As Microsoft continues to require its data management vendors to comply with its Supplier Security and Privacy Assurance Program (MSSPA), leading Tampa-based IT audit firm 360 Advanced is meeting increasing demand by offering Microsoft SSPA attestation services to help vendors achieve compliance.
The Microsoft SSPA initiative is designed to standardize and strengthen the handling of “Microsoft Sensitive Information and/or Microsoft Personal Information.”
Microsoft says the designation Sensitive Information includes, but is not limited to: Microsoft hardware and software products, internal line-of-business applications, pre-release marketing materials, product license keys, and technical documentation related to Microsoft products and services.
Microsoft defines the category of Personal Information to include, but is not limited to: name, address, phone number, fax number, email address, social security number, passport number, other government-issued identifiers, and credit card information.
“In terms of both sensitive and personal data security requirements and third parties, Microsoft is becoming one of the most attentive companies in the world, and that means its vendors must meet a set of rigorous standards of compliance that must be assessed and confirmed by an outside firm like ours with significant experience in more than a dozen levels of specialized IT audits,” commented Dan Collins, President of 360 Advanced, Inc., a national, multi-service, licensed Certified Public Accounting (CPA) and Qualified Security Assessor (QSA) firm that specializes in integrated compliance solutions for service providers.
“We are very good with educating our clients about this process and developing a strategy that meets short- and long-term goals and requirements. And, we can collaborate on an initiative that will keep Microsoft at bay until compliance can be properly achieved,” Collins said.
Collins explained that in lieu of compliance with MSSPA, Microsoft may accept alternative compliance attestations or assessments, such as a third-party Health Insurance Portability and Accountability Act (HIPAA) assessment, the American Institute of Certified Public Accountants Service Organization Control Report (SOC 2), the Payment Card Industry Data Security Standard (PCI DSS), and/or ISO 27001 certification, depending on the nature and sensitivity of the data.