AI Cybersecurity Policy & Reference Guidance (a recap)

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.


Hi Securing Things Community of CISOs / CIOs / CxOs / Security heads - have you been following the latest developments in AI, the typical business use cases that promise enhanced productivity, the proliferation of its usage across your enterprise - the “Shadow AI” - and the uncontrolled risks to your business / its information?

The complicated task of security & risk governance around AI (Gen-AI/LLMs etc.) typically falls to the CISO / CIO business unit, and indeed it’s very difficult to cover all aspects of AI in a single policy. Broadly speaking, such AI-specific cybersecurity policies will need to be aligned with existing IT security, acceptable use, software development and acquisitions, access control, data security / classification, retention, audit, compliance, contracts, human resources and different aspects of the business operations.

In this newsletter edition, I’ll be covering some essential elements of drafting AI cybersecurity policies, the approach to executing such a policy build project, and a few useful AI resource references. So let’s get started.


Artificial Intelligence (AI) Cybersecurity

1. AI Policy:

AI-related corporate / enterprise cybersecurity policies must be established by those businesses that are using AI as part of doing business. It’s no longer optional. There are many businesses that don’t have any policy in place. Businesses that do have policies in place either add a policy statement on AI as a line item only (which doesn’t clarify what needs to be done by whom, when and how) or develop a separate AI security policy document. There’s also a less common approach in which all related policy documents include AI-specific policies within them.

A good AI cyber policy builds a foundation for AI cybersecurity best practices in terms of managing and controlling acceptable use of AI-related technology, and addresses a few key risk considerations related to:

  • AI output trustworthiness and validation for accuracy.

  • ensuring data classification policies are followed and no PII or other data subject to legal/regulatory protection is used for training large language models (LLMs) and/or other public AI tools.

  • restricting the sharing of sensitive / confidential enterprise information with public AI platforms or 3rd party tools/solutions that would fall outside of the control of the enterprise environment.

Now, let’s dig into the elements of drafting/establishing a policy and the high-level approach to the AI policy creation project.

Policy (template guide)

The policy should include (but is not limited to) the following elements:

  • Document Control - author / owner, publish, approval, enforcement and review dates.

  • Purpose - Document focus e.g. responsible use of AI resources.

  • Definitions - key terms used, including lingo used in AI (e.g., Generative AI, LLMs, bias/fairness, transparency, and accountability).

  • Scope - Applicability of the policy document.

  • AI Governance policies - defining clear roles & responsibilities.

  • AI assets security controls policies - around AIBOMs (AI bill of materials) / inventory, vulnerability, change and configuration management, etc.

  • AI Access control policies - rules to identify who is authorised to use which models, how often, and for what purposes.

  • AI Acceptable Use policies - for acceptable use of AI tools based on business use cases, handling data, sensitive information, and consent.

  • AI Acquisitions & Development (SaaS/Software) policies - security best practices for acquiring AI-based SaaS platforms, AI model integrations, developing and selecting AI technology tools and vendors.

  • AI Cybersecurity Training and Awareness policies - requirements related to staff training on ethics, technical capabilities, and usage risks.

  • AI Reporting policies - policy statements listing out guidance for employees to report incidents, unethical uses of AI or policy violations.

  • AI Policy Review/update - document review and update frequency.

  • AI Monitoring and Compliance policies - logging & monitoring activities and status on compliance with relevant regulations and laws.

  • AI Policy exceptions policies - rules around exceptions, recording of risks, defining compensating controls (if any) and approvals.

  • Document references - references to other support policy documents.

AI Policy Build - Project Execution

Approach to building an AI specific cybersecurity policy:

  • Define project scope, assumptions, and outline any exclusions.

  • Arrange workshops to understand current practices (if you are doing this in-house, still ensure you arrange some workshops with the business to understand the use cases).

  • Build AI business inventory - list of approved business use cases, tool stacks used across all business units (include all 3rd party SaaS, products, local or open models and their integrations).

  • Identify data and its classifications according to its usage and tool stack.

  • Identify risk ownership.

  • Review existing IT, information security and other relevant policies.

  • Review SaaS and other vendor contracts, policies etc.

  • Identify applicable regulatory requirements (local / global) and its implications.

  • Identify potential security controls (administrative and technical).

  • Refer to international AI standards and guidelines (ISO, NIST, OWASP etc.).

  • Draft AI cybersecurity policies accordingly.

  • Provide policy awareness to all stakeholders involved - communicate and get acceptance.

  • Get approval and sign-off, then publish and enforce the policy across the business.

  • Track policy exceptions and/or exclusions and the relevant risk implications to the business.

  • Define policy review and update frequency - make it a living document.

Hope this helps you build your AI cybersecurity specific policies for your business.


Anything critical I missed? Anything you’d like to add, or anything you’ve included in your policy that has helped businesses? Please add below.

A few AI cybersecurity predictions below:

  1. The 2024 Cisco Cybersecurity Readiness Index by Cisco suggests that the five pillars of cybersecurity readiness most relevant to securing today’s organizations include Artificial Intelligence (AI) Fortification.

  2. Gartner Identifies the Top Cybersecurity Trends for 2024, to be led by Generative AI, and Gartner Unveils Top Eight Cybersecurity Predictions for 2024, with some bold predictions, e.g., by 2028, the adoption of Gen-AI will collapse the skills gap, removing the need for specialized education from 50% of entry-level cybersecurity positions.

Standards, Guidance & Regulations

Below is a sample list (in no particular order / classification) of some key and important resources related to AI cybersecurity:

  • Databricks recently released the “Databricks AI Security Framework (DASF)”, covering 55 security risks across the three stages of any AI system, mapping these risks to common AI security frameworks and giving actionable recommendations on 53 controls that apply to any data and AI platform.

  • A Primer on LLM Security – Hacking Large Language Models for Beginners - by Ingo Kleiber, who did a great job describing LLMs and red teaming and some basic attacks.

  • AI Fairness in Practice by the Alan Turing Institute, part of the AI Ethics and Governance in Practice Programme curriculum, which is composed of a series of eight workbooks, the first four published in 2023 and the second four to be published in 2024. At the heart of this is the Process-Based Governance (PBG) Framework.

  • AI Safety vs. AI Security - Navigating the Commonality and Differences by Ken Huang.

  • OWASP AI Exchange Navigator - GitHub resource that allows users to quickly overview various threats (e.g. runtime application security) and controls (general, development time threats etc.) and how they relate.

What were your best reads? Type in the comments below. What other important guidance and regulations have you seen in 2024 that are not listed? Comment below. Other thoughts?

Whenever you are ready - I can help you / your organizations’ or your customers’ secure digital transformation journey through:

B - IT & OT Cybersecurity Trainings & Education

Reach out at info[at]securingthings[dot].com or DM via LinkedIn.


My Ask

I invite the #Securing Things community to share their insights and feedback. Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Take care and Best Regards,

M. Yousuf Faisal (Founder Securing Things).

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Follow: #securingthings on LinkedIn and or @securingthings on X/Twitter.
