cyBARR Chats Episode 8: Navigating Microsoft SSPA and DPR

By June 18, 2021Videos
In this episode of cyBARR Chats, we discuss details of Microsoft SSPA and Microsoft DPR, how it is related to ISO 27001, and BARR’s approach to helping companies meet those requirements.


Michelle Smith: [00:00:00] Hi everyone. And welcome to this episode of cyBARR Chats today. We’re with Angela Carpenter manager at BARR and Cody Howell senior consultant, and we’ll be discussing some details of Microsoft SSPA and Microsoft DPR, how it’s related to ISO 27001 and BARR’s approach to helping companies meet those requirements.

So let’s dive right in with our first question. What is Microsoft SSPA and DPR, and to whom did these requirements apply?

Angela Carpenter: [00:00:30] So Microsoft’s supplier security and privacy assurance program, or otherwise known as the SSPA is a program that set up by Microsoft to deliver data processing instructions to suppliers of Microsoft and the data protection requirements or otherwise known as the DPR.

These are requirements that members of the program are often required to conform to.  And the requirements themselves consist of two main sections. The first being the privacy controls and example controls in this section include notice to data subjects, choice, and consent data retention. Those are just some examples and security controls.

Examples include access management, vulnerability management, DLP, et cetera. And typically the Microsoft suppliers that are required to participate in the program are those who collect, store, or process Microsoft personal or confidential data. These suppliers must enroll in the program before they can even start working with Microsoft.

And sometimes depending on the rating of the data that they work with, they are required to provide independent assurance to Microsoft through a report produced by the third party against the requirements in the DPR. The report that’s produced by a third party is actually one of the services that we offer at BARR.

Michelle Smith: [00:01:59] Awesome. And what are the three categories that the Microsoft SSPA attestation reporting guidelines group vendors into?

Cody Hewell: [00:02:06] So when an organization becomes supplier of Microsoft on, they’re actually asked to complete an MPI, uh, known as a Microsoft personal information inventory. So depending on the type of data handled, per that inventory, The Microsoft SSPA attestation reporting guidelines, group them into three different categories, which are high business impact, moderate business impact, and low business impact.

So a low business impact, if Microsoft data is handled by the suppliers determined to really not include any personal information or really has a low business impact, typically no other further, no further action is really required from the supplier moderate business impact. Uh, that’ll usually include personally identifiable information.

PII is not highly sensitive. That’s typically going to be a name, address, phone number, email. Um, different pieces of information along those lines. Anyone in the moderate business impact, must adhere to the Microsoft vendor data protection requirements or the DPR, and are required to certify compliance to GDPR, but the self-certification within 90 days of submission of the MPI inventory during their second compliance cycle and annually on after that.

And then finally we have high business impact. So this includes some of the following information. It’s not limited to this. That’ll include authentication, authorization, credentials, such as private cryptographic keys, highly sensitive PII that’s financial transactions, credit card number of financial profiles, such as consumer credit reports, medical profiles, such as biometric identifiers.

And then all high business impact organizations must also adhere to the DPR. Businesses that are considered high business impact must submit a letter of attestation from an approved third party within the 90 days of the submission of the annual MPI inventory.

Michelle Smith: [00:04:07] So how long does it take to get attestation against Microsoft DPR?

Angela Carpenter: [00:04:13] So this truly does vary from company to company, and it depends on a variety of factors, such as the client’s current security and privacy posture, the size of the company and the complexity of the organization. So for example, for a client that already has a SOC 2 report and is keeping up with those controls.

They’re likely already meeting most of the requirements in the security section of the DPR. So the time to implement the requirements would likely be reduced, but in general, for a brand new client with no previous soccer report or ISO 27001 certification, it typically takes about a month to complete a readiness assessment with us.

Two to three months after that to implement the requirements and then another month for us to perform the independent assessment over the DPR.

Michelle Smith: [00:05:06] Gotcha. So speaking of ISO 27001, how are Microsoft DPR and ISO 27001 related?

Cody Hewell: [00:05:16] Yeah. So Microsoft DPR has quite a lot of overlap with 2701 also known as the information security management standard and ISO 27701 the privacy extension to ISO 2701, so much so that in many cases, Microsoft will actually allow suppliers.

Uh, subject to the DPR to substitute an independent assessment over the DPR for ISO 2701 in 27701 certifications, uh, ISO certifications, definitely larger work. There is a large advantage to having an internationally recognized framework and you’ll receive certification that you can actually share with some of your customers.

And a great thing is BARR actually performs both Microsoft data protection, requirement audits, and ISO certification. So anyone looking for help to determine what is the best fit for your organization BARR can do that.

Michelle Smith: [00:06:10] Great. So last question. What is BARR’s approach to helping companies meet Microsoft DPR and SSPA requirements?

Angela Carpenter: [00:06:19] Yeah. So for companies who are considering working with Microsoft in the future, we recommend that you start our readiness assessment against the DPR with us as soon as possible to get you a headstart. Since we mentioned earlier, how you’ll need to show compliance with the DPR before you can even do any work with Microsoft, the sooner that your gaps are identified the better. And as part of the readiness assessment, we’ll dig into your environment. We’ll conduct process walk-throughs and identify any gaps that need to be remediated to meet the requirements. Something else to consider is even if your organization isn’t thinking about working with Microsoft in the future with GDPR compliance, becoming more and more of a goal for organizations compliance with the Microsoft DPR framework will actually get you fairly close to meeting their requirements of GDPR.

So a readiness assessment using the Microsoft DPR framework can provide organizations internal assurance that they’re meeting the GDPR requirements that they may be subject to. And additionally, as part of our readiness assessments, we can map your organization’s controls and identify gaps to other frameworks outside of the DPR.

So that you’ll know specifically what you’ll need to implement to meet additional framework. At BARR, we take a test once use many approach to our engagements so that you can work towards meeting the requirements of multiple frameworks after all, after just going through one readiness assessment. And after the readiness assessment occurs, as I mentioned earlier, you have time to remediate the gaps and then once you’re ready, everything has been remediated.

We’ll come in and do our independent assessment. And that process typically takes about a month to two months, depending on the scope and complexity of your organization.

Michelle Smith: [00:08:11] Well, Angela and Cody, thank you so much for these insights on Microsoft SSPA and Microsoft DPR. We look forward to seeing everyone next time on cyBARR Chats.

Have a great day.