IT SERVICE PROVIDER ASSESSMENT

Transcription

1 IT SERVICE PROVIDER ASSESSMENT PURPOSE The purpose of this document is to provide guidance to assess and evaluate risks related to the engagement of an IT service provider. Refer to the IT Service Provider Policy for additional information. Note: if Brock University Private Information is / will be under the care or control of the IT Service Provider, Brock s Privacy Impact Assessment (PIA) questionnaire may need to be completed. Please check with Brock s Freedom of Information and Privacy Coordinator. If a PIA is completed, portions of this checklist may overlap with the PIA. Where necessary information has already been provided in the PIA, please refer to the section(s) of the PIA as applicable when completing this questionnaire. INSTRUCTIONS The IT Controller, Information Technology Services, will work with the area interested in engaging an IT service provider to complete this document. KEY CONTACT INFORMATION Name Title Extension Area First name, Last name

2 KEY STAKEHOLDERS Name Title Extension Area BACKGROUND INFORMATION RELATED TO IT SERVICE PROVIDER ENGAGEMENT IT Service Provider Purpose Duplication of services Asset evaluation (risk) Data Area(s) Identify the purpose for engaging the IT service provider Will the proposed IT service provider duplicate a similar service / solution / product already provided to or available at the University? Evaluate the importance of the asset for which the IT service provider will be engaged. Consider how Brock would be harmed if: 1. The asset became widely public and / or widely distributed, if applicable 2. An employee of the IT service provider accessed the asset in an unauthorized manner 3. The data / process / function / hardware / software / service were manipulated by an outsider 4. The process / function / hardware / software / service failed to provide expected results 5. The information /data / hardware / software / service were unexpectedly changed 6. The asset was unavailable for a period of time Identify the Brock University data fields that will be stored / processed / controlled or otherwise affected by the IT service provider IT Service Provider Assessment Page 2 of 10

3 BACKGROUND INFORMATION RELATED TO IT SERVICE PROVIDER ENGAGEMENT impacted Number of users Proposed go-live / engagement date [enter if applicable] [enter if applicable] IT Service Provider Assessment Page 3 of 10

4 IT SERVICE PROVIDER ASSESSMENT QUESTIONNAIRE Please complete the questions below. Note that depending on the service for which the IT service provider is contemplated, some questions may not apply. In this case, please state N/A as the response and provide clarification where necessary. 1. IT service provider 1.1 Is the IT service provider an industry leader, small player, niche player or new-comer? 1.2 What is the size of the IT service provider s operations consider number of employees, annual revenues, etc. 1.3 History: how long has the IT service provider been in business? 1.4 Are there current issues of concern, e.g., negative media / press, data breach, etc. 1.5 List the IT service provider s current / prior higher education clients, if known. 2. Terms of service 2.1 Explain the limitations to Brock s use of the IT service provider as outlined in the IT service provider s acceptable usage policies, licensing rights or other IT service provider usage restrictions. 2.2 What advance notice will be provided by the IT service provider for any change of terms? IT Service Provider Assessment Page 4 of 10

5 2. Terms of service 2.3 Does the contract / terms of service outline meaningful liability for the IT service provider in the event that the Brock data centre is harmed and / or Brock s environment / data is breached? 2.4 Is there a cap on liability? 3. Service-level agreement 3.1 Does the IT service provider have an active SLA in place that identifies minimum performance (e.g., up time, etc.)? 3.2 Describe the SLA. 3.3 Describe penalties associated with SLA non-compliance. 4. IT service provider administration 4.1 Who at the IT service provider can access Brock s data centre / environment and/ or data? 4.2 How is their access controlled? 5. IT service provider continuity IT Service Provider Assessment Page 5 of 10

6 5.1 Does the IT service provider have a continuity plan? If so, attach, if possible. 5.2 Does the plan address, at a minimum, critical service failure? 5.3 What service-level guarantee does the IT service provider offer under recovery conditions? 6. Third party 6.1 Does the IT service provider use a third party to provide the required services? If so, explain the services to be provided by the third party and the type of relationship between the IT service provider and the third party. 7. Compliance 7.1 Have all regulatory requirements been identified? If so, by whom? Outline all regulatory requirements. 7.2 Provide / attach evidence of PCI-DSS compliance, if applicable. Does the contract state that the IT service provider will provide evidence of compliance to Brock as soon as finalized? If not, why not? 7.3 Do the proposed services meet current AODA requirements? If so, provide / attach evidence. IT Service Provider Assessment Page 6 of 10

7 8 Maintenance and support 8.1 What are the IT service provider s customer support hours? Do they work for the University area considering the services? 8.2 Does the IT service provider have meaningful problem response and resolution commitments? 8.3 Does the IT service provider give notice of material reductions in service? 9 Pricing 9.1 What are the pricing terms: Pay as you go? Upfront payments? Other? 9.2 When can the IT service provider increase rates? 9.3 Identify all other costs associated with this proposed solution (e.g., consulting / additional hardware / software / training / related services, etc.) 10 Termination 10.1 Describe the process to terminate the IT service provider. IT Service Provider Assessment Page 7 of 10

8 10 Termination 10.2 What happens to Brock data at service termination? 10.3 Can Brock data and the service be moved / transferred to another IT service provider at any time? 10.4 Specify any fees that may be incurred at the end of the service Does Brock have the right to terminate if the IT service provider introduces material modifications to service terms? 10.6 Is there a right of termination for material breach of applicable privacy and security obligations? 11 Application security 11.1 What standards does the IT service provider follow for application development? Do these include rigorous testing and acceptance protocols? 11.2 How is data integrity assured? What controls exist over internal processing? 12 Authentication Note: The proposed solution must integrate with the current Brock University user authentication protocols in order to be considered. IT Service Provider Assessment Page 8 of 10

9 12 Authentication Sign-off by the AVP, ITS is required as evidence that ITS agrees on the integration of the proposed solution with Brock s user authentication protocols Can the IT service provider s user authentication be integrated with the current Brock University user authentication protocols? 13 Data access 13.1 Does the IT service provider have access to Brock data, and if so, what restrictions are there over this level of access? 13.2 Is there secondary uses of the area s account information or Brock data by the IT service provider and / or affiliates without the area s knowledge or consent? 13.3 Does the service provider share Brock s data with other organizations for marketing or other purposes? 13.4 Can any third party access Brock data, and if so, how? 14 Data transmission 14.1 What security features exist for data transmitted back and forth between the area and the IT service provider, e.g., IT Service Provider Assessment Page 9 of 10

10 14 Data transmission encryption? 14.2 Are data transfers manual or automated? 14.3 What are the IT service provider s data leak prevention capabilities? 15 Relationship management 15.1 Will the area assign a Vendor Relations Manager (VRM) to oversee the relationship with the IT service provider? 15.2 Has an internal process been established to formally review the IT service provider s performance at least annually against the contract and Service Level Agreement in collaboration with Information Technology Services? If so, attach the Procedure. 16 Area s business continuity 16.1 Will the area be developing a business continuity plan for when the IT service provider s services are not available? If so, by when? If not, why not? Date submitted: IT Service Provider Assessment Page 10 of 10