Close
Close

Microsoft supplier compliance: Assess for success

Be prepared to comply with data protection requirements

RFP
Assess for success Strong privacy and security practices are at the top of the agenda for today’s businesses to solve. Not only are they essential to customer trust but new regulations intended to protect consumers’ privacy require strict compliance.

The European Union’s General Data Protection Regulations (GDPR), which took effect in May 2018, together with recent high-profile incidents involving compromised consumer data at large U.S. organizations have helped to drive new privacy regulations.

Doing business with Microsoft Technology companies, in particular, are taking steps to strengthen privacy and security policies associated with their products. Since GDPR has gone into effect, Microsoft has updated requirements for its suppliers. Microsoft suppliers who handle personal or confidential information as part of the execution of services provided under the terms of a purchase order or contract with the company must comply with the Microsoft Supplier Data Protection Requirements (DPR).

The European Union’s General Data Protection Regulations (GDPR), which took effect in May 2018, together with recent high-profile incidents involving compromised consumer data at large U.S. organizations have helped to drive new privacy regulations.
The requirements are part of Microsoft’s Supplier Security and Privacy Assurance (SSPA) corporate program which involves an annual compliance cycle for current suppliers; for new suppliers, work cannot begin until compliance is complete.

Microsoft requires that many of its suppliers demonstrate independent assessment of compliance with this policy within 90 days of signing a contract with Microsoft and on an annual basis thereafter. Those suppliers are required to provide a third-party assessment of their compliance. The Independent Assessment helps demonstrate a Supplier’s compliance with the new DPR and is performed by an Independent Assessor based on the Supplier’s Self-Assessment of their DPR compliance.

In addition to improving the integrity of the data, the change in supplier requirements allows Microsoft to better validate assessments of its large network of vendors. David Bright, Grant Thornton’s senior manager, Controls Advisory, explained that with an estimated 17,000 vendors, the requirement change allows Microsoft to more efficiently and consistently assess vendor compliance.

Bright added, “Microsoft has outlined 56 different control objectives that suppliers must meet. Depending on the type of information they’re holding, a supplier may have to meet all 56 requirements or a subset of those requirements.”

Getting requirement-ready In order to comply with Microsoft’s updated supplier requirements, vendors should take the following proactive steps to prepare for the third-party assessment.

  • Gather the necessary documentation. Prior to the assessment check the Data Protection Requirements and make any necessary changes to meet the criteria and assess whether there are any gaps. Make sure you can provide your third-party assessor with documentation supporting your work and controls. If chosen as your assessor, Grant Thornton can identify areas for improvement as well as weaknesses in your current practice to avoid compliance issues.
  • Be prepared to answer five key questions:
  1. What is the Microsoft data classification for the information you hold (Personal, Confidential or both)?
  2. In approximately how many locations in your organization are you in possession of Microsoft personal or confidential data?
  3. What is the average number of processes per location that are associated with Microsoft personal or confidential data?
  4. Do you have an ISO27001 or SOC2 report that covers the locations and departments handling the Microsoft data you hold?
  5. What is your deadline for the assessment?
  • Identify a qualified third-party assessor. Make sure to select an Independent Assessor that can not only conduct the assessment and prepare the assessment letter, but who can also provide value-add expertise to identify gaps and suggest areas for improvement.
  • Review audit needs to determine the feasibility of combining IT audits. If your organization is subject to multiple IT audits, discuss with your Independent Assessor the option of combining the Microsoft DPR assessment with other assessments to avoid an overlap in testing efforts or reduce the burden of documentation.

Choosing an assessor: The Grant Thornton advantage Those organizations that must adhere to Microsoft’s data protection requirements must submit a letter from an approved third party within 90 days of the submission of its annual information update. An approved third party must be:

  • A member in good standing with the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC)
  • Qualified to conduct a Generally Accepted Privacy Principles (GAPP) assessment

As a licensed CPA firm and approved third-party attestation body, Grant Thornton is well positioned to help your organization meet the Microsoft SSPA Attestation requirements by performing the following activities:

  • Evaluating your organization’s controls as they relate to the Microsoft SSPA requirement criteria
  • Identifying any gaps against the SSPA requirements
  • Determining any areas of weakness or opportunities for improvement based on gap findings
  • Issuing the assessment letter

“As a firm with global reach and deep expertise, Grant Thornton provides value-add insights that go beyond basic validation to help businesses comply with Microsoft requirements in a timely and cost-effective manner.”

David Bright
Senior Manager, Controls Advisory
Grant Thornton LLP
“As a firm with global reach and deep expertise, Grant Thornton provides value-add insights that go beyond basic validation to help businesses comply with Microsoft requirements in a timely and cost-effective manner,” Bright said. “It’s not just a check-the-box exercise. With a readiness assessment, Grant Thornton helps you identify control gaps where your organization may not be meeting the criteria. ”

Backed by regional and global resources and in-depth experience with risk management attestation and data privacy practices, Grant Thornton delivers more than 1,000 attestations and third-party risk management assessments annually. The firm’s global team holds relevant certifications including CIPP, CIPT, CISM and CISA among others. Moreover, representing a global organization with 50,000 professionals in 135 countries, Grant Thornton is able to efficiently serve organizations of any size quickly and cost-effectively.

Upon determining the scope and complexity of your Microsoft DPR engagement, Grant Thornton will identify the documentation needed and connect you with a local, common language Grant Thornton International member firm that can quickly and efficiently complete the assessment. The local assessment team will schedule an onsite visit (generally two days) to perform inquiries to identify gaps and communicate observations.

If your organization is a designated Microsoft supplier that handles personal and confidential data, it is imperative that you meet the privacy principles defined in Microsoft’s SSPA guidelines. Reach out to Grant Thornton’s privacy and compliance professionals below to help you comply with Microsoft’s data protection requirements.

Contacts:
Scott Peyton
Partner, Cyber Risk
T +1 303 813 3971

David Bright
Senior Manager, Controls Advisory
T +1 602 474 3419