Control 2.13: Plugin and Graph Connector Security — Verification & Testing

Test cases and evidence collection for validating plugin and connector security.

Test Cases

Objective: Verify user consent is disabled and admin consent is required
Steps:
Run Script 3 to verify consent policy settings
As a standard user, access an app requiring consent — verify admin consent is required
Submit an admin consent request and verify it routes correctly
Expected Result: Admin consent required for all app permission grants
Evidence: Consent policy configuration and test results

Objective: Confirm Graph connector ACLs correctly restrict content access
Steps:
For each active connector, verify the ACL mapping configuration
Test with a user who should not have access — verify content is not returned by Copilot
Test with an authorized user — verify content is returned
Expected Result: Connector ACLs enforce access restrictions correctly
Evidence: Access test results for authorized and unauthorized users

Evidence Item	Format	Storage Location	Retention
Plugin permission audit	CSV	Compliance evidence repository	7 years
Connector security audit	CSV	Compliance evidence repository	7 years
Consent policy verification	Screenshot	Compliance evidence repository	7 years
ACL test results	PDF	Compliance evidence repository	7 years

Regulation	Requirement	How This Control Supports It
OCC Heightened Standards	Third-party risk management	Plugin security supports compliance with third-party technology risk requirements
FINRA Rule 3110	Technology oversight	Plugin governance supports compliance with supervisory technology controls
NIST CSF	PR.IP-1 Baseline configuration	Plugin restrictions establish and maintain secure baseline configurations