Remote SSPA assessment challenges tackled


Whilst COVID-19 means we may be working from home, the need to manage the Microsoft supply chain has not changed. Our clients are still being challenged with meeting the compliance requirements set out in the Microsoft Supplier Security & Privacy Assurance Program (SSPA). The assessment deadlines are still in place, as is the need, for some, to have a third-party attestation of compliance to the Data Protection Requirements (DPRs).

We are aware that the SSPA Team at Microsoft have been granting some extensions to deadlines, but the ability for Microsoft to issue POs to suppliers still requires that they have an 'SSPA status Green'.

At iCompli we have been working hard to ensure that we can still provide all the assistance required to help clients manage their SSPA program, including submitting self-attestation results and providing independent 'third-party attestations'.

Using Microsoft Teams (and Google Hangouts) we have been able to assist clients to re-evaluate their 'Supplier Profiles' to ensure that they are being asked to complete the correct (and relevant) DPRs. On a number of occasions, suppliers have unwittingly ticked incorrect options, e.g. declaring that they process Highly Confidential data when in fact they do not. This can lead to a requirement for third-party assessment, delaying achieving 'Status Green' and releasing POs. Using screen-sharing functionality, we are able to help clients quickly complete their supplier profiles and ensure that SSPA requirements are correctly applied for their profile.

Third-party attestations can also be completed remotely. It requires careful planning to ensure the assessor has access to all the evidence they require, but experience shows that this can be readily achieved using a combination of screen sharing and pre-audit access to relevant supporting documentation, e.g. training records, policy documents, server logs etc. The assessment pre-planning phase pays particular attention to the employees who have the in-depth knowledge of a particular function, making sure that they are available to join the conference call and have pre-configured any VPNs etc. that will allow them to access/share the relevant evidential documents during the call.

Many of our assessment 'audits' can be completed in one day, providing the pre-planning phase has been carried out diligently. We recognize that a whole day on a conference call can be challenging, so we ensure that the audit is broken down into manageable time 'chunks'! By carefully planning who will be required for each section of the DPRs, we can ensure that staff are only on the call for as long as necessary. If you're a solopreneur or micro-business, sorry, but it might be just you on the call!

At iCompli we will have a solution to help you with your SSPA requirements. One-to-one and one-to-few consultancy sessions are conducted on Microsoft Teams, allowing us to guide you through the latest (version 6) SSPA requirements and ensure that your self-attestation documents are accepted first time by the Microsoft SSPA Team.

Need help? Drop us a line at info@icompli.co.uk