Body
Issue/Question
What is USD's IT Security Policy on AI and Microsoft Copilot
Environment
- AI
- Artificial intelligence
- Machine Learning
- Microsoft Copilot
- CIS
Cause
Protect USD data while allowing for the improved outcomes AI provides
Resolution
USD Microsoft Copilot IT Security Policy
Policy Statement:
This policy is designed to uphold the integrity, confidentiality, and availability of Copilot-generated data across diverse domains. Microsoft Copilot revolutionizes problem-solving across various sectors, enhancing outcomes in business, education, and research.
While embracing our commitment to innovation and improved outcomes, we will also uphold our commitment to security and regulatory compliance, ensuring adherence to industry standards and legal obligations.
Compliance and Enforcement:
This policy applies to all employees, contractors, and third-party vendors who have access to Microsoft Copilot within our organization. It encompasses the handling, processing, and storage of data used by and generated with Copilot regardless of the platform or environment in which Copilot is deployed. Compliance with this policy is mandatory for all individuals involved in AI activities using Copilot at the University.
Policy Implementation:
- Inventory and Control of Hardware Assets (CIS Control 1):
- Identify and maintain an inventory of hardware assets used for AI development, including servers and workstations hosting Copilot.
- Implement device health attestation to ensure that only trusted devices can access Copilot resources.
- Inventory and Control of Software Assets (CIS Control 2):
- Maintain an inventory of software assets, including Copilot, associated tools, and user accounts ensuring timely updates and patches to mitigate vulnerabilities.
- Utilize Microsoft Defender for Endpoint to continuously monitor and protect Copilot-enabled devices from threats.
- Data Protection (CIS Control 3):
- Data Classification and Labeling:
- Utilize Microsoft Information Protection to classify and label sensitive data used by Copilot, ensuring appropriate access controls and data handling.
- Implement a data classification policy that defines categories of sensitive data and specifies how each category should be handled and protected.
- Apply labels to Copilot-generated content based on their sensitivity level, facilitating better data management and protection.
- Data Loss Prevention (DLP):
- Deploy Microsoft 365 Data Loss Prevention (DLP) policies to prevent the unauthorized disclosure of sensitive data used by Copilot.
- Configure DLP policies to monitor and enforce controls on Copilot-generated content, ensuring that sensitive information such as intellectual property or personally identifiable information (PII) is not inadvertently shared or leaked.
- Configure DNS security based DLP to provide defense in depth.
- Enforce strict access controls to prevent unauthorized access to Copilot-generated content or any training data.
- Utilize Azure Active Directory (Azure AD) to manage user access and permissions, ensuring that only authorized individuals can access sensitive data.
- Implement role-based access controls (RBAC) to grant permissions based on job roles and responsibilities, limiting access to Copilot data to only those who require it for their tasks.
- Ensure compliance with data privacy regulations such as GDPR, CCPA, FERPA, and HIPAA when processing and storing Copilot-generated content and training data.
- Conduct regular audits and assessments to verify compliance with data privacy requirements and address any gaps or deficiencies identified.
- Provide training and awareness programs to employees and contractors on their responsibilities regarding data privacy and the protection of Copilot-generated data.
- Secure Configuration of Enterprise Assets and Software (CIS Control 4):
- Configure Copilot and related software according to security best practices to reduce the attack surface and mitigate potential security risks.
- Utilize Microsoft Secure Score to assess and improve the security posture of Copilot-enabled devices and configurations.
- Follow Microsoft's recommended approach for the secure deployment of Copilot, including access control, encryption, and continuous monitoring.
- Utilize Azure Security Center to assess and monitor the security posture of Copilot-enabled environments, and remediate security vulnerabilities in real-time.
- Account Management (CIS Control 5):
- Enforce strong authentication mechanisms, including multi-factor authentication (MFA), for access to Copilot resources, and enforce least privilege access controls.
- Implement Azure AD Conditional Access policies to control access to Copilot based on user identity, device health, and location.
- Data Recovery (CIS Control 11):
- Implement data backup and recovery mechanisms to ensure the availability and integrity of Copilot-generated content.
- Leverage VEEAM or Azure Backup to implement robust data protection and disaster recovery solutions for Copilot-enabled environments.
- Secure Communication and Network Protection (CIS Control 13):
- Encrypt communication channels used by Copilot to protect sensitive information transmitted over the network, and implement network segmentation and firewall rules.
- Utilize Microsoft Defender for Cloud to monitor and protect network traffic in Copilot-enabled environments, and detect and respond to network-based threats.
- Security Awareness and Training (CIS Control 14):
- Provide comprehensive security awareness and training programs to employees and contractors involved in AI development, emphasizing the security risks associated with Copilot.
- Leverage Microsoft Security Training and Awareness resources to educate users on the latest threats and best practices for secure usage of Copilot.
- Incident Response (CIS Control 17):
- Develop and maintain an incident response plan specific to Copilot-related security incidents, including procedures for detecting, reporting, and responding to incidents.
- Utilize Microsoft Sentinel to orchestrate and automate incident response workflows, enabling rapid detection and remediation of security incidents involving Copilot.
- Penetration Testing and Red Team Exercises (CIS Control 18):
- Conduct regular penetration testing and red team exercises to identify and address vulnerabilities in Copilot and associated systems.
- Utilize Microsoft Threat Intelligence to proactively identify and mitigate potential threats targeting Copilot-enabled environments.
Conclusion:
By mapping key points from Microsoft's Zero Trust approach to Copilot to relevant CIS critical controls, our organization ensures the alignment of security practices with industry standards, mitigating risks and enhancing the overall security posture of our AI implementation.