Microsoft SSPA DPRs version 10 coming! What you need to know.

Microsoft SSPA DPRs version 10 coming! What you need to know.

Overview

Microsoft continues to update its data protection requirements (DPRs) for its Supplier Security & Privacy Assurance program (SSPA), to keep pace with technical and legal challenges. It has now published a 'PREVIEW' of the upcoming version 10 (effective September 23, 2024).

As with previous updates, many of the DPRs remain unchanged. In this 10th iteration, 39 of the previous requirements remain unchanged along with 18 NEW REQUIREMENTS, 17 of those in a new section focused on artificial intelligence (AI) and one in the data subject requirements.

The focus of the version 10 update is AI-centric. Microsoft has introduced 17 new DPRs for suppliers who use ‘AI Systems’ to process Microsoft personal or confidential data. This includes identifying the use of AI in potentially harmful situations. The use of AI Systems triggers the requirement for independent assurance of compliance.

The ‘Quick read’

  • VERSION 9 REMAINS CURRENT, Version 10 effective 23.9.24
  • Seventeen new DPRs are introduced for those who use AI Systems
  • Use of AI Systems requires both an external assessment and the use of ‘Red teams’ to complete attack and penetration testing of the system.
  • A new 90-day record retention requirement has been set for some DPR evidence requirements i.e., DPR36 and DPR40 relating to information security and patch management records.
  • Data subject access requests have a new requirement i.e., requirement to supply a list of all actual recipients and possible third-party recipients of Microsoft Personal Data. This could be an onerous requirement for suppliers who do not have a complete GDPR record of processing activity (RoPA).
  • Data incident response and remediation procedures have come under the spotlight. Microsoft now requires information on the potential compromise, and a documented incident review.
  • The requirements for annual training have been amended to remove duplication that was present in version 9 of the DPRs. Note that training remains an important element of compliance.
  • For those creating software on behalf of Microsoft, new controls are required to protect against the potential release of confidential information (secrets). This includes a requirement to use some form of automated code scanning solution to identify errors and unintended inclusions and use of a supported and current version of a credential exposure prevention tool.

New AI requirements

SSPA now requires controls for the use of AI whenever processing Microsoft personal and/or confidential data using ‘AI Systems’

  • An ‘AI System’ means an engineered system that applies an optimized model so that the system can, for a given set of human-defined objectives, make predictions (see below), recommendations, or decisions influencing the environments it interacts with. Such a system may operate with varying levels of automation
  • “Sensitive Use” of AI is when the reasonably foreseeable use or misuse of an AI System could affect an individual in the following ways:
    • Consequential impact on legal position or life opportunities.
    • Risk of physical or psychological injury.
  • AI Systems should be regularly assessed by attack and penetration testing (so-called Red Teams).
  • This not only covers probing for security vulnerabilities, but also includes probing for other system failures, such as the generation of potentially harmful content.
    • Recognition that AI systems come with new risks, and red teaming is core to understanding those novel risks, such as prompt injection and producing ungrounded content.

For those who are involved in attack and penetration testing Microsoft has a new definition, “Red Teaming”, and associated resources at https://learn.microsoft.com/en-us/security/ai-red-team/.

Version 9/10 comparison chart

For your free comparison chart or help on meeting your Microsoft compliance requirements,  drop us an email at info@icompli.co.uk

 

iCompli Ltd SSPA Services.