Additional Training Data Measures

HITRUST CSF requirement statement [?] (17.03bAISecOrganizational.3)

The organization evaluates the need to take additional measures against AI training data (e.g., 
adversarial training, using randomized smoothing techniques) to specifically ensure that the 
machine learning-based AI models it produces are more resistant to evasion and poisoning 
attacks. This evaluation is 
(1) documented, 
(2) performed regularly (at least semiannually) thereafter, and 
(3) revisited when security incidents related to the AI system occur. 
Additional measures deemed necessary as a result of this evaluation are 
(4) implemented by the organization. 

Evaluative elements in this requirement statement [?]

1. The organization documents an evaluation of the need to take additional measures against AI training 
data (e.g., adversarial training, using randomized smoothing techniques) to specifically ensure that the 
machine learning-based AI models it produces are more resistant to evasion and poisoning attacks. 

2. This evaluation is performed regularly (at least semiannually).

3. This evaluation is revisited when security incidents related to the AI system occur.

4. Additional measures deemed necessary as a result of this evaluation are implemented by the organization. 

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, inspect the documentation produced as a result of the evaluation described in this requirement and confirm that any measures deemed necessary as a result of the evaluation have been implemented. Further, evidence that the evaluation was revisited at the frequency described in the requirement.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate the percentage of the AI models produced by the organization subject to this evaluation of total.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 17 Risk Management
• Control category: 03.0 – Risk Management
• Control reference: 03.b – Performing Risk Assessments

Specific to which parts of the overall AI system? [?]

• AI platform layer:
  • AI datasets and data pipelines
    
    

Discussed in which authoritative AI security sources? [?]

• ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management
  2023, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • Part 6. Risk management process > 6.4 Risk assessment > 6.4.2 Risk identification > 6.4.2.5 Identification of controls
    • Part 6. Risk management process > 6.4 Risk assessment > 6.4.2 Risk identification > 6.5.2 Selection of risk treatment options
    • Annex A > A.9- Model Robustness
      
      

• OWASP 2025 Top 10 for LLM Applications
  2025, © The OWASP Foundation
  • Where:
    • LLM02: Sensitive Information Disclosure > Prevention and Mitigation Strategies > Federated Learning and Privacy Techniques > Bullet #2
    • LLM10: Unbounded consumption > Prevention and Mitigation Strategies > Bullet #11
      
      

• OWASP Machine Learning Security Top 10
  2023, © The OWASP Foundation
  • Where:
    • ML01:2023 Input manipulation attack > How to prevent > Bullet #1
    • ML01:2023 Input manipulation attack > How to prevent > Bullet #2
    • ML04:2023 Membership inference attack > How to prevent > Bullet #1
    • ML04:2023 Membership inference attack > How to prevent > Bullet #2
    • ML10:2023 Model Poisoning > How to prevent > Bullet #2
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #TRAINDATADISTORTION
    • #TRAINADVERSARIAL
    • #EVASIONROBUSTMODEL
      
      

• MITRE ATLAS
  2024, © The MITRE Corporation
  • Where:
    • AML.M0002
    • AML.M0003
      
      

• NIST AI 100-2 E2023: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations
  Jan. 2024, National Institute of Standards and Technology (NIST)
  • Where:
    • 2. Predictive AI taxonomy > 2.2. Evasion attacks and mitigations > 2.2.4. Mitigations
    • 2. Predictive AI taxonomy > 2.3. Poisoning attacks and mitigations > 2.3.1. Availability poisoning
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 3. Secure deployment > Protect your model continuously
      
      

• Securing Machine Learning Algorithms
  2021, © European Union Agency for Cybersecurity (ENISA)
  • Where:
    • 4.1- Security Controls > Specific ML > Apply modifications on inputs
    • 4.1- Security Controls > Specific ML > Add some adversarial examples to the training dataset
      
      

Discussed in which commercial AI security sources? [?]

• Snowflake AI Security Framework
  2024, © Snowflake Inc.
  • Where:
    • Lack of explainability / transparency > Mitigations > Adversarial training
    • Prompt injection > Mitigations > Adversarial training
    • Indirect prompt injection > Mitigations > Bullet 2
    • Adversarial samples > Mitigations > Robust model training
    • Sponge samples > Mitigations > Adversarial training
    • Fuzzing > Mitigations > Adversarial training
    • Model poisoning > Mitigations > Bullet 4
    • Training data poisoning > Mitigations > Robust model training
      
      

Control functions against which AI security threats? [?]

• Control function: Resistive, Preventative
  • Evasion
  • Data Poisoning
  • Model inversion
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • The Security for AI systems regulatory factor must also be present in the assessment.
  • However, this is only included when non-generative machine learning models are in-scope, as these are the only types of models this requirement applies to.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • Yes, fully. This requirement may be the sole responsibility of the AI model creator. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI model creator apply.