HITRUST CSF requirement statement [?] (New in v11.4.0, coming in Nov. 2024)
The organization encrypts at rest
(1) the datasets used to train, test, and validated AI models;
(2) the data used to tune AI models;
(3) embeddings (if used); and
(4) AI models.
This is performed in observance of the organization’s encryption policies relating to
(5) encryption strength and
(6) key management.
- Evaluative elements in this requirement statement [?]
-
1. The organization encrypts AI training, testing, and validation data at rest.
2. The organization encrypts AI tuning data at rest.
3. The organization encrypts embeddings at rest (if used).
4. The organization encrypts AI models at rest.
5. This is performed in observance of the organization’s encryption policies relating to encryption strength.
6. This is performed in observance of the organization’s encryption policies relating to key management.
- Illustrative procedures for use during assessments [?]
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
- Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
- For example, review the AI system to ensure the organization encrypts at rest the datasets used to train, test, and validate AI models; the data used to tune AI models; embeddings (if used); and AI models. Further, confirm this is performed in observance of the organization’s encryption policies relating to encryption strength and key management.
- For example, review the AI system to ensure the organization encrypts at rest the datasets used to train, test, and validate AI models; the data used to tune AI models; embeddings (if used); and AI models. Further, confirm this is performed in observance of the organization’s encryption policies relating to encryption strength and key management.
- Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
- For example, measures indicate if the organization encrypts at rest the datasets used to train, test, and validate AI models; the data used to tune AI models; embeddings (if used); and AI models. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that encryption is deployed in observance of the organization’s encryption policies relating to encryption strength and key management.
- For example, measures indicate if the organization encrypts at rest the datasets used to train, test, and validate AI models; the data used to tune AI models; embeddings (if used); and AI models. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that encryption is deployed in observance of the organization’s encryption policies relating to encryption strength and key management.
- Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Placement of this requirement in the HITRUST CSF [?]
- Assessment domain: 11 Access Control
- Control category: 01.0 – Access Control
- Control reference: 01.v – Information Access Restriction
- Specific to which parts of the overall AI system? [?]
-
AI platform layer
- Model tuning and associated datasets
- The deployed AI model
- AI datasets and data pipelines
- Discussed in which authoritative AI security sources? [?]
-
- OWASP Machine Learning Security Top 10
2023, © The OWASP Foundation- Where:
- ML02:2023 Data poisoning attack > How to prevent > Bullet #2
- ML05:2023 Model theft > How to prevent > Bullet #1
- ML10:2023 Model poisoning > How to prevent > Bullet #3
- Where:
- OWASP AI Exchange
2024, © The OWASP Foundation
- MITRE ATLAS
2024, © The MITRE Corporation- Where: AML.M0012
- Where: AML.M0012
- Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
Apr 2024, National Security Agency (NSA)- Where: Secure the deployment environment > Harden deployment environment configurations > Bullet 3
- Where: Secure the deployment environment > Harden deployment environment configurations > Bullet 3
- Securing Machine Learning Algorithms
2021, © European Union Agency for Cybersecurity (ENISA)- Where: 4.1- Security Controls > Organizational > Ensure ML applications comply with data security requirements
- Where: 4.1- Security Controls > Organizational > Ensure ML applications comply with data security requirements
- OWASP Machine Learning Security Top 10
- Discussed in which commercial AI security sources? [?]
-
- Databricks AI Security Framework
Sept. 2024, © Databricks- Where:
- Control DASF 8: Encrypt data at rest
- Control DASF 30: Encrypt models
- Control DASF 46: Store and retrieve embeddings securely
- Where:
- Snowflake AI Security Framework
2024, © Snowflake Inc.- Where:
- Multitenancy in ML environments > Mitigations > Data encryption
- Attacks on the infrastructure hosting AI services > Mitigations > Data encryption
- Where:
- Databricks AI Security Framework
- Helps to prevent, detect, and/or correct which AI security threats? [?]
-
- Additional information
-
- Q: When will this requirement included in an assessment? [?]
- This requirement is included when confidential and/or sensitive data was used for model training, model tuning, and/or prompt enhancement via RAG for the assessment’s in-scope AI systems.
- This requirement is also included when the assessment’s in-scope AI system(s) leverage models with technical architectures that are confidential to the organization.
- The
Cybersecurity for deployed AI systems
regulatory factor must also be present in the assessment.
- Q: Will this requirement be externally inheritable? [?] [?]
- Yes, fully. This requirement may be the sole responsibility of the AI platform provider and/or model creator. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI platform provider and/or model creator apply.
- Yes, fully. This requirement may be the sole responsibility of the AI platform provider and/or model creator. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI platform provider and/or model creator apply.
- Q: When will this requirement included in an assessment? [?]
Post your comment on this topic.