Kim Brian – Power Platform Solution Architect

What Is a System Security Plan – and Why It Matters in Your Dataverse Project

Kim Brian
What Is a System Security Plan – and Why It Matters in Your Dataverse Project

If you’ve ever felt overwhelmed by compliance jargon like ISO 27001, SOC 2, or NIST 800-53, you’re not alone. But if you’re delivering solutions on Microsoft’s Power Platform, especially for government, health, education, or finance clients, you’ve likely already been part of a System Security Plan (even if you didn’t realise it at the time).

So let’s demystify it.

🔐 What’s a System Security Plan (SSP)?

A System Security Plan (SSP) is a structured document that outlines how a system meets security and compliance requirements. It details what data is stored, who can access it, how it’s protected, and how the organisation ensures ongoing security.

Think of it as the security blueprint clients need to get — or stay — compliant with frameworks like:

  • ISO 27001 – Information Security Management
  • ISO 27017 / 27018 – Cloud & Privacy
  • SOC 2 – Security and availability for service orgs
  • NIST 800-53 / FedRAMP – Especially for U.S. government

Industries like healthcare, education, government, financial services, and critical infrastructure often require an SSP for internal governance or third-party audits.

📦 Where Dataverse Comes Into It

If your solution uses Microsoft Dataverse — the backbone of Power Platform — it’s part of the system that needs to be documented in the SSP.

That includes:

  • What types of data are stored (e.g., PII, student records, health data)
  • Who can access what (via Dataverse Security Roles and field-level permissions)
  • How access is logged and audited (Dataverse audit logs, retention)
  • Whether data is exported or queried externally (e.g., via Power BI, TDS endpoint, APIs)
  • How information flows in and out (Power Automate, custom connectors, integrations)

🛡️ Key Elements to Get Right in Your Dataverse Implementation

Here’s what I always double-check when involved in projects that touch security compliance:

1. Security Roles Are Your Foundation

Use the principle of least privilege — start with no access and layer up only what’s required. Include:

  • Table permissions
  • Field-level security (especially for sensitive fields like Tax File Numbers or DOB)
  • Business unit hierarchy awareness

2. Audit Logging Isn’t Optional

Enable auditing for key tables and fields. Set log retention appropriately (especially if working in public sector or regulated industries).

3. Power Automate Security Settings

Use:

  • Secure Inputs/Outputs on sensitive steps
  • Connection references that are environment-scoped
  • Service accounts where needed (not user-based automation)

4. Data Loss Prevention (DLP) Policies

Your DLP strategy should match the client’s data classification policies. For example:

  • Block business data from flowing into personal services (e.g., Gmail, Twitter)
  • Separate tenant-wide and environment-specific policies

5. TDS Endpoint Caution

Dataverse allows read-only SQL access via the TDS endpoint, but:

  • It’s off by default
  • Only enable for non-interactive, locked-down accounts
  • Restrict which tables are exposed and use IP filtering when possible

6. Network Isolation & IP Safelisting

For clients with strict perimeter requirements:

  • Use Power Platform VNet integration (for environments)
  • Enforce IP restrictions on connectors, portals, and Power BI
  • Understand shared vs. dedicated infrastructure in Microsoft cloud

🏁 How to Get Started – Even If You’re Not a Security Expert

You don’t need to become a certified ISO lead auditor to add value in this space. Instead, start with these actions:

  • Read the Microsoft Trust Center
    https://www.microsoft.com/trust-center
  • Use Compliance Manager in Microsoft 365 to see what frameworks your tenant aligns to
  • Ask early in the project: “Do you have any specific compliance requirements we should be aware of — ISO, IRAP, SOC, or internal SSPs?”
  • Involve your security or network team early, especially if the solution includes portals, custom connectors, or external data integrations
  • Document decisions as you go – even if you’re not writing the final SSP, your technical choices will feed into it

🧠 Final Thoughts

System Security Plans might feel like paperwork, but they’re a critical part of building trustworthy, scalable, and audit-ready solutions. Power Platform and Dataverse give us low-code flexibility — but we still need to treat data security with enterprise discipline.

You don’t need to know every ISO clause — just enough to partner with those who do, and build solutions they can confidently sign off.

Kim Brian, Modern Applications and Power Platform Solutions Architect and Australian East Coast Regional Practice Lead at Velrada. Technical Consultant helping organizations unlock the full potential of their Microsoft efficiency tools. Feel free to share your thoughts or connect with me to discuss women in tech, leadership strategies, AI or Microsoft efficiencies.
,
, , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *