Back to Policy Manual
C-710-AR: Vendor Risk Management
References:
- Alberta Education Act: Section 33, 54
Background
The procedure exists to ensure vendor partners who are connected to or are providing
infrastructure that houses division information assets are strategically aligned with the
division’s cyber security posture.
Procedures
- Vendor Selection Process
- Division staff procuring solutions connected to or housing personally
identifiable information shall ensure the vendor meets the following criteria:- Annual security audits such as SOC 2 Type 2, ISO or Nist reports
- Documented Cybersecurity incident response plan
- Documented Disaster recovery plan
- Documented Business continuity plan
- Documented Patching cadence
- Implementation of MFA
- Hold $2 million in third-party cyber liability insurance coverage
- A vendor risk assessment should be carried out to assist with shortlisting.
- Exceptions:
- Prior working relationship with the division
- Specialized service offering
- Division staff procuring solutions connected to or housing personally
- Contracts
- To establish clear expectations for vendors; contracts shall include the following clauses:
- Data Breach: If the vendor suspects or becomes aware of any unauthorized access to any division data by an unauthorized person or third party, or becomes aware of any other security breach relating to data held or stored by the vendor under this agreement, the vendor shall notify both the respective school and the board within 48 hours of breach in writing with the detail of the event and shall fully cooperate with the board at the vendor’s expense to prevent or stop such data breach. In the event of such data breach, the vendor shall fully and immediately comply with applicable laws, and shall take the appropriate steps to remedy such data breach. Any and all personal data to which the vendor has access under this agreement, as between vendor and the board will remain the property of the board. All personal data delivered to the vendor shall be stored in Canada or other jurisdictions approved by the board in writing.
- Technical Auditing - The Vendor Shall:
- on at least an annual basis, engage a third-party auditing firm to perform a statement on standards for attestation engagements (“SSAE”), or equivalent audit, on internal and external vendor procedures and systems that access or contain board data;
- adhere to the board’s or any division name school policy standards associated with audit compliance criteria and data security procedures (or any successor report of a similar nature that is generally accepted in the industry and utilized by the vendor), applicable to the vendor, whichever policy standard is more restrictive; and
- ensure that all security procedures materially conform to the description thereof set forth in this agreement and as further described in vendor’s most recently completed SSAE report (or any successor report of a similar nature that is generally accepted in the industry and utilized by the vendor).
- Upon the board’s request, the vendor will provide the board with a copy of the audit results set forth in the vendor’s audit report. The board shall have the right to terminate this agreement (together with any related agreements, including licences and/or statement(s) of work) and receive a full refund for all monies prepaid thereunder in the event that the vendor fails to produce an acceptable certification report.
- Penetration Testing - The vendor will provide the board and each school with an annual, third party penetration and vulnerability testing report (“Penetration Tests”). During the term of this agreement, the vendor will engage, at its own expense and at least one time per year, a third-party contractor reasonably acceptable to the board to perform the penetration tests with respect to the vendor’s systems. The objective of such penetration tests is to identify design and/or functionality issues in infrastructure of the vendor’s systems that could expose either the board’s data or any individual school’s data and its computer and network equipment and systems to risks from malicious activities. Penetration tests will probe for weaknesses in network perimeters or other infrastructure elements, as well as weaknesses in process or technical countermeasures relating to the vendor’s systems that could be exploited by a malicious party.
- Cyber-liability Insurance
- comprehensive general liability insurance in respect to the services and operations of the vendor for bodily injury and property damage with policy limits of not less than two million($2,000,000.00) dollars per occurrence, with the board named as an additional insured with respect to the performance of the services. Such policy shall include blanket contractual coverage and a cross liability clause, and shall provide for a minimum of thirty (30) days prior written notice to the board upon any cancellation or material change in coverage;
- third-party cyber liability insurance, including coverage for network security/data protection covering liabilities for financial loss resulting or arising from acts, errors, or omissions, in rendering technology/professional services or in connection with the specific services described in this agreement: Violation or infringement of any right of privacy, including breach of security and breach of security/privacy laws, rules or regulations globally, now or hereinafter constituted or amended; Data theft, damage, unauthorized disclosure, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, identity theft, theft of personally identifiable information or confidential corporate information in whatever form, transmission of a computer virus or other type of malicious code; and participation in a denial of service attack on third party computer systems; Loss or denial of service; No cyber terrorism exclusion; with a minimum limit of two million ($2,000,000) dollars per claim. Such coverage must include technology/professional liability including breach of contract, privacy and security liability, privacy regulatory defense and payment of civil fines, payment of credit card provider penalties, and breach response costs (including without limitation, notification costs, forensics, credit protection services, call center services, identity theft protection services, and crisis management/public relations services). Such insurance must include affirmative contractual liability coverage for the data breach indemnity in this agreement for all damages, defense costs, privacy regulatory civil fines and penalties, and reasonable and necessary data breach notification, forensics, credit protection services, public relations/crisis management, and other data breach mitigation services resulting from a breach of confidentiality or breach of security by or on behalf of the vendor.
- all risk insurance on any personal property, tools or equipment to be used in performing or providing the services, to full replacement value;
- Workers Compensation coverage for all employees, if any, engaged by the vendor;
- professional liability coverage for professional services liability with limits of not less than two million ($2,000,000.00) dollars per occurrence;
- standard automobile insurance providing coverage of at least one million ($1,000,000.00) dollars inclusive for bodily injury and property damage (if the vendor is required to use a vehicle in the performance of the Services); and
- any other insurance of such type and amount as may reasonably be required by the board.
- Right to Audit - Upon request the vendor agrees to provide St. Albert Public Schools with policies and procedures pertaining to cybersecurity, cyber incident response, disaster recovery, and business continuity plans. The vendor must provide the requested documentation within 30 business days of the request. If the vendor fails to comply, St. Albert Public Schools reserves the right to terminate this agreement (together with any related agreements, including licences and/or statements of work) and receive a full refund for all monies prepaid thereunder.
- To establish clear expectations for vendors; contracts shall include the following clauses:
- Auditing
- On a yearly basis, Information Services will carry out compliance audits. The audit will consist of an information security program assessment questionnaire, a review of the SSAE 16/18 SOC 1 (or SOC 2) Type 1/2 audit compliance, and a review of the pentesting results.