege (only the minimum level of access that is required to perform their duties); and
    • 7.1.3 wherever possible, access to UBC Systems containing High or Very High Risk Information should be logged.

8. Ongoing Monitoring

  • 8.1 The work of Service Providers must be monitored and reviewed to ensure that privacy, confidentiality and information security requirements are being satisfied.

9. End of Services and Data Destruction

  • 9.1 Immediately upon completion of the project or termination of the agreement, whichever first occurs, the following must take place:
    • 9.1.1 the Administrative Head of Unit must ensure that the Service Provider’s access to UBC Electronic Information and Systems is revoked; and
    • 9.1.2 the Service Provider must stop accessing UBC Electronic Information and Systems.
  • 9.2 Within seven days of the completion of the project or termination of the agreement, whichever first occurs, the following must take place:
    • 9.2.1 the Service Provider must return all UBC assets (including access control cards and keys), equipment and UBC Electronic Information in their possession; and
    • 9.2.2 the Service Provider must destroy all UBC Electronic Information and hard copies of this information in its possession in compliance with the Destruction of UBC Electronic Information standard.

Related Documents and Resources

Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems

Service Provider Security Checklist

Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA)

Security and Confidentiality Agreement (SACA)

BC Freedom of Information and Protection of Privacy Act (FIPPA)

Encryption Requirements standard

Transmission and Sharing of Electronic Information standard

Destruction of UBC Electronic Information standard

Standard Last Revised: 2025-03

Page last updated on January 26, 2026
