If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance (SSPA) program (previously called the Vendor Privacy Assurance Program). You might be wondering what this requirement means for your business and what to expect during a Microsoft Data Protection Requirements (MS DPR) assessment.
Before the attestation, check the Data Protection Requirements (DPR) and make any necessary changes to meet the criteria. Your auditor will ask for some evidence to show that you’ve met these requirements, so be sure to keep some documentation of your work and controls. When the assessment is complete, you’ll be given a letter of attestation which you can submit to Microsoft. If you choose Schellman as an assessor, your auditor can point out areas for improvement and help you identify weaknesses in your current practice to avoid jeopardizing your Microsoft contract. If your organization is subject to other types of IT audits, discuss the option of combining the Microsoft DPR attestation with other audits or assessments to determine if there is an overlap in testing efforts or documentation to ease the burden of multiple audits.
If you’re anticipating a requirement to provide a letter of attestation for the Microsoft DPR but aren’t yet prepared, Schellman can help you identify control gaps where your organization doesn’t meet the criteria with a readiness assessment. You’ll have an opportunity to identify potential issues before committing to a formal attestation. When you’ve remediated the gaps, your auditor can return to complete the formal attestation. A readiness assessment could also be a benefit if you’re currently bidding on a Microsoft contract and want to show your competitive, proactive approach to privacy compliance.
Wherever you are in compliance with the Microsoft Supplier Security and Privacy Assurance Program requirements, Schellman can help. Speak with an SSPA specialist about your organization’s Microsoft Supplier needs today.
In this video, Debbie Zaller explains the cost for an MS DPR assessment as well as the two primary factors that could influence the price:
We begin each project with your end goals in mind and a thorough understanding of all key project activities. Effective communication and timely coordination throughout the engagement are central to our methodology with all clients.
The first phase of any engagement is planning. This ensures that we’re aligned on the who, what, where, when, why, before we kick off any actual testing.
Proper planning is imperative to the success of the project and Schellman has standard frameworks and processes that clearly outline the “how” and help us accelerate the work for the collective team. Once we’ve aligned on planning and finalized any outstanding items, we’re ready to kick-off the engagement in earnest.
This upfront work helps minimize the likelihood of any last-minute changes to the project or team and gives you a reliable plan prior to the testing and on-site visit (if applicable).
Testing and gathering are core components of any compliance engagement. Based on our aligned agreement during the planning and kickoff phase, we’ll gather the evidence required to meet the objectives.
Schellman has a “no surprise” policy and has daily contact with the stakeholders during the testing and gathering activities. What’s more, Schellman documents everything in real time and even starts to draft the final deliverable as findings become evident. This allows us to provide you with the draft report as efficiently as possible at the conclusion of this phase.
The final phase of the engagement is reporting. But again, we focus our entire assessment process on the timely delivery of a final report that’s clear, concise, and accurate.
We consider the entire process and customize our final reports for each Client. You can expect your final report within 30 days of the conclusion of the Testing and Gathering phase.
Chris is a Director and Privacy Technical Lead at Schellman based out of Atlanta, GA. With more than five years of experience in information assurance, Chris has a concentration in privacy-related engagements.