The top 5 SSPA compliance gaps

19 August 2020

Nick Norton, Audit Principal, BDO USA
Mark Griffiths, Partner, Risk Advisory

What are the top five areas many suppliers must address before working with Microsoft? BDO’s Risk Advisory team outline key compliance gaps and how businesses can resolve them.

Suppliers who wish to initiate or renew contracts with Microsoft may need to undergo an SSPA Independent Assessment to ensure that they are complying with the latest Microsoft SSPA program requirements. Independent Assessments often identify potential security and privacy gaps, which suppliers will need to resolve before completing the Independent Assessment and commencing or continuing work with Microsoft.

As a Microsoft Preferred Assessor, BDO has conducted SSPA Independent Assessments for businesses of all sizes and industries. As a result, our experts have encountered a wide range of gaps that can prevent or delay a supplier from working with Microsoft. Based on this experience, we have identified five SSPA compliance gaps that we frequently uncover during our Independent Assessments.

This list is intended to help suppliers prepare for the SSPA assessment process and ensure an efficient and valuable experience for our clients.


1. Data classification, retention & deletion

Suppliers need formal data retention and disposal policies that identify:

  • Types of data being collected – is the information personal, confidential or of another nature?
  • Means for storage – what systems and processes are in place to ensure the data is kept safe?
  • Data retention – how long will the data be kept and what will it be used for?
  • Disposal schedule – when and how will the business dispose of/destroy the data?

In addition to developing these policies, suppliers must implement them consistently across their business or businesses.

We also recommend that suppliers develop and implement a process to document the deletion or disposal of any Microsoft Personal or Confidential Data related to the performance of services for Microsoft. This process should describe the circumstances for retention, how data age will be tracked, how files will be securely deleted or returned to Microsoft, and how data destruction or disposal will be recorded.

When developing such data retention and disposal policies, the supplier should verify that its practices align with retention requirements specified in their contracts with Microsoft and any other legal or regulatory requirements.

For businesses operating in Australia, this means complying with several laws including the Australian Privacy Act 1988 and the Australian Government’s business records and retentions policy.

2. User access management

Suppliers should perform regular reviews of users’ system access. Neglecting to perform such reviews increases the risk of unauthorised users gaining or retaining access to sensitive data.

We recommend that suppliers implement formal user access review procedures to help ensure that an individual’s access to Microsoft Personal or Confidential Data is limited in scope and duration according to what is permitted under the terms of the supplier’s contract with Microsoft. Suppliers should ensure that documentation supports the business need for access.

3. Threat identification and response and data-loss prevention

In Australia, businesses regulated under the Privacy Act 1988 must ensure they are compliant with the notifiable data breaches scheme, which requires a business to report an actual or suspected breach. According to the Office of the Australian Information Commissioner, a data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure.

As such, a formal incident response plan helps ensure that data privacy and security threats are detected and responded to promptly.

An effective incident response plan should identify:

  • The employee or employees responsible for handling a breach
  • The specific actions to be taken (communications, as well as legal and contractual requirements)
  • The specific parties to be notified (or to consider notifying)
  • How incidents will be logged and tracked through remediation.

We recommend that suppliers educate all employees who could be involved in such incidents on the business’s incident response policy and supporting processes to help ensure that they are aware of the appropriate policies and procedures.

4. Data protection requirement oversight

Suppliers are required to formally identify the individual or group of individuals who are assigned responsibility for compliance with the Microsoft Supplier Data Protection Requirements (DPR). Documentation should include the authority granted and the responsibilities assigned to that role.

We recommend that suppliers ensure that the individual or group of individuals with assigned responsibility are fully aware of their roles and responsibilities.

5. Business continuity and disaster recovery planning and testing

A formal business continuity and disaster recovery plan can help ensure that suppliers are prepared to effectively respond and recover in an unexpected event. An effective plan includes the following key attributes, at a minimum:

  • Inventory hardware and software (including third-party applications)
  • Identify the operational processes that depend on each hardware or software component
  • Identify the type or types of data processed by each hardware or software component
  • Define tolerance for downtime and data loss (for each application)
  • Define key response and recovery roles and responsibilities (including third parties)
  • Develop a communication plan, including key contacts and contact information
  • Define response procedures for key systems/applications, including alternative operating procedures
  • Perform testing and provide training, at least annually.

The benefits of working with a Microsoft preferred assessor

While these are the five areas where we most commonly see performance gaps, this list is far from exhaustive. There are many aspects of a business’s security and privacy practices that can fall out of SSPA compliance, and the appropriate remediation approach can vary depending on a business’s size, services, and industry. It is beneficial to work with an assessor that understands that complying with SSPA is not a one-size-fits-all proposition and that can tailor recommendations to each business’s needs and resources.

As a Microsoft Preferred Assessor and a collaborative partner with Microsoft, BDO continually monitors and reviews the latest SSPA program updates and compliance requirements. Our Risk Advisory team is equipped, and trusted by Microsoft, to counsel you through each stage of the compliance process. We can help suppliers understand the evolving SSPA program, educate and coach on security and privacy gaps, and maximize the engagement to support ongoing data protection efforts.

To find out more, see our Risk Advisory services or contact your local adviser.