Table of Contents

• Artificial Intelligence (AI) Cybersecurity

  • 1. AI Policy:

    • Policy (template guide)

    • AI Policy Build - Project Execution

  • 2. AI Cybersecurity Trends, Guidance & Regulations …

    • Trends & Predictions

    • Guidance & Regulations

• My Ask

Hi Securing Things Community of CISOs / CIOs / CxOs / Security heads - have you been following latest developments in AI, typical business use cases that promises enhanced productivity, the proliferation of its usage across your enterprise - the “Shadow AI” - and the uncontrolled risks to your business / its information?

The complicated tasks of security & risk governance around AI (Gen-AI/LLMs etc.) falls typically over the CISOs / CIO business unit, and indeed its very difficult to cover all aspects of AI in a single policy. Broadly speaking such AI specific cybersecurity policies will need to be aligned with existing IT security, acceptable use, software development and acquisitions, access control, data security / classification, retention, audit, compliance, contracts, human resources and different aspects of the business operations.

In this newsletter edition, I’ll be covering some essential elements of drafting the AI cybersecurity policies, the approach to such policy build project execution and few useful AI resource references. So lets get started.

Artificial Intelligence (AI) Cybersecurity

1. AI Policy:

AI related corporate / enterprise cybersecurity policies must be established by those business that are using AI as part of doing business. It’s no longer optional. There are many businesses that don’t have any policy in place. For businesses that have policies in place are either choosing to add a policy statement on AI as line item only (where it doesn’t clarify what needs to be done by who, when and how) and or others that develop a separate AI security policy document. There’s also a less common approach for all related policy documents to include AI specific policies within them.

A good AI cyber policy builds a foundation for AI cybersecurity best practices in terms of managing and controlling acceptable use of AI related technology and address few key risks considerations related to:

• AI output trustworthiness and validation for accuracy.

• ensuring data classification policies are followed and no PII or other data subject to legal/regulatory protection are not used for training (large language models) LLMs and or other public AI tools.

• restricting sensitive / confidential enterprise information with public AI platforms or 3rd party tools/solutions that would fall outside of the control of the enterprise environment.

Now, lets dig in on the elements of drafting/establishing a policy and high-level approach towards the AI policy creation project.

Policy (template guide)

Policy should include the following elements (but not limited) to:

• Document Control - author / owner, publish, approval, enforcement and review dates.

• Purpose - Document focus e.g. responsible use of AI resources.

• Definitions - key terms used including lingo used in AI (e.g., Generative AI, LLMs, biasness/fairness, transparency, and accountability).‍

• Scope - Applicability of the policy document.

• A‍I Governance policies - defining clear roles & responsibility.

• AI assets security controls policies - around AIBOMs (AI bill of materials) / inventory, vulnerability, change and configuration management, etc.)

• AI Access control policies - rules to identify who is authorised to use which models, how often, and for what purposes.

• AI Acceptable Use policies - for acceptable use of AI tools based on business use cases, handling data, sensitive information, and consent.‍

• AI Acquisitions & Development (SaaS/Software) policies - security best practices for acquiring AI based SaaS platforms, AI model integrations, developing and selecting AI technology tools and vendors.‍

• AI Cybersecurity Training and Awareness policies - requirements related to staff training on ethics, technical capabilities, and usage risks.

• A‍I Reporting policies - policy statements listing out guidance for employees to report incidents, unethical uses of AI or policy violations.

• AI Policy Review/update - document review and update frequency.

• AI Monitoring and Compliance policies - logging & monitoring activities and status on compliance with relevant regulations and laws.

• AI Policy exceptions policies - rules around exceptions, recording of risks, defining compensating controls (if any) and approvals.

• Document references - references to other support policy documents.

AI Policy Build - Project Execution

Approach to building an AI specific cybersecurity policy:

• Define project scope, assumptions, and outline any exclusions.

• Arrange workshops to understand current practices - (if you are doing this in-house, still ensure you are arranging some workshops with business to understand the use cases).

• Build AI business inventory - list of approved business use cases, tool stacks used across all business units (include all 3rd party SaaS, products, local or open models and their integrations).

• Identify data and its classifications according to its usage and tool stack.

• Identify risk ownership.

• Review existing IT, information security and other relevant policies.

• Review SaaS, vendor and other vendor contracts, policies etc.

• Identify applicable regulatory requirements (local / global) and its implications.

• Identify potential security controls (administrative and technical)

• refer international AI standards and guidelines (ISO, NIST, OWASP etc.)

• draft AI cybersecurity policies accordingly.

• provide policy awareness to all stakeholders involved - communicate and get acceptance.

• Get approve, sign-off, publish and enforce policy across the business.

• track policy exceptions and or exclusions and relevant risk implications to the business.

• Define policy review and update frequency - make it a living document.

Hope this helps you build your AI cybersecurity specific policies for your business.

Anything critical I missed? - Anything additional you’d like to add and or you’ve included in your policy that have helped businesses - please add below?

2. AI Cybersecurity Trends, Guidance & Regulations (A recap)

Trends & Predictions

Few AI Cybersecurity predictions below:

1. 2024 Cisco Cybersecurity Readiness Index, by Cisco suggests that five pillars of cybersecurity readiness that are most relevant to securing today’s organizations includes Artificial Intelligence (AI) Fortification.

2. Gartner Identifies the Top Cybersecurity Trends for 2024 to be lead by Generative AI, and Gartner Unveils Top Eight Cybersecurity Predictions for 2024, with some bold predictions e.g., by 2028, the adoption of Gen-AI will collapse the skills gap, removing the need for specialized education from 50% of entry-level cybersecurity positions.

Standards, Guidance & Regulations

Below is a sample list (in no particular order / classification) of some key and important resources related to AI cybersecurity:

• Global AI Legislation Tracker by IAPP Research and Insights - great reference resource to bookmark.

• Guidelines for secure AI system development became Global AI security guidelines endorsed by 18 countries listed (/22 countries).

• 2023 ended with the release of ISO 42001 (ISO standard for AI) - an international management system standard that provides guidelines for managing AI systems within organizations.

• Department of Homeland Security Report on Reducing the Risks at the Intersection of Artificial Intelligence and Chemical, Biological, Radiological, and Nuclear Threats.

• Mitigation Artificial Intelligence (AI) Risk: Safety and Security Guidelines for Critical Infrastructure Owners and Operators by Department of Homeland Security.

• Databricks recently released a “Databricks AI Security Framework (DASF)”, covering 55 security risks across the three stages of any AI system, map these risks to common AI security frameworks and get actionable recommendations on 53 controls that apply to any data and AI platform.

• A Primer on LLM Security – Hacking Large Language Models for Beginners - by Ingo Kleiber, who did a great job describing LLMs and red teaming and some basic attacks.

• AI fairness in Practice by Alan Turing Institute, part of the AI Ethics and Governance in Practice Programme curriculum, which is composed of a series of eight workbooks, the first four published in 2023 and the second four to be published in 2024. At the heart of this is the Process-Based-Governance (PBG) Framework.

• AI Safety vs. AI Security - Navigating the Commonality and Differences by Ken Huang.

• OWASP AI Exchange Navigator - GitHub resource that allows users to quickly overview various threats (e.g. runtime application security) and controls (general, development time threats etc.) and how they relate.

  What was your best reads? type in comments below. What other important guidance and regulations you’ve seen in 2024 that’s not listed? comment below. Other thoughts?

Whenever you are ready - I can help you / your organizations’ or your customers’ secure digital transformation journey through:

A - IT & OT Cybersecurity Advisory / Consulting services 

• vCISO / fractional CISO services, CISO security advisor, GRC, Assessments / Reviews / Gap Analysis, Advisory, Strategy, Security / AI Policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, configuration hardening for IT & OT cybersecurity engagements. (few examples - IT & OT Cybersecurity - Strategy, Program, Execution and Management, for SME manufacturers - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit, 3 step process for evaluating & implementing OT IDS / Anomaly detection / network security monitoring solutions → here; OT Cybersecurity Management System → OT CSMS and Cybersecurity SMB toolkits includes ISO 27001, etc.)

B - IT & OT Cybersecurity Trainings & Education

• General Security Awareness Training & Phishing Awareness Portal for SMBs. Start your cybersecurity journey with a free cyber heath check / questionnaire based review & build a cybersecurity strategy and security awareness program.

• Securing Things Academy (STA) - Training, Coaching and digital downloads for IT & OT Practitioners - pre-launch coming soon.

• Securing Things Newsletter - providing insights and educational content on IT / OT / IOT / IIOT cyber-physical and AI security.

Reach out at info[at]securingthings[dot].com or DM via LinkedIn.

Interested in knowing what’s happening in the world of AI, checkout AI Tool report - sponsoring this newsletter.

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

Sign up with 1-Click

My Ask

I invite #Securing Things community to share their insights, feedback. Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Take care and Best Regards,

M. Yousuf Faisal (Founder Securing Things).

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Follow: #securingthings on LinkedIn and or @securingthings on X/Twitter.

#securingthings #AI #AIpolicy #Aisecurity #aisecurityawareness #infosecpolicy #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity  #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii  #securityawareness  #otsecurityawareness #icssecurityawareness #otstrategy  #icscybersecurityprogram #otcybersecurityprogram #manufacturing  #industrialcontrolsystems #industrialautomation #strategypresentation #security