AI Organizational Responsibilities:
Core Security Responsibilities
The permanent and official location for the AI Organizational Responsibilities Working Group is
/research/working-groups/ai-organizational-responsibilities
© 2024 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at
subject to the following: (a) the draft may be used solely for your personal, informational, noncommercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance.
© Copyright 2024, Cloud Security Alliance. All rights reserved.
Acknowledgments
Lead Authors
Jerry Huang, Ken Huang
Contributors/Co-Chairs
Ken Huang
Nick Hamilton, Chris Kirschke, Sean Wright
Reviewers
Candy Alexander, Ilango Allikuzhi, Eray Altili
Aakash Alurkar, Romeo Ayalin, Renu Bedi
Saurav Bhattacharya
Sergei Chaschin, Hong Chen
John Chiu
Satchit Dokras
Rajiv Gunja
Hongtao Hao, PhD; Grace Huang
Onyeka Illoh
Krystal Jackson
Arvin Jakkamreddy Reddy, Simon Johnson
Gian Kapoor
Ben Kereopa-Yorke
Chris Kirschke
Madura Malwatte
Madhavi Najana
Rajith Narasimhaiah
Gabriel Nwajiaku
Govindaraj Palanisamy, Meghana Parwate
Paresh Patel
Rangel Rodrigues
Michael Roza
Lars Ruddigkeit
Davide Scatto
Maria Schwenger Mj
Bhuvaneswari Selvadurai
Himanshu Sharma, Akshay Shetty
Nishanth Singarapu, Abhinav Singh
Dr. Chantal Spleiss, Patricia Thaine
Eric Tierling
Ashish Vashishtha, Peter Ventura
Jiewen Wang, Wickey Wang
Udith Wickramasuriya, Sounil Yu
CSA Global Staff
Marina Bregkou, Sean Heide
Alex Kaluza
Claire Lehnert, Stephen Lumpe
Table of Contents
Acknowledgments 3
Table of Contents 4
Executive Summary 6
Introduction 7
AI Shared Responsibility Model 7
Key Layers in an AI-Enabled Application 7
Foundational Components of a Data-Centric AI System 9
Assumptions 13
Intended Audience 13
Responsibility Role Definitions 14
Management and Strategy 14
Governance and Compliance 15
Technical and Security 16
Operations and Development 16
Normative References 18
1. Incorporating Data Security & Privacy in AI Training 19
1.1 Data Authenticity and Consent Management 19
1.2 Anonymization and Pseudonymization 20
1.3 Data Minimization 21
1.4 Access Control to Data 22
1.5 Secure Storage & Transmission 23
2. Model Security 24
2.1. Access Controls to Models 24
2.1.1 Authentication and Authorization Frameworks 24
2.1.2. Model Interfaces Rate Limiting 25
2.1.3. Access Control in Model Lifecycle Management 25
2.2. Secure Model Runtime Environment 26
2.2.1. Hardware-Based Security Features 26
2.2.2. Network Security Controls 27
2.2.3. OS-Level Hardening and Secure Configurations 28
2.2.4. K8s and Container Security 29
2.2.5. Cloud Environment Security 29
2.3 Vulnerability and Patch Management 30
2.3.1 ML Code Integrity Protections 30
2.3.2 Version Control Systems for ML Training and Deployment Code 31
2.3.3 Code Signing to Validate Approved Versions 32
2.3.4 Infrastructure as Code Approaches 32
2.4 MLOps Pipeline Security 33
2.4.1. Source Code Scans for Vulnerabilities 33
2.4.2. Testing Model Robustness Against Attacks 34
2.4.3. Validating Pipeline Integrity at Each Stage 35
2.4.4. Monitoring Automation Scripts 36
2.5 AI Model Governance 37
2.5.1. Model Risk Assessments 37
2.5.2. Business Approval Procedures 37
2.5.3. Model Monitoring Requirements 38
2.5.4. New Model Verification Processes 39
2.6 Secure Model Deployment 39
2.6.1. Canary Releases 40
2.6.2. Blue-Green Deployments 40
2.6.4. Rollback Capabilities 41
2.6.5. Decommissioning Models 41
3. Vulnerability Management 42
3.1. AI/ML Asset Inventory 42
3.2. Continuous Vulnerability Scanning 43
3.3. Risk-Based Prioritization 44
3.4. Remediation Tracking 45
3.5. Exception Handling 45
3.6. Reporting Metrics 46
Conclusion 48
Acronyms 49
Executive Summary
This whitepaper is a working draft that focuses on the information security and cybersecurity aspects of organizational responsibilities in the development and deployment of Artificial Intelligence (AI) and Machine Learning (ML) systems. The paper synthesizes expert-recommended best practices within core security areas, including data protection mechanisms, model vulnerability management, Machine Learning Operations (MLOps) pipeline hardening, and governance policies for training and deploying AI responsibly.
Key points discussed in the whitepaper include:
● Data Security and Privacy Protection: The importance of data authenticity, anonymization, pseudonymization, data minimization, access control, and secure storage and transmission in AI training.
● Model Security: Covers various aspects of model security, including access controls, secure runtime environments, vulnerability and patch management, MLOps pipeline security, AI model governance, and secure model deployment.
● Vulnerability Management: Discusses the significance of AI/ML asset inventory, continuous vulnerability scanning, risk-based prioritization, remediation tracking, exception handling, and reporting metrics in managing vulnerabilities effectively.
The whitepaper analyzes each responsibility using quantifiable evaluation criteria, the Responsible, Accountable, Consulted, Informed (RACI) model for role definitions, high-level implementation strategies, continuous monitoring and reporting mechanisms, access control mapping, and adherence to foundational guardrails. These are based on industry best practices and standards such as NIST AI RMF, NIST SSDF, NIST 800-53, CSA CCM, and others.
By outlining recommendations across these key areas of security and compliance, this paper aims to guide enterprises in fulfilling their obligations for responsible and secure AI design, development, and deployment.
Introduction
This whitepaper focuses on what we define as an enterprise's "core security responsibilities" around Artificial Intelligence (AI) and Machine Learning (ML): data security, model security, and vulnerability management. As organizations have duties to uphold secure and safe AI practices, this whitepaper and two others in this series provide a blueprint for enterprises to fulfill such organizational responsibilities.
Specifically, this whitepaper synthesizes expert-recommended best practices within core security areas: data protection mechanisms, model vulnerability management, MLOps pipeline hardening, and governance policies for training and deploying AI responsibly. The other two whitepapers in this series discuss additional aspects of secure AI development and deployment for enterprises. By outlining recommendations across these key areas of security and compliance in three targeted whitepapers, this series aims to guide enterprises in fulfilling their obligations for responsible and secure AI design, development, and deployment.
AI Shared Responsibility Model
The AI Shared Responsibility Model outlines the division of tasks between AI platform providers, AI application owners, AI developers and AI users, varying by service model (SaaS, PaaS, IaaS).
The secure operation of AI applications involves a collaborative effort among multiple stakeholders. In the context of AI, responsibilities are shared between three key parties: the AI service users, the AI application owners and developers, and the AI platform providers.
When evaluating an AI-enabled integration, it is crucial to understand the shared responsibility model and delineate the specific tasks handled by each party.
Key Layers in an AI-Enabled Application
1. AI Platform:
○ This layer provides the AI capabilities to applications. It involves building and safeguarding the infrastructure that hosts AI models, training data, and configuration settings.
○ Security considerations include protecting against malicious inputs and against harmful outputs generated by the AI model. AI safety systems should protect against potentially harmful inputs and outputs such as hate speech, jailbreak attempts, and similar content.
○ The AI Platform layer has the following tasks:
■ Model safety and security
■ Model tuning
■ Model accountability
■ Model design and implementation
■ Model training and governance
■ AI compute and data infrastructure
2. AI Application Layer:
○ The AI application layer interfaces with users, leveraging the AI capabilities. Its complexity can vary significantly. At their most basic level, standalone AI applications serve as a conduit to a collection of APIs, which process textual prompts from users and relay them to the underlying model for a response. More sophisticated AI applications are capable of enriching these prompts with additional context, utilizing elements such as a persistence layer, a semantic index, or plugins that provide access to a broader range of data sources. The most advanced AI applications are designed to integrate seamlessly with pre-existing applications and systems, enabling a multi-modal approach that encompasses text, audio, and visual inputs to produce diverse content outputs.
○ As an AI application owner, you ensure seamless user experiences and handle any additional features or services. To safeguard an AI application from harmful activities, it is essential to establish a robust application safety system. A Generative AI (GenAI) system should thoroughly examine the content used in the prompt dispatched to the AI model. Additionally, it must scrutinize the exchanges with any add-ons such as plugins and functions, data connectors, and interactions with other AI applications, a process referred to as AI orchestration. For those developing AI applications on Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) services, integrating a dedicated AI content safety feature is advisable. Depending on specific requirements, additional features may be implemented to enhance protection.
○ The AI Application layer has the following tasks:
■ AI plugins and data connections
■ Application design and implementation
■ Application infrastructure
■ AI safety system
3. AI Usage:
○ The AI usage layer outlines the application and consumption of AI functionalities. GenAI introduces an innovative user/computer interaction model, distinct from traditional interfaces like APIs, command prompts, and GUIs. This new interface is interactive and adaptable, molding the computer's capabilities to the user's intentions. Unlike earlier interfaces that required users to conform to the system's design and functions, the generative AI interface prioritizes user interaction. This allows the users' inputs to significantly shape the system's output, emphasizing the importance of safety mechanisms to safeguard individuals, data, and corporate resources.
○ Security considerations for AI usage are akin to those for any computer system, relying on robust measures for identity and access management, device security, monitoring, data governance, and administrative controls.
○ Given the significant impact user actions can have on system outputs, a greater focus on user conduct and responsibility is necessary. It is essential to revise policies for acceptable use and to inform users about the distinctions between conventional IT applications and those enhanced by AI. This education should cover AI-specific issues concerning security, privacy, and ethical standards. Moreover, it is important to raise awareness among users about the potential for AI-driven attacks, which may involve sophisticatedly fabricated text, audio, video, and other media designed to deceive.
○ The AI usage layer has the following tasks:
■ User training and accountability
■ Acceptable usage policy and admin controls
■ Identity and Access Management (IAM) and device controls
■ Data governance
Remember that this shared responsibility model helps demarcate roles and ensures a clear separation of duties, contributing to the safe and effective use of AI technologies. The distribution of workload responsibilities varies with the type of AI integration, based on the service model.
1. Software as a Service (SaaS):
○ In SaaS-based AI integrations, the AI platform provider assumes responsibility for managing the underlying infrastructure, security controls, and compliance measures.
○ As a user, your primary focus lies in configuring and customizing the AI application to align with your specific requirements.
2. Platform as a Service (PaaS):
○ PaaS-based AI platforms offer a middle ground. While the provider manages the core AI capabilities, you retain some control over configurations and customization.
○ You are responsible for ensuring the safe use of the AI model, handling training data, and adjusting model behavior (e.g., weights and biases).
3. Infrastructure as a Service (IaaS):
○ In IaaS scenarios, you have greater control over the infrastructure. However, this also means taking on more responsibilities.
○ You manage the entire stack, including the AI model, training data, and infrastructure security.
Foundational Components of a Data-Centric AI System
The foundational components of a data-centric AI system encompass the entire lifecycle of data and model management. These components work together to create a secure and effective AI system that can process data and provide valuable insights or automated decisions.
● Raw Data: The initial unprocessed data collected from various sources.
● Data preparation: The process of cleaning and organizing raw data into a structured format.
● Datasets: Curated collections of data, ready for analysis and model training.
● Data and AI governance: Policies and procedures to ensure data quality and ethical AI usage.
● Machine Learning algorithms: The computational methods used to interpret data.
● Evaluation: Assessing the performance of machine learning models.
● Machine Learning Models: The output of algorithms trained on datasets.
● Model management: Overseeing the lifecycle of machine learning models.
● Model deployment and inference: Implementing models to make predictions or decisions.
● Inference outcomes: The results produced by deployed models.
● Machine Learning Operations (MLOps): Practices for deploying and maintaining AI models.
● Data and AI Platform security: Measures to protect the system against threats.
Data Operations: Involves the acquisition and transformation of data, coupled with the assurance of data security and governance. The efficacy of ML models is contingent upon the integrity of data pipelines and a fortified DataOps framework.
Model Operations: Encompasses the creation of predictive ML models, procurement from model marketplaces, or the utilization of Large Language Models (LLMs) such as those provided by OpenAI or
through Foundation Model APIs. Model development is an iterative process that necessitates a systematic approach to document and evaluate various experimental conditions and outcomes.
Model Deployment and Serving: Entails the secure construction of model containers, the isolated and protected deployment of models, and the implementation of automated scaling, rate limiting, and surveillance of active models. It also includes the provision of features and functions for high-availability, low-latency services in Retrieval Augmented Generation (RAG) applications, as well as the requisite features for other applications, including those that deploy models externally to the platform or require data features from the catalog.
Operations and Platform: Covers the management of platform vulnerabilities, updates, model segregation, and system controls, along with the enforcement of authorized model access within a secure architectural framework. Additionally, it involves the deployment of operational tools for Continuous Integration/Continuous Deployment (CI/CD), ensuring that the entire lifecycle adheres to established standards across separate execution environments (development, staging, and production) for secure ML operations (MLOps).
Table 1 aligns the operations with the core aspects of a data-centric AI system, highlighting their roles and interdependencies.
Foundational Component: Description
Data Operations: Ingestion, transformation, security, and governance of data.
Model Operations: Building, acquiring, and experimenting with ML models.
Model Deployment and Serving: Secure deployment, serving, and monitoring of ML models.
Operations and Platform: Platform security, model isolation, and CI/CD for MLOps.
Table 1: Mapping Data-Centric AI System Components and Their Interconnected Roles
Table 2 provides a synthesized view of the potential security risks and threats at each stage of an AI/ML system, along with examples and recommended mitigations to address these concerns.
System Stage: Data Operations
  System Components: Raw Data, Data Prep, Datasets
  Potential Security Risks: Data loss: unauthorized deletion or corruption of data. Data poisoning: deliberate manipulation of data to compromise the model's integrity. Compliance challenges: failure to meet regulatory requirements for data protection.
  Threats: Compromise/poisoning of data: attackers may inject false data or alter existing data.
  Mitigations: Implement robust data governance frameworks. Deploy anomaly detection systems. Establish recovery protocols and regular data backups.
System Stage: Model Operations
  System Components: ML Algorithms, Model Management
  Potential Security Risks: Model theft: stealing of proprietary models. Unauthorized access: gaining access to models without permission.
  Threats: Attacks via API access: exploiting API vulnerabilities to access or manipulate models. Model stealing (extraction): replicating a model for unauthorized use.
  Mitigations: Strengthen access controls and authentication mechanisms. Secure API endpoints through encryption and rate limiting. Regularly update and patch systems.
System Stage: Model Deployment and Serving
  System Components: Model Serving, Inference Response
  Potential Security Risks: Unauthorized access: accessing the model serving infrastructure without authorization. Data leakage: exposing sensitive information through misconfigured systems.
  Threats: Model tricking (evasion): altering inputs to receive a specific output from the model. Training data recovery (inversion): extracting private training data from the model.
  Mitigations: Secure deployment practices, including containerization and network segmentation. Active monitoring and logging of model interactions. Implement rate limiting and anomaly detection.
System Stage: Operations and Platform
  System Components: ML Operations, Data and AI Platform Security
  Potential Security Risks: Inadequate vulnerability management: not addressing known vulnerabilities in a timely manner. Model isolation issues: failure to properly isolate models, leading to potential cross-contamination.
  Threats: Attacking the ML supply chain: introducing vulnerabilities or backdoors in third-party components. Model contamination (poisoning): corrupting training data to cause misclassification or system unavailability.
  Mitigations: Continuous vulnerability management and patching. CI/CD processes for consistent deployment. Isolation controls and secure architecture design.
Table 2: AI/ML Security Risk Overview
We analyze each responsibility in the following dimensions.
1. Evaluation Criteria: When discussing AI responsibility, consider quantifiable metrics for assessing the security impact of AI systems. By quantifying these aspects, stakeholders can better understand the risks associated with AI technologies and how to address those risks. Organizations must frequently evaluate their AI systems to ensure security and reliability. They should assess measurable properties such as how well the system withstands attacks (adversarial robustness), whether it leaks sensitive data, how often it makes mistakes (false-positive rates), and whether the training data is reliable (data integrity). Evaluating and monitoring these critical measures as part of the organization's security plan will help improve the overall security posture of AI systems.
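As an added example that is not from the whitepaper, the following Python turns the data-integrity criterion above into something measurable: every approved training record is hashed, the per-record digests are bound under an HMAC with a key held outside the data pipeline, and a check run before each training job reports modified, deleted and injected records, which are the data-loss and data-poisoning cases Table 2 lists for the Data Operations stage. The record ids, sample records, manifest key and the tampered copy are all constructed for the example.

```python
"""Added example (not part of the CSA whitepaper): a dataset integrity
manifest for the "data integrity" evaluation criterion.

A SHA-256 digest of every record is recorded when the dataset is approved,
the set of digests is bound with an HMAC whose key lives outside the data
pipeline, and the dataset is re-verified before training so that silent
corruption, deletions and injected records are caught before they reach
the model. Record ids, records, key and the tampered copy are constructed.
"""
import hashlib
import hmac
import json


def record_digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so that semantically equal
    # records hash identically regardless of serialization order.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def manifest_mac(digests: dict[str, str], secret: bytes) -> str:
    # HMAC over the sorted id->digest map; an attacker who can rewrite the
    # dataset and the manifest still cannot forge this without the key.
    payload = json.dumps(digests, sort_keys=True).encode("utf-8")
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def build_manifest(records: dict[str, dict], secret: bytes) -> dict:
    """Return {"records": {id: digest}, "mac": hex} for an approved dataset."""
    digests = {rid: record_digest(rec) for rid, rec in records.items()}
    return {"records": digests, "mac": manifest_mac(digests, secret)}


def verify_dataset(records: dict[str, dict], manifest: dict, secret: bytes) -> dict:
    """Compare the current dataset against the approved manifest.

    Returns the ids of modified, missing and added records plus whether the
    manifest itself is authentic; "ok" is True only when everything matches.
    """
    expected = manifest["records"]
    manifest_ok = hmac.compare_digest(manifest["mac"], manifest_mac(expected, secret))
    modified = sorted(rid for rid in records
                      if rid in expected and record_digest(records[rid]) != expected[rid])
    missing = sorted(rid for rid in expected if rid not in records)
    added = sorted(rid for rid in records if rid not in expected)
    return {
        "manifest_authentic": manifest_ok,
        "modified": modified,
        "missing": missing,
        "added": added,
        "ok": manifest_ok and not (modified or missing or added),
    }


# Constructed sample dataset: three labelled records as a data owner might approve them.
APPROVED = {
    "r1": {"text": "wire transfer confirmation", "label": "legit"},
    "r2": {"text": "urgent: verify your account now", "label": "phish"},
    "r3": {"text": "quarterly report attached", "label": "legit"},
}
MANIFEST_KEY = b"example-key-held-outside-the-pipeline"  # constructed for this example
MANIFEST = build_manifest(APPROVED, MANIFEST_KEY)


def poisoned_copy() -> dict[str, dict]:
    """Constructed tampering: flip one label, drop one record, inject one record."""
    tampered = {rid: dict(rec) for rid, rec in APPROVED.items()}
    tampered["r2"]["label"] = "legit"                          # label flip (poisoning)
    del tampered["r3"]                                         # deletion (data loss)
    tampered["r9"] = {"text": "click here", "label": "legit"}  # injected record
    return tampered


if __name__ == "__main__":
    print(verify_dataset(APPROVED, MANIFEST, MANIFEST_KEY))
    print(verify_dataset(poisoned_copy(), MANIFEST, MANIFEST_KEY))
```

The manifest is only as trustworthy as the key: if the key sits next to the data, an attacker who poisons the dataset simply regenerates the manifest, which is why the check also reports whether the MAC verified under the out-of-band key rather than trusting the digests alone.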
2. RACI Model: This model helps clarify who is Responsible, Accountable, Consulted, and Informed (RACI) regarding AI decision-making and oversight. Applying the RACI model delineates roles and responsibilities in AI governance. This allocation of responsibilities is essential for secure AI systems. It is important to understand that, depending on an organization's size and business focus, the specific roles and teams delineated in this whitepaper are for reference only. The emphasis should be on clearly outlining the key responsibilities first. Organizations can then determine the appropriate roles to map to those responsibilities, and subsequently the teams to fill those roles. There may be some overlapping responsibilities across teams. The RACI framework defined herein aims to provide initial role and team designations to aid organizations in developing their own tailored RACI models. However, implementation may vary across companies based on their unique organizational structures and priorities.
3. High-level Implementation Strategies: This section outlines strategies for integrating cybersecurity considerations into the Software Development Lifecycle (SDLC). Organizations must prioritize the enforcement of CIA principles, ensuring the confidentiality, integrity, and availability of data and systems. Access control mechanisms should be implemented rigorously to manage user permissions and prevent unauthorized access. Robust auditing mechanisms must track system activity and promptly detect suspicious behavior. Impact assessments should evaluate potential cybersecurity risks, focusing on identifying vulnerabilities and mitigating threats to safeguard sensitive information in AI systems.
4. Continuous Monitoring and Reporting: Continuous monitoring and reporting ensure the ongoing security, safety, and performance of AI systems. Critical components include real-time monitoring, alerts for poor model performance or security incidents, audit trails/logs, and regular reporting, followed by action to implement improvements and resolve issues. Continuous monitoring and reporting help organizations maintain transparency, enhance performance and accountability, and build trust in AI systems.
5. Access Control: Access control is crucial for securing AI systems. This includes strong API authentication/authorization policies, managing model registries, controlling access to data repositories, overseeing continuous integration and deployment (CI/CD) pipelines, handling secrets, and managing privileged access. By defining user roles and permissions for the various parts of the AI pipeline, sensitive data can be safeguarded, and models cannot be tampered with or accessed without proper authorization. Implementing strong identity and access management not only protects intellectual property but also ensures accountability throughout AI workflows.
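The following Python, added here and not taken from the whitepaper, shows one way to express the role-to-permission mapping this dimension calls for: a deny-by-default policy over the data repository, model registry, CI/CD pipeline and secrets store, a separation-of-duties rule so that the identity which registers a candidate model cannot also approve its release, and an audit entry for every decision so that the accountability the paragraph mentions has a record behind it. The role names, resources, actions and principals are assumptions made for the example.

```python
"""Added example (not part of the CSA whitepaper): a deny-by-default
authorization check for the parts of an AI pipeline named in the "Access
Control" dimension: data repositories, the model registry, CI/CD
pipelines, and the secrets store.

Roles, resources, actions and principals below are constructed for this
example; a real deployment would load the policy from its IAM system and
write the audit log to an append-only store.
"""
from dataclasses import dataclass, field

# Policy: role -> resource -> set of allowed actions. Anything not listed is denied.
POLICY = {
    "data_engineer": {
        "data_repo": {"read", "write"},
    },
    "ml_engineer": {
        "data_repo": {"read"},
        "model_registry": {"read", "register_candidate"},
        "cicd_pipeline": {"trigger_training"},
    },
    "release_manager": {
        "model_registry": {"read", "approve_release"},
        "cicd_pipeline": {"trigger_deploy"},
    },
    "cicd_service": {  # non-human identity used by the pipeline itself
        "data_repo": {"read"},
        "model_registry": {"read", "register_candidate"},
        "secrets_store": {"read_training_credentials"},
    },
}

# Separation of duties: no single principal may hold both roles of a pair,
# so whoever registers a candidate model cannot also approve its release.
CONFLICTING_ROLES = {frozenset({"ml_engineer", "release_manager"})}


@dataclass
class Principal:
    name: str
    roles: set[str] = field(default_factory=set)


def violates_separation_of_duties(principal: Principal) -> bool:
    return any(pair <= principal.roles for pair in CONFLICTING_ROLES)


def is_allowed(principal: Principal, resource: str, action: str) -> bool:
    """Deny by default: allow only if the principal's role set is valid and
    at least one assigned role grants this action on this resource."""
    if violates_separation_of_duties(principal):
        return False
    return any(action in POLICY.get(role, {}).get(resource, set())
               for role in principal.roles)


def authorize(principal: Principal, resource: str, action: str, audit: list) -> bool:
    """Evaluate the request and append the decision to the audit trail."""
    decision = is_allowed(principal, resource, action)
    audit.append({"principal": principal.name, "roles": sorted(principal.roles),
                  "resource": resource, "action": action,
                  "decision": "allow" if decision else "deny"})
    return decision


if __name__ == "__main__":
    log = []
    alice = Principal("alice", {"ml_engineer"})
    bob = Principal("bob", {"release_manager"})
    authorize(alice, "model_registry", "register_candidate", log)       # allow
    authorize(alice, "model_registry", "approve_release", log)          # deny
    authorize(alice, "secrets_store", "read_training_credentials", log)  # deny
    authorize(bob, "model_registry", "approve_release", log)            # allow
    for entry in log:
        print(entry)
```

Two design points carry over to real systems: the policy grants nothing unless a role explicitly lists the resource and action, so a new resource (or a typo in a resource name) fails closed; and the pipeline's service identity gets only the narrow secrets permission it needs for training, not the approval or deployment rights held by humans.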
6. Adherence to Foundational Governance, Risk and Compliance, Security, Safety, and Ethical Guardrails: Emphasize adherence to guardrails based on industry best practices and regulatory requirements such as the following:
● NIST SSDF for secure software development
● NIST Artificial Intelligence Risk Management Framework (AI RMF)
● ISO/IEC 42001:2023 AI Management System (AIMS)
● ISO/IEC 27001:2022 Information Security Management System (ISMS)
● ISO/IEC 27701:2019 Privacy Information Management System (PIMS)
● ISO 31700-1:2023 Consumer protection: Privacy by design for consumer goods and services
● OWASP Top 10 for LLM Applications
● NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
● General Data Protection Regulation (GDPR) and its guidance on data anonymization and pseudonymization
● Guidance for tokenization on cloud-based services
Assumptions
This document assumes an industry-neutral stance, providing guidelines and recommendations that are applicable across various sectors without a specific bias towards a particular industry.
Intended Audience
The whitepaper is intended to cater to a diverse range of audiences, each with distinct objectives and interests.
1. Chief Information Security Officers (CISOs): This whitepaper is specifically designed to address the concerns and responsibilities of CISOs. It provides valuable insights into integrating core security principles within AI systems. Please note that the role of Chief AI Officer (CAIO) is emerging in many organizations, and it is anticipated that a majority of the related responsibilities defined in this whitepaper may shift from the CISO to the CAIO in the near future.
2. AI researchers, engineers, data professionals, scientists, analysts and developers: The paper offers comprehensive guidelines and best practices for AI researchers and engineers, aiding them in developing ethical and trustworthy AI systems. It serves as a crucial resource for ensuring responsible AI development.
3. Business leaders and decision makers: For business leaders and decision-makers such as the CIO, CPO, CDO, CRO, CEO and CTO, the whitepaper offers essential information and awareness for cybersecurity strategies related to AI system development, deployment, and lifecycle management.
4. Policymakers and regulators: Policymakers and regulators will find this paper invaluable as it provides critical insights to help shape policy and regulatory frameworks concerning AI e