Microsoft SSPA DPR Case Study II
Requirement
Assist a large European-based Microsoft supplier in ensuring it was fully compliant with Microsoft's Supplier Security and Privacy Assurance (SSPA) program, as prescribed by the Microsoft Supplier Data Protection Requirements (DPR).
Issues
The supplier had recently begun working with Microsoft, and due to the sensitivity of the data being stored and processed, Microsoft requested an independent audit. The audit findings highlighted notable information security and data privacy deficiencies. Microsoft wanted the deficiencies remediated immediately; otherwise the client would incur heavy contractual fines from Microsoft.
Additional issues for the client
Lack of Experience with Compliance at this Level: While the client had performed annual SOC 2 audits, the scope and requirements of Microsoft's SSPA DPR were much more detailed and granular as they applied to the actual data the client was processing.
Deficient Security Documentation: The client had no more than a handful of existing information security policies and procedures, and those had been written years ago. Additionally, the client had not formalized any programs or plans for incident response, contingency planning, or the other critical IT areas required by the Microsoft DPR.
Deficient Privacy Documentation: The client also had no formalized policies and procedures relating to data privacy, and no documented data privacy program measures in place.
Unclear Roadmap: Naturally, senior management wanted the deficiencies corrected immediately, yet the client lacked both the internal manpower and the overall understanding of where to even begin.
Solution
Centris deployed a team of experts specializing in the Microsoft Supplier Data Protection Requirements (DPR) program that successfully accomplished the following:
- Performed a comprehensive gap analysis to determine the areas requiring remediation and other necessary measures.
- Defined the project scope and the client's participation in developing an action plan for remediation.
- Completely reviewed all current information security, cybersecurity, and data privacy policy documentation, making updates as required.
Outcome
- Built and deployed an all-new set of information security and cybersecurity policies, procedures, and processes as required by Microsoft’s DPR.
- Created all-new security and privacy documentation in three languages (English, French, and Spanish).
- Created a true culture of compliance in which employees now understand and value information security, cybersecurity, data privacy, and the importance of protecting consumer information.
- Implemented a continuous monitoring program to ensure that data privacy controls remain properly monitored long after the consultants are gone.