Nearly a decade ago, Microsoft introduced a vendor compliance program – the Supplier Security and Privacy Assurance Program (SSPA) – to keep tabs on vendors that handle “personally identifiable information” of their employees or customers. PII, as it is known, covers data such as credit card numbers, social security numbers, and the like. In the age of cyber security attacks, it is comforting to know programs like this exist.

The compliance effort required of qualifying vendors is to establish internal controls for how this information is collected, used, retained, transmitted, destroyed, or disclosed, and to make sure those controls are functioning properly. Microsoft essentially established a bar for what they consider to be reasonable protection standards (the program’s foundation is based on the Generally Accepted Privacy Principles promulgated by the AICPA and the Canadian Institute of Chartered Accountants). Check out CPA Canada’s website for more information.

Depending on the volume and type of information your company handles, you may be able to self-certify your compliance or you may have to engage an independent CPA to examine your controls and issue a report.

Compliance now includes Microsoft Sensitive Information

In the last few years, this vendor compliance program was expanded to include those vendors that handle what is termed Microsoft Sensitive Information. Microsoft Sensitive Information represents hardware and software products, internal line-of-business applications, pre-release marketing materials, product license keys, and technical documentation related to Microsoft products and services. The same guiding principles apply, but now they are focused on the handling, access, transmittal and destruction of Microsoft’s trade secrets. Vendors can qualify for either or both of these classifications. If you haven’t already been asked by Microsoft to categorize the information you handle, you likely will be soon.

If you think you are a vendor that should comply with this program, I encourage you to contact Microsoft or Clark Nuber for more information and to better understand the systems requirements that may be expected of you.

© Clark Nuber PS and Focus on Fraud, 2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.