
Outsourcing and Service Provider Access

Policy section:
Section 7000-7099 Computing Services
Policy number:
7050
Subject:
Outsourcing and Service Provider Access
Group:
Institutional
Approved By:
President
Approved date:
June 1, 2023
Effective date:
September 1, 2023
Administered by:
Vice-President, Finance and Administration

1. Introduction

  1.1 Service Providers (vendors, contractors, consultants and other non-69³ÉÈ˵çÓ°Íø employees who provide services to 69³ÉÈ˵çÓ°Íø) may be required to access, process, store or transmit 69³ÉÈ˵çÓ°Íø Electronic Information in order to deliver agreed-upon services. The increased security risk when access is extended outside of the organization needs to be managed appropriately.
  1.2 This policy explains the information security requirements applicable to all Service Providers. All VPs, Deans and Directors who engage a Service Provider for such services are responsible for ensuring compliance with all of these requirements.
  1.3 The Vice-President, Finance and Administration has issued this document under the authority of the Use and Security of 69³ÉÈ˵çÓ°Íø Electronic Information and Information Systems Policy. Questions about this standard may be referred to helpdesk@mta.ca.

2. Definitions

  2.1 69³ÉÈ˵çÓ°Íø Contract Owner: the employee of 69³ÉÈ˵çÓ°Íø University who is the primary point of contact for the vendor and is responsible for the function where the contracted work is being performed.

3. Compliance with Policies and Standards

  3.1 Before access is granted to 69³ÉÈ˵çÓ°Íø Electronic Information and/or Information Systems, the Service Provider must be made aware that it will be subject to the Use and Security of 69³ÉÈ˵çÓ°Íø Electronic Information and Information Systems Policy and its accompanying standards.

4. Contractual Requirements

  4.1 The Director of Information Technology must review and approve all contracts related to outsourcing and service provider access to 69³ÉÈ˵çÓ°Íø Electronic Information.

5. Storage and Transmission of Information

  5.1 Service Providers must store 69³ÉÈ˵çÓ°Íø Electronic Information in a separate system or database, ensuring that the information is not mixed with information belonging to or accessed by other parties. If this is not possible, Service Providers may use alternative controls, with the written approval of the Director of Information Technology, to ensure that the data is secure and can be destroyed once it has been determined that it is no longer needed, in accordance with 69³ÉÈ˵çÓ°Íø’s Data Retention and Destruction Policy.
  5.2 Service Providers must meet one of the following data security standards when storing 69³ÉÈ˵çÓ°Íø Personal Information (PI) on systems provided by them:
    5.2.1 SSAE 16 SOC 2; or
    5.2.2 ISO 27001; or
    5.2.3 for payment card processing, the Payment Card Industry Data Security Standard (PCI DSS).
  5.3 Service Providers must not access or store Personal Information (PI) outside Canada. It should be noted that 69³ÉÈ˵çÓ°Íø classifies PI as Confidential Information. As an exception, temporary access or storage outside of Canada is allowed, provided that:
    5.3.1 69³ÉÈ˵çÓ°Íø University is notified of this taking place in a timely manner, and ideally before it occurs;
    5.3.2 it is necessary for installing, implementing, maintaining, repairing, troubleshooting or upgrading an electronic system, or for recovering data from such a system; and
    5.3.3 it is limited to the minimum amount of time necessary for that purpose.
  5.4 Service Providers must ensure that they transmit 69³ÉÈ˵çÓ°Íø Electronic Information in a manner that provides end-to-end encryption.
  5.5 69³ÉÈ˵çÓ°Íø always retains ownership of its data. Service Providers must demonstrate that they have in place a means by which 69³ÉÈ˵çÓ°Íø can retrieve its data, including in the event that the Service Provider ceases operations.

6. Access Controls

  6.1 All Service Provider access to 69³ÉÈ˵çÓ°Íø Electronic Information and Systems must be granted as follows:
    6.1.1 APIs used to transfer data between MtA and the vendor must use a Web API Gateway set up by the Computing Services Department;
    6.1.2 access must be authenticated and role-based;
    6.1.3 access must be granted on the principle of ‘least privilege’ (only the minimum level of access required for the Service Provider to perform its duties); and
    6.1.4 wherever possible, access to 69³ÉÈ˵çÓ°Íø Systems containing Confidential Information should be logged.

7. Ongoing Monitoring

  7.1 The work of Service Providers must be monitored by the 69³ÉÈ˵çÓ°Íø Contract Owner and reviewed to ensure that privacy, confidentiality and information security requirements are being satisfied.

8. End of Services and Data Destruction

  8.1 Immediately upon completion of the project or termination of the agreement, whichever occurs first, the following must take place:
    8.1.1 the 69³ÉÈ˵çÓ°Íø Contract Owner must ensure that the Service Provider’s access to 69³ÉÈ˵çÓ°Íø Electronic Information and Systems is revoked; and
    8.1.2 the Service Provider must stop accessing 69³ÉÈ˵çÓ°Íø Electronic Information and Systems.
  8.2 Within seven days of the completion of the project or termination of the agreement, whichever occurs first, the following must take place:
    8.2.1 the Service Provider must return all 69³ÉÈ˵çÓ°Íø assets (including access control cards and keys), equipment, and 69³ÉÈ˵çÓ°Íø Electronic Information in its possession; and
    8.2.2 the Service Provider must destroy all 69³ÉÈ˵çÓ°Íø Electronic Information and hard copies of this information in its possession, in compliance with the Destruction of 69³ÉÈ˵çÓ°Íø Electronic Information standard.

9. Related Documents

  • Use and Security of 69³ÉÈ˵çÓ°Íø Electronic Information and Information Systems Policy
  • Data Retention and Destruction Policy
  • Security and Classification of 69³ÉÈ˵çÓ°Íø Information Policy