Control 1.1: Copilot Readiness Assessment and Data Hygiene — Verification & Testing
Test cases and evidence collection procedures for validating Copilot readiness and data hygiene controls.
Test Cases
Test 1: Optimization Assessment Completeness
- Objective: Verify that the Copilot Optimization Assessment has run and all infrastructure findings have been reviewed
- Steps:
  - Sign in to Microsoft 365 Admin Center as Global Administrator
  - Navigate to Admin Center > Health > Copilot readiness
  - Confirm the Optimization Assessment has completed and shows current results
  - Verify network readiness, Office update channel compliance, and app compatibility sections are all reviewed
  - Confirm that any "blocking" findings have been addressed or have documented remediation plans
- Expected Result: Optimization Assessment shows no blocking infrastructure issues, or all blocking issues have documented remediation timelines
- Evidence: Screenshot of Optimization Assessment results with timestamp; remediation plan document if findings exist
Test 1b: Readiness Dashboard Accessibility
- Objective: Verify that the Copilot readiness dashboard is accessible and returning data
- Steps:
  - Sign in to Microsoft 365 Admin Center as Global Administrator
  - Navigate to Health > Copilot readiness
  - Confirm the dashboard loads and displays assessment categories
  - Verify data freshness (last updated within 48 hours)
- Expected Result: Dashboard displays current readiness scores across all assessment categories
- Evidence: Screenshot of readiness dashboard with timestamp
Test 2: Oversharing Assessment Completeness
- Objective: Verify the oversharing assessment has scanned all relevant SharePoint sites
- Steps:
  - Run PowerShell Script 2 (Data Hygiene Scan) to get total site count
  - Compare against the DSPM oversharing report site count in Purview
  - Verify coverage exceeds 95% of active sites
  - Confirm high-sensitivity sites are all included in the scan
- Expected Result: DSPM report covers at least 95% of active SharePoint sites
- Evidence: Export of scan coverage comparison showing site counts
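
The coverage comparison in Test 2, as an added example (not part of the original playbook and not its PowerShell Script 2). It assumes both site lists are available as CSV exports with a `Url` column and that the inventory export has a `Sensitivity` column; those column names, the function names and the sample rows are constructed for illustration. Sites are matched by normalized URL rather than by raw totals, so any site missing from the DSPM report is named.

```powershell
# Added example: Test 2 coverage check. Url/Sensitivity columns are assumed names.
function Get-NormalizedUrl {
    param([string]$Url)
    # Exports differ in case and trailing slashes; normalize before matching.
    $Url.Trim().TrimEnd('/').ToLowerInvariant()
}

function Test-ScanCoverage {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,  # active sites: Url, Sensitivity
        [object[]]$DspmReport = @(),                  # scanned sites: Url
        [double]$Threshold = 95.0
    )
    $scanned = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($row in $DspmReport) { [void]$scanned.Add((Get-NormalizedUrl $row.Url)) }
    $active  = @($Inventory | ForEach-Object { Get-NormalizedUrl $_.Url } | Sort-Object -Unique)
    $missing = @($active | Where-Object { -not $scanned.Contains($_) })
    # High-sensitivity sites must all be scanned, whatever the overall percentage.
    $missingHigh = @($Inventory | Where-Object { $_.Sensitivity -eq 'High' } |
        ForEach-Object { Get-NormalizedUrl $_.Url } |
        Where-Object { -not $scanned.Contains($_) } | Sort-Object -Unique)
    $covered = $active.Count - $missing.Count
    $percent = if ($active.Count) { 100 * $covered / $active.Count } else { 0 }
    [pscustomobject]@{
        ActiveSites            = $active.Count
        ScannedActiveSites     = $covered
        CoveragePercent        = [math]::Round($percent, 1)
        MissingSites           = $missing
        MissingHighSensitivity = $missingHigh
        Pass                   = ($percent -ge $Threshold) -and ($missingHigh.Count -eq 0)
    }
}

# Constructed sample exports (not real tenant data).
$inventory = @'
Url,Sensitivity
https://contoso.sharepoint.com/sites/Finance,High
https://contoso.sharepoint.com/sites/HR/,High
https://contoso.sharepoint.com/sites/Marketing,General
https://contoso.sharepoint.com/sites/Archive,General
'@ | ConvertFrom-Csv
$dspm = @'
Url
https://contoso.sharepoint.com/sites/finance
https://contoso.sharepoint.com/sites/HR
https://contoso.sharepoint.com/sites/Marketing/
'@ | ConvertFrom-Csv

Test-ScanCoverage -Inventory $inventory -DspmReport $dspm | ConvertTo-Json
```

With real data, replace the two here-strings with `Import-Csv` over the inventory and DSPM exports; the JSON output can be stored as the scan coverage comparison evidence.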
Test 3: Sensitivity Label Coverage Threshold
- Objective: Verify sensitivity label adoption meets the 85% target for FSI environments
- Steps:
  - Open Microsoft Purview > Information Protection > Label Analytics
  - Review the overall labeling rate for documents in SharePoint and OneDrive
  - Check department-level breakdown for any groups below threshold
  - Verify auto-labeling policies are active for common FSI content types
- Expected Result: Organization-wide label coverage is at or above 85%
- Evidence: Label analytics report export showing coverage percentages
Test 4: Permission Anomaly Remediation
- Objective: Confirm that identified permission anomalies have been remediated
- Steps:
  - Reference the initial readiness assessment report findings
  - Re-run PowerShell Script 1 against previously flagged sites
  - Verify that "Anyone" links have been removed from sensitive sites
  - Confirm sharing capabilities are set to appropriate levels
- Expected Result: Zero critical permission anomalies on sites containing regulated data
- Evidence: Before and after comparison of permission scan results
Test 5: Governance Committee Sign-off
- Objective: Verify that the readiness assessment has been formally reviewed and approved
- Steps:
  - Locate the readiness assessment report in the governance document repository
  - Verify it includes all required sections (oversharing, labels, permissions, recommendations)
  - Confirm governance committee has reviewed and signed off
  - Verify remediation plan is documented for any outstanding items
- Expected Result: Signed readiness assessment report with documented approval
- Evidence: Signed report copy with committee meeting minutes
Evidence Collection
| Evidence Item | Format | Storage Location | Retention |
|---|---|---|---|
| Readiness dashboard screenshot | PNG/PDF | Compliance evidence repository | 7 years |
| Oversharing assessment export | CSV/JSON | Compliance evidence repository | 7 years |
| Label coverage analytics | PDF | Compliance evidence repository | 7 years |
| Permission scan results | CSV | Compliance evidence repository | 7 years |
| Governance committee sign-off | PDF | Governance document repository | 7 years |
Compliance Mapping
| Regulation | Requirement | How This Control Supports It |
|---|---|---|
| FINRA Rule 3110 | Supervisory system review | Readiness assessment documents supervisory review of AI data access |
| SEC Rule 17a-4 | Records preservation | Assessment reports serve as deployment decision records |
| OCC Heightened Standards | Risk management governance | Formal governance review supports compliance with risk management requirements |
| NIST AI RMF | MAP 1.1 — Context established | Readiness assessment maps the AI deployment context |
Next Steps
- See Troubleshooting for resolving failed test cases
- Proceed to Control 1.2 verification after all readiness tests pass