Go-Live Security Checklist

Use this checklist alongside Scenario: Security Review Before Go-Live. Complete before deploying any Tier 2+ solution to production.

Applies To

Audience: Solution Maker · Fusion Team Lead · Security Architect · CoE Lead
Frameworks: SHIELD · DIALOGE · BOLT


How to Use This Checklist

Complete the tier-appropriate section. Items marked [ALL] apply to all tiers. Items marked [T2+], [T3+], [T4] apply from that tier upward.


Section 1 — Identity & Access

  • [ ] [ALL] Solution sharing is restricted — not shared with "Everyone" or "All users in organisation" unless explicitly approved
  • [ ] [ALL] External sharing is disabled unless the solution is designed for external users and has been approved
  • [ ] [T2+] Connections use service accounts, not the maker's personal credentials
  • [ ] [T2+] Service accounts follow the least-privilege principle — only the permissions the solution actually needs
  • [ ] [T3+] App-level roles are defined — users are assigned roles, not given direct admin access
  • [ ] [T3+] Guest access has been reviewed and restricted if not required
  • [ ] [T4] Authentication is integrated with the organisational identity provider (Microsoft Entra ID, formerly Azure AD) — no local or shared accounts

Section 2 — Data Protection

  • [ ] [ALL] The data classification of all data accessed by the solution has been identified
  • [ ] [ALL] No sensitive data is stored in solution descriptions, titles, or environment variables in plain text
  • [ ] [T2+] Dataverse row-level security (Business Units / Security Roles) is configured for sensitive tables
  • [ ] [T2+] Column-level security is applied to sensitive fields (salary, health data, PII)
  • [ ] [T3+] Data residency requirements have been verified for all connected data sources
  • [ ] [T3+] Secrets and credentials are stored in Azure Key Vault (for example via secret-type environment variables that reference the vault) — not hardcoded in flows, apps, or plain-text environment variables
  • [ ] [T4] Data retention and deletion policies are implemented and tested

Section 3 — Connector & Integration Security

  • [ ] [ALL] All connectors used are on the approved connector list for the target environment
  • [ ] [ALL] No blocked connectors are present in the solution
  • [ ] [T2+] Custom connectors have been reviewed and registered in the connector catalogue
  • [ ] [T2+] API connections use secure authentication (OAuth2, managed identity — not API keys in plain text)
  • [ ] [T3+] HTTP connectors are used only where necessary and have been reviewed
  • [ ] [T3+] Outbound connections to external services have been documented and approved

Section 4 — Application Security

  • [ ] [T2+] Solution checker has been run and all critical and high-severity findings are resolved
  • [ ] [T2+] Error handling is implemented — flows and apps fail gracefully without exposing system details
  • [ ] [T3+] Input validation is in place — user-supplied data is validated (allow-listed where it selects a column or table) and escaped before use in queries, filter expressions, or actions
  • [ ] [T3+] No sensitive data is logged in plain text in flow run history or Application Insights
  • [ ] [T4] Application has been peer-reviewed by a qualified solution engineer
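The input-validation item above is the one most often skipped in low-code solutions, because a Dataverse filter built by string interpolation (the usual shape of a "List rows" filter query in Power Automate, or a custom connector that passes a search term straight into `$filter`) looks harmless. The following is an added example, not code from this checklist or from any Microsoft product: it shows a vulnerable OData filter beside the hardened form, plus an allow-list check for identifiers, which OData gives you no way to escape. The table column names, the `contains(name, ...)` query shape, and the simplified scanner that stands in for the server-side parser are assumptions made for illustration.

```python
"""Added example (not from the checklist): OData $filter injection and its fix.

A search term interpolated into a Dataverse $filter string can close the
string literal and append its own clause. Two rules cover this:
  * string VALUES are encoded as OData literals (quote doubled as ''),
  * IDENTIFIERS (column names in $select/$orderby) are allow-listed,
    because OData defines no escaping for them.
"""

LOGICAL_OPS = {"and", "or", "not"}

# Assumed: the only columns this solution may sort or filter on.
ALLOWED_COLUMNS = {"name", "createdon", "statecode"}


def build_filter_unsafe(search: str) -> str:
    """Vulnerable form: raw user input dropped into a string literal."""
    return f"contains(name, '{search}')"


def odata_string_literal(value: str) -> str:
    """Encode a Python string as an OData string literal.

    OData literals are single-quoted and a literal quote is written as ''.
    That is the only escape OData defines, so this is the whole rule."""
    return "'" + value.replace("'", "''") + "'"


def build_filter_safe(search: str) -> str:
    """Hardened form: the search term always stays inside one literal."""
    return f"contains(name, {odata_string_literal(search)})"


def safe_orderby(column: str, descending: bool = False) -> str:
    """Identifiers cannot be escaped, so validate them against an allow-list."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted in $orderby: {column!r}")
    return f"{column} desc" if descending else column


def tokens_outside_literals(expr: str) -> tuple[list[str], int]:
    """Return (identifier tokens outside string literals, number of literals).

    Walks the expression tracking whether we are inside a '...' literal and
    treating '' as an escaped quote. It approximates what the server's
    parser sees; it is not a full OData parser."""
    words: list[str] = []
    literals, i, n, current = 0, 0, len(expr), ""
    while i < n:
        ch = expr[i]
        if ch == "'":
            if current:
                words.append(current)
                current = ""
            literals += 1
            i += 1
            while i < n:  # consume the literal body
                if expr[i] == "'":
                    if i + 1 < n and expr[i + 1] == "'":
                        i += 2  # escaped quote: still inside the literal
                        continue
                    break  # closing quote
                i += 1
            i += 1  # step past the closing quote
            continue
        if ch.isalnum() or ch == "_":
            current += ch
        elif current:
            words.append(current)
            current = ""
        i += 1
    if current:
        words.append(current)
    return words, literals


def injected_operators(expr: str) -> list[str]:
    """Logical operators that ended up outside any string literal."""
    words, _ = tokens_outside_literals(expr)
    return [w for w in words if w.lower() in LOGICAL_OPS]


if __name__ == "__main__":
    # Constructed attacker input: closes the literal and appends a clause
    # that matches every row, then re-opens a literal so the query parses.
    payload = "x') or (name ne 'y"
    for build in (build_filter_unsafe, build_filter_safe):
        expr = build(payload)
        print(f"{build.__name__:20} {expr!r:45} injected={injected_operators(expr)}")
```

Run stand-alone, the unsafe filter becomes `contains(name, 'x') or (name ne 'y')` with an `or` outside any literal (the whole table is returned), while the safe filter keeps the payload inside a single literal. The allow-list check is the matching rule for the other half of the item: a column name supplied by the user is compared against the known set rather than escaped, because a value such as `createdon desc, name` would otherwise change the query shape.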

Section 5 — Deployment & ALM

  • [ ] [ALL] Solution is deployed as a managed solution to production (not unmanaged)
  • [ ] [T2+] Solution has been deployed through the approved pipeline — not manually exported and imported
  • [ ] [T2+] Connection references are used (not hardcoded connection IDs)
  • [ ] [T2+] Environment variables are used for environment-specific configuration
  • [ ] [T3+] Solution is in source control with a documented version history
  • [ ] [T3+] A rollback procedure has been documented and tested
  • [ ] [T4] Deployment has been approved by the Change Advisory Board or equivalent

Section 6 — Monitoring & Observability

  • [ ] [T2+] Flow run history retention is configured
  • [ ] [T2+] A named owner is assigned to the solution in the CoE inventory
  • [ ] [T3+] Application Insights is configured for canvas apps or portals
  • [ ] [T3+] Alerts are configured for critical flow failures
  • [ ] [T4] Operational runbook exists — documented procedures for common issues

Section 7 — Compliance

  • [ ] [T3+] Applicable regulatory requirements have been identified (GDPR, ISO 27001, SOC2, sector-specific)
  • [ ] [T3+] Data subject access request (DSAR) process is documented if personal data is processed
  • [ ] [T4] Data Protection Impact Assessment (DPIA) has been completed if required
  • [ ] [T4] Legal and compliance sign-off obtained

Sign-Off

Role                                        | Name | Date | Signature
Solution Owner (Maker / Fusion Team Lead)   |      |      |
CoE Lead (Tier 2+)                          |      |      |
Security Architect (Tier 3+)                |      |      |
CISO / Data Protection Officer (Tier 4)     |      |      |

Next Steps