Successfully Navigating a Microsoft SSPA and DPR Assessment


What is the SSPA and DPR Assessment?

Along with being one of the largest employers in the greater Seattle area, Microsoft has also helped create a wide network of local vendors and suppliers — all of which are required to meet compliance standards. These standards are set out in the Microsoft Supplier Security and Privacy Assurance (SSPA) Program in the form of the Microsoft Supplier Data Protection Requirements (DPR), which EXP has experience helping clients meet. There are 56 requirements in all, and many can be bewildering to non-technical readers. Companies must confirm compliance with each one, and any noncompliance can put the company in danger of losing its vendor status, a major concern to say the least.

Microsoft’s corporate program for delivering data processing instructions is called Supplier Security and Privacy Assurance (SSPA), with the instructions coming in the form of the Microsoft Supplier Data Protection Requirements (DPR). Vendors who want to work with Microsoft must participate in the SSPA program, which includes annual compliance reports.  

The SSPA and DPR compliance requirements focus primarily on two things: 

1.  Protection of Personal Data 

Microsoft wants suppliers to take great care with Microsoft users' personal data if they collect it. Among other things, they are primarily concerned with: 

  • Contractual coverage for personal data collection 
  • “Required to perform” data collection only 
  • Consent management 
  • Privacy policy notification 
  • Data retention and destruction 
  • Data anonymization 
  • Data subject rights (right to be forgotten, formal complaint process, etc.) 
  • Breach notification 

2.  Cybersecurity 

Microsoft wants suppliers to distinctly assign responsibility for cybersecurity and data protection, and the DPR includes a requirement to provide privacy and security awareness training. EXP is here to help your company meet these requirements and implement the best practices in cybersecurity. 


How do I Comply with Microsoft SSPA and DPR?

The good news is that all Microsoft cybersecurity requirements align with the NIST (National Institute of Standards and Technology) recommendations we at EXP have been advocating to Microsoft vendors in the Seattle area over the last three years. These include: 

  • A formalized cybersecurity program 
  • Annual risk assessment and change control 
  • On-going “evergreen” security plan 
  • Mandatory security awareness training 
  • Written security policy 
  • Written cybersecurity incident response plan 
  • Annually tested disaster recovery and business continuity plans 
  • Firewall with intrusion prevention 
  • Vulnerability scanning 
  • Data encryption at rest and in transit 
  • Asset management 
  • Next-generation anti-virus and anti-malware 
  • Data classification and data loss prevention 
  • Rights management 
  • Patch management 
  • Multi-factor authentication 
  • Mobile device management 

Fortunately, most of the tools needed to meet these requirements are now available in Office 365, and we can help suppliers identify the correct subscription and fill any compliance gaps they may have. A relevant illustration can be found in our case study, "Agency Vendor Compliance."

For more information, email or contact Pat Cooke, CISSP, EXP’s security practice leader. 
