Along with being one of the largest employers in the greater Seattle area, Microsoft has also helped create a wide network of local vendors and suppliers, all of which are required to meet its compliance standards. These standards are set out in the Microsoft Supplier Security and Privacy Assurance (SSPA) Program in the form of the Microsoft Supplier Data Protection Requirements (DPR), which EXP has experience helping clients meet. There are 56 requirements in all, and many can be bewildering to non-technical readers. Companies must confirm compliance with each one, and any noncompliance can put a company in danger of losing its vendor status, which is a major concern to say the least.
Microsoft’s corporate program for delivering data processing instructions is called Supplier Security and Privacy Assurance (SSPA), with the instructions coming in the form of the Microsoft Supplier Data Protection Requirements (DPR). Vendors who want to work with Microsoft must participate in the SSPA program, which includes annual compliance reports.
The SSPA and DPR compliance requirements focus primarily on two things:
Microsoft wants suppliers that collect or process Microsoft users' personal data to take great care with it. Among other things, Microsoft's chief concerns are:
Microsoft wants suppliers to clearly assign responsibility for cybersecurity and data protection, and the DPR includes a requirement to provide privacy and security awareness training. EXP is here to help your company meet these requirements and implement cybersecurity best practices.
The good news is that all of Microsoft's cybersecurity requirements align with the NIST (National Institute of Standards and Technology) recommendations we at EXP have been advocating to Microsoft vendors in the Seattle area over the last three years. These include:
Fortunately, most of the tools needed to meet these requirements are now available in Office 365, and we can help suppliers identify the correct subscription and fill any compliance gaps they may have. A relevant illustration can be found in our case study, "Agency Vendor Compliance."
For more information, email info@exptechnical.com or contact Pat Cooke, CISSP, EXP’s security practice leader.