Skip to content

index.md

Latest commit

 

History

History
124 lines (98 loc) · 8.97 KB

index.md

File metadata and controls

124 lines (98 loc) · 8.97 KB

Control Catalog

The FSI Copilot Governance Framework contains 58 controls organized across four lifecycle-based pillars, providing comprehensive governance coverage for Microsoft 365 Copilot in US financial services.

Control Index

Pillar 1: Readiness & Assessment (16 controls)

Pre-deployment data hygiene, oversharing detection, permission audits, and license planning.

ID Control Governance Level
1.1 Copilot Readiness Assessment and Data Hygiene Baseline
1.2 SharePoint Oversharing Detection and Remediation (DSPM for AI) Baseline
1.3 Restricted SharePoint Search Configuration Recommended
1.4 Semantic Index Governance and Scope Control Recommended
1.5 Sensitivity Label Taxonomy Review for Copilot Baseline
1.6 Permission Model Audit Baseline
1.7 SharePoint Advanced Management Readiness for Copilot Recommended
1.8 Information Architecture Review Recommended
1.9 License Planning and Copilot Assignment Strategy Baseline
1.10 Vendor Risk Management for Microsoft AI Services Regulated
1.11 Organizational Change Management and Adoption Planning Baseline
1.12 Training and Awareness Program Baseline
1.13 Extensibility Readiness Recommended
1.14 Item-Level Permission Scanning Recommended
1.15 SharePoint Permissions Drift Detection Recommended
1.16 Copilot Tuning Governance Regulated

Pillar 2: Security & Protection (16 controls)

DLP, sensitivity labels, conditional access, encryption, information barriers, and Defender integration.

ID Control Governance Level
2.1 DLP Policies for M365 Copilot Interactions Baseline
2.2 Sensitivity Labels and Copilot Content Classification Baseline
2.3 Conditional Access Policies for Copilot Workloads Recommended
2.4 Information Barriers for Copilot (Chinese Wall) Regulated
2.5 Data Minimization and Grounding Scope Recommended
2.6 Copilot Web Search and Web Grounding Controls Baseline
2.7 Data Residency and Cross-Border Data Flow Governance Regulated
2.8 Encryption (Data in Transit and at Rest) Baseline
2.9 Defender for Cloud Apps — Copilot Session Controls Recommended
2.10 Insider Risk Detection for Copilot Usage Patterns Recommended
2.11 Copilot Pages Security and Sharing Controls Baseline
2.12 External Sharing and Guest Access Governance Baseline
2.13 Plugin and Graph Connector Security Governance Recommended
2.14 Declarative Agents from SharePoint — Creation and Sharing Governance Recommended
2.15 Network Security and Private Connectivity Regulated
2.16 Federated Copilot Connector and MCP Governance Baseline

Pillar 3: Compliance & Audit (13 Controls)

Audit logging, retention, eDiscovery, communication compliance, and regulatory reporting.

ID Control Governance Level
3.1 Copilot Interaction Audit Logging Baseline
3.2 Data Retention Policies for Copilot Interactions Baseline
3.3 eDiscovery for Copilot-Generated Content Recommended
3.4 Communication Compliance Monitoring Recommended
3.5 FINRA Rule 2210 Compliance for Copilot-Drafted Communications Regulated
3.6 Supervision and Oversight (FINRA Rule 3110 / SEC Reg BI) Regulated
3.7 Regulatory Reporting Recommended
3.8 Model Risk Management Alignment (SR 11-7 / OCC Bulletin 2011-12) Regulated
3.9 AI Disclosure, Transparency, and SEC Marketing Rule Recommended
3.10 SEC Reg S-P — Privacy of Consumer Financial Information Regulated
3.11 Record Keeping and Books-and-Records Compliance Baseline
3.12 Evidence Collection and Audit Attestation Recommended
3.13 FFIEC IT Examination Handbook Alignment Regulated

Pillar 4: Operations & Monitoring (13 Controls)

Feature management, per-app toggles, usage analytics, cost tracking, and incident response.

ID Control Governance Level
4.1 Copilot Admin Settings and Feature Management Baseline
4.2 Copilot in Teams Meetings Governance Recommended
4.3 Copilot in Teams Phone and Queues Governance Recommended
4.4 Copilot in Viva Suite Governance Recommended
4.5 Copilot Usage Analytics and Adoption Reporting Baseline
4.6 Microsoft Viva Insights — Copilot Impact Measurement Recommended
4.7 Copilot Feedback and Telemetry Data Governance Recommended
4.8 Cost Allocation and License Optimization Baseline
4.9 Incident Reporting and Root Cause Analysis Baseline
4.10 Business Continuity and Disaster Recovery for Copilot Dependency Recommended
4.11 Microsoft Sentinel Integration for Copilot Events Regulated
4.12 Change Management for Copilot Feature Rollouts Baseline
4.13 Copilot Extensibility Governance Recommended

Control Statistics

Pillar Controls Baseline Recommended Regulated
1. Readiness & Assessment 16 7 7 2
2. Security & Protection 16 7 6 3
3. Compliance & Audit 13 3 5 5
4. Operations & Monitoring 13 5 7 1
Total 58 22 25 11

How to Use This Catalog

  1. Identify your governance level — See Governance Fundamentals to determine if your organization needs Baseline, Recommended, or Regulated controls
  2. Start with Pillar 1 — Complete readiness assessments before enabling Copilot
  3. Implement by priority — Within each pillar, Baseline controls should be implemented first
  4. Use playbooks — Each control has 4 implementation playbooks (portal walkthrough, PowerShell, verification, troubleshooting)

FSI Copilot Governance Framework v1.4.0 - April 2026