HITRUST CSF requirement statement [?] (07.10mAISecOrganizational.4)
The information system
(1) applies output encoding to textual AI model output to prevent traditional injection attacks
(e.g., remote code execution) which can create a vulnerability when processed.- Evaluative elements in this requirement statement [?]
-
1. The information system applies output encoding to textual AI model output to prevent traditional injection attacks (e.g., remote code execution) which can create a vulnerability when processed.
- Illustrative procedures for use during assessments [?]
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
- Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
- For example, obtain and examine evidence to confirm the information system applied output encoding on text based model output.
- For example, obtain and examine evidence to confirm the information system applied output encoding on text based model output.
- Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
- For example, measures indicate the percentage of text based model output that is encoded. Reviews, tests, or audits are completed by the information system applies output encoding to textual AI model output to prevent traditional injection attacks (e.g., remote code execution) which can create a vulnerability when processed.
- For example, measures indicate the percentage of text based model output that is encoded. Reviews, tests, or audits are completed by the information system applies output encoding to textual AI model output to prevent traditional injection attacks (e.g., remote code execution) which can create a vulnerability when processed.
- Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Placement of this requirement in the HITRUST CSF [?]
- Assessment domain: 07 Vulnerability Management
- Control category: 10.0 – Information Systems Acquisition, Development, and Maintenance
- Control reference: 10.m – Control of Technical Vulnerabilities
- Specific to which parts of the overall AI system? [?]
-
- AI application layer:
- Application AI safety and security systems
- AI platform layer
- Model safety and security systems
- AI application layer:
- Discussed in which authoritative AI security sources? [?]
-
- OWASP 2023 Top 10 for LLM Applications
Oct. 2023, © The OWASP Foundation- Where:
- LLM02: Insecure output handling > Prevention and Mitigation Strategies > Bullet #3
- LLM02: Insecure output handling > Prevention and Mitigation Strategies > Bullet #3
- Where:
- OWASP 2025 Top 10 for LLM Applications
2025, © The OWASP Foundation- Where:
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #2
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #3
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #4
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #5
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #6
- Where:
- OWASP AI Exchange
2024, © The OWASP Foundation- Where:
- LLM AI Cybersecurity & Governance Checklist
Feb. 2024, © The OWASP Foundation- Where:
- 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #5
- 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #5
- Where:
- Guidelines for Secure AI System Development
Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)- Where:
- 1. Secure design > Design your system for security as well as functionality and performance
- 1. Secure design > Design your system for security as well as functionality and performance
- Where:
- OWASP 2023 Top 10 for LLM Applications
- Discussed in which commercial AI security sources? [?]
-
- Databricks AI Security Framework
Sept. 2024, © Databricks- Where:
- Control DASF 54: Implement LLM guardrails
- Control DASF 54: Implement LLM guardrails
- Where:
- Databricks AI Security Framework
- Control functions against which AI security threats? [?]
-
- Control function: Preventative
- Additional information
-
- Q: When will this requirement included in an assessment? [?]
- This requirement is only included when the assessment’s in-scope AI system leverages a generative AI model.
- The
Security for AI systemsregulatory factor must also be present in the assessment.
- Q: When will this requirement included in an assessment? [?]