CSP - IT Rep - Outsourcing and Service Provider Management


Outsourcing & Service Provider Management


16. Security & Confidentiality Agreement

Is the Service Provider Security Checklist reviewed, and the Security and Confidentiality Agreement (SACA) signed (when required) before any Service Provider is granted access to UBC Electronic Information and Systems?


Why is this Essential?

The Service Provider Security Checklist supports you in ensuring that the minimum required controls for managing privacy and information security risk have been considered before engaging a vendor.

A signed SACA both sets clear expectations with the vendor on its responsibilities relating to UBC information and systems and transfers some legal responsibility to the vendor in the event of a breach not caused by UBC.

Reference Links
Information Security Standards – U9 Outsourcing and Service Provider Management
Service Provider Security Checklist
Security and Confidentiality Agreement

Instructions

Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request that the Office of the University Counsel grant a waiver of the SACA requirement where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.


What is Acceptable?

There is a process in place to ensure that service providers are reviewed against the checklist, that SACAs are signed before access is granted, and that the IT support community is aware of this requirement.





17. Privacy Impact Assessment

Are Privacy Impact Assessments conducted on all projects handling personal information (Note: Guidance is available on when to conduct a PIA and exceptions for research projects)?


Why is this Essential?

Privacy and information security at UBC is a shared responsibility. A Privacy Impact Assessment (PIA) is a risk management and compliance review process used to identify and address potential information privacy and security issues, thus avoiding costly program, service, or process redesign and minimizing exposure to potential privacy breaches.

Furthermore, British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies such as UBC to conduct a PIA for all new or substantially modified projects. For additional information, please refer to the Privacy Impact Assessment page on Privacy Matters @UBC.

Reference Links
Information Security Standards – U1 Security Classification of UBC Electronic Information
Information Security Standards – U9 Outsourcing and Service Provider Management
Information Security Standards – U11 Securing Internet of Things (IoT) Devices
Information Security Standards – M11 Development and Modification of Software Applications
Privacy Matters @UBC - Personal Information, How to protect personal information online
Privacy Matters @UBC – Privacy Impact Assessment

Instructions

N/A

What is Acceptable?

Assessing privacy and information security risk is part of the unit's culture. Staff are educated about Privacy Impact Assessments and are encouraged both to prepare for them and to complete them.