Outsourcing and Service Provider Management
Introduction
- Service Providers (vendors, contractors, consultants and other non-UBC employees who provide services to UBC) may access, process, store or transmit UBC Electronic Information and Systems in order to deliver agreed-upon services. The increased security risk when access is extended outside of the organization needs to be managed appropriately. This standard is not intended to cover collaborations with other research institutions for research purposes.
- This standard explains the information security requirements applicable to all Service Providers. The Administrative Head of Unit who engages a Service Provider is responsible for ensuring compliance with all of these requirements.
- The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
Security and Privacy Risk Assessment
- Before Service Providers provision software applications or are granted access to UBC Electronic Information and Systems, information security risks must be assessed and managed using the Service Provider Security Checklist.
- In addition to the requirement to use the above checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. For academic research projects, a Security Threat Risk Assessment (STRA) may be required in place of a PIA when the tool is used solely for research purposes, as outlined in UBC's research-specific guidelines. Please refer to the PIA & STRA webpage for more information.
Cloud Service Providers
- Cloud service providers (e.g. AWS, Azure) raise significant privacy and information security concerns because they store data outside of the custody of the University. Therefore, it is essential to complete a PIA in each situation where these providers will be used.
Compliance with Policies and Standards
- Before access is granted to UBC Electronic Information and Systems, the Service Provider must be made aware that it will be subject to Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems, and its accompanying standards.
Contractual Requirements
- Before being granted access to Medium, High or Very High Risk Information, Service Providers must do one of the following:
  - enter into a service agreement with UBC that includes a Privacy Appendix in the form prescribed by Procurement Services;
  - sign a Security and Confidentiality Agreement (SACA) in the form prescribed by the Office of the University Counsel; or
  - obtain a waiver from the Office of the University Counsel.
- Further information about these requirements is available from the Office of the University Counsel.
Storage and Transmission of Information
- Service Providers must store UBC Electronic Information in a logically separated environment, ensuring that the information is not mixed with information belonging to or accessed by other parties. If this is not possible, Service Providers may use alternative controls, with the written approval of the Administrative Head of Unit, to ensure that the data is secure and can be destroyed after the project is completed.
- Service Providers must ensure that they store and transmit UBC Electronic Information in accordance with the Encryption Requirements and Transmission and Sharing of UBC Electronic Information standards.
Access Controls
- All Service Provider access to UBC Electronic Information and Systems must be granted as follows:
  - access must be authenticated and role based;
  - access must be granted on a Principle of Least Privilege (only the minimum level of access that is required to perform their duties); and
  - wherever possible, access to UBC Systems containing High or Very High Risk Information should be logged.
Ongoing Monitoring
- The work of Service Providers must be monitored and reviewed to ensure that privacy, confidentiality and information security requirements are being satisfied.
End of Services and Data Destruction
- Immediately upon completion of the project or termination of the agreement, whichever first occurs, the following must take place:
  - the Administrative Head of Unit must ensure that the Service Provider’s access to UBC Electronic Information and Systems is revoked; and
  - the Service Provider must stop accessing UBC Electronic Information and Systems.
- Within seven days of the completion of the project or termination of the agreement, whichever first occurs, the following must take place:
  - the Service Provider must return all UBC assets (including access control cards and keys), equipment and UBC Electronic Information in their possession; and
  - the Service Provider must destroy all UBC Electronic Information and hard copies of this information in its possession in compliance with the Destruction of UBC Electronic Information standard.
Related Documents and Resources
- Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
- Service Provider Security Checklist
- Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA)
- Security and Confidentiality Agreement (SACA)
- BC Freedom of Information and Protection of Privacy Act (FIPPA)
- Encryption Requirements standard
- Transmission and Sharing of Electronic Information standard
- Destruction of UBC Electronic Information standard
Standard Last Revised: 2025-03