5 Common SSPA Compliance Gaps

July 2020

5 Areas Many Suppliers Must Address Before Working with Microsoft


Suppliers who wish to initiate or renew contracts with Microsoft may need to undergo an SSPA Independent Assessment to ensure that they are in compliance with the latest Microsoft SSPA program requirements. Independent Assessments often identify potential security and privacy gaps, which suppliers will need to resolve before completing the Independent Assessment and commencing or continuing work with Microsoft.

As a Microsoft Preferred Assessor, BDO has conducted SSPA Independent Assessments for companies of all sizes and specialties. As a result, our professionals have encountered a wide range of gaps that can prevent or delay a supplier from working with Microsoft. Based on this experience, we have identified five SSPA compliance gaps that we frequently uncover during our Independent Assessments. We discuss these gaps and provide general recommendations for how to remediate them.

This list, along with our Beginner’s Guide to Microsoft’s SSPA Program and Independent Assessments, is intended to help suppliers prepare for the SSPA assessment process and ensure an efficient and valuable experience for our clients.

1. Data classification, retention, and deletion

Suppliers need formal data retention and disposal policies that identify the types of data collected, the means of storage, the retention period, and a disposal schedule. In addition to developing these policies, it is important that suppliers implement them consistently. We also recommend that suppliers develop and implement a process to document the deletion or disposal of any Microsoft Personal or Confidential Data related to the performance of services for Microsoft. That process should describe the circumstances for retention, how data age will be tracked, how files will be securely deleted or returned to Microsoft, and how data destruction or disposal will be recorded. When developing such data retention and disposal policies, the supplier should verify that its practices align with the retention requirements specified in Microsoft contracts and with any other legal or regulatory requirements.

2. User access management

Suppliers should perform regular reviews of users’ system access. Neglecting to perform such reviews increases the risk of unauthorized users gaining or retaining access to sensitive data. We recommend that suppliers implement formal user access review procedures to help ensure that an individual’s access to Microsoft Personal or Confidential Data is limited in scope and duration to what is permitted under the terms of the supplier’s contract with Microsoft. Suppliers should also ensure that documentation supports the business need for each grant of access.

3. Data protection requirement oversight

Suppliers are required to formally identify the individual or group of individuals assigned responsibility for compliance with the Microsoft Supplier Data Protection Requirements (DPR). Documentation should include the authority granted and the responsibilities assigned to that role. We recommend that suppliers ensure that the individual or group with assigned responsibility is fully aware of its roles and responsibilities.

4. Threat identification and response and data-loss prevention

A formal incident response plan helps ensure that data privacy and security threats are detected and responded to promptly. An effective incident response plan should identify the employee(s) responsible for handling a breach, the specific actions to be taken (communications, as well as legal and contractual requirements), the specific parties to be notified (or to consider notifying), and how incidents will be logged and tracked through remediation. We recommend that suppliers educate all employees who could be involved in such incidents on the company’s incident response policy and supporting processes, so that they are aware of the appropriate policies and procedures before an incident occurs.

5. Business continuity and disaster recovery planning and testing

A formal business continuity and disaster recovery plan helps ensure that suppliers are prepared to respond to and recover from an unexpected event effectively. An effective plan includes the following key attributes, at a minimum:

  • Inventory hardware and software (including third-party applications)
  • Identify the operational processes that depend on each hardware and software asset
  • Identify the data type(s) processed by each hardware and software asset
  • Define the tolerance for downtime and data loss (for each application)
  • Define key response and recovery roles and responsibilities (including third parties)
  • Develop a communication plan, including key contacts and contact information
  • Define response procedures for key systems/applications, including alternative operating procedures
  • Perform testing and provide training, at least annually


The benefits of working with a Microsoft Preferred Assessor

While these are the five areas where we most commonly see performance gaps, this list is far from exhaustive. There are many aspects of a company’s security and privacy practices that can fall out of SSPA compliance—and the appropriate remediation approach can vary depending on a company’s size, services, and industry. It is beneficial to work with an assessor that understands that complying with SSPA is not a one-size-fits-all proposition and that is able to tailor recommendations to each company’s needs and resources.

As a Microsoft Preferred Assessor and a collaborative partner with Microsoft, BDO continually monitors and reviews the latest SSPA program updates and compliance requirements. Our team of professionals is equipped—and trusted by Microsoft—to counsel clients through each stage of the compliance process. BDO can help suppliers understand the evolving SSPA program, educate and coach them on security and privacy gaps, and maximize the engagement to support ongoing data protection efforts.
