Provide AI security training to AI builders and deployers

HITRUST CSF requirement statement [?] (13.02eAISecOrganizational.1)

The organization provides training no less than annually on AI security topics (e.g., 
vulnerabilities, threats, organizational policy requirements) for all teams involved in 
AI software and model creation and deployment, including (as applicable) 
(1) development, 
(2) data science, and 
(3) cybersecurity 
personnel.

Evaluative elements in this requirement statement [?]

1. The organization provides training no less than annually on AI security topics 
(e.g., vulnerabilities, threats, organizational policy requirements) to development 
personnel.

2. The organization provides training no less than annually on AI security topics 
(e.g., vulnerabilities, threats, organizational policy requirements) to data science 
personnel.

3. The organization provides training no less than annually on AI security topics 
(e.g., vulnerabilities, threats, organizational policy requirements) to cybersecurity 
personnel.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, review the AI security training documentation to confirm that training is conducted no less than annually on AI security topics (e.g., vulnerabilities, threats, organizational policy requirements) for all teams involved in AI software and model creation and deployment. Further, confirm the training includes all development, data science, and cybersecurity personnel.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate the percentage of personnel in AI system roles who have received AI security training. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and confirm that all personnel in AI system roles receive AI security training no less than annually.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 13 Education, Training and Awareness
• Control category: 02.0 – Human Resources Security
• Control reference: 02.e – Information Security Awareness, Education, and Training
  
  

Specific to which parts of the overall AI system? [?]

• N/A, not AI component-specific
  
  

Discussed in which authoritative AI security sources? [?]

• ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system
  2023, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • 7. Support > 7.2. Competence
    • 7. Support > 7.3. Awareness
      
      
• OWASP 2023 Top 10 for LLM Applications
  Oct. 2023, © The OWASP Foundation
  • Where:
    • LLM04: Model denial of service > Prevention and mitigation strategies > Bullet #7
      
      

• OWASP Machine Learning Security Top 10
  2023, © The OWASP Foundation
  • Where:
    • ML06:2023 AI supply chain attacks > How to prevent > Bullet #7
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #SECEDUCATE
    • #SECDEVPROGRAM
      
      

• LLM AI Cybersecurity & Governance Checklist
  Feb. 2024, © The OWASP Foundation
  • Where:
    • 3. Checklist > 3.3. AI Asset Inventory > Bullet #6
    • 3. Checklist > 3.4. AI Security and Privacy Training > Bullet #5
      
      

• MITRE ATLAS
  2024, © The MITRE Corporation
  • Where:
    • AML.M0018
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 1. Secure design > Raise staff awareness of threats and risks
      
      

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Secure AI operation and maintenance > Ensure user awareness and training
      
      

• Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector
  March 2024, U.S. Department of the Treasury
  • Where:
    • 5. Best practices for managing AI-specific security risks > 5.9. Cybersecurity best practices closely apply to AI systems
      
      

• Securing Machine Learning Algorithms
  2021, © European Union Agency for Cybersecurity (ENISA)
  • Where:
    • 4.1- Security Controls > Specific ML > Integrate ML specificities to awareness strategy and ensure all ML stakeholders are receiving it
      
      

Discussed in which commercial AI security sources? [?]

• The anecdotes AI GRC Toolkit
  2024, © Anecdotes A.I Ltd.
  • Where:
    • Control 6.1: Training
      
      
• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • Control DASF 41: Platform security — secure SDLC
    • Resources and Further Reading > AI and Machine Learning on Databricks
      
      
• Google Secure AI Framework
  June 2023, © Google
  • Where:
    • Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Retrain and retain
      
      
• HiddenLayer’s 2024 AI Threat Landscape Report
  2024, © HiddenLayer
  • Where:
    • Part 4: Predictions and recommendations > 5. Secure development practices > Bullet 1
      
      
• Snowflake AI Security Framework
  2024, © Snowflake Inc.
  • Where:
    • Backdooring models (insider attacks) > Mitigations > Secure development practices
    • Attacks on the infrastructure hosting AI services > Mitigations > Security awareness training
      
      

Control functions against which AI security threats? [?]

• Control function: Variance reduction
  • Denial of AI service
  • Prompt injection
  • Evasion
  • Model inversion
  • Model extraction and theft
  • Data poisoning
  • Model poisoning
  • Compromised 3rd-party training datasets
  • Compromised 3rd-party models or code
  • Confabulation
  • Excessive agency
  • Sensitive information disclosed in output
  • Harmful code generation
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • No (dual responsibility). The AI application provider and its AI service providers (if used) are responsible for independently performing this requirement outside of the AI system’s technology stack.