Data Security

Data Security Working Group Meeting - 2/13/25

Data Security Publications:

• Cybersecurity and the Data Lifecycle - February 10, 2025*
• Data Security Glossary - January 22, 2024

Publications in Development:

• Data security within an AI Environment - Continue internal development before peer review. Utilize AI Controls Matrix as primary reference, focusing primarily on Data Security and Privacy Lifecycle Management controls DSP01-24. Q2 2025 release.

Proposed (2025):

• Protecting Sensitive Data in AI: Privacy-Enhancing Tools and PII Risk Mitigation - Combine 3 subtopics into 1 paper
  • Highly Sensitive/Confidential Data
  • Privacy Enhancing Technologies for AI
  • Perils of Personal Identifiable Information in LLMs
• DORA Guidelines & Objectives
• Data Loss Prevention Strategies: Safeguarding Sensitive Information

Meeting Summary:

The team discussed the upcoming Virtual Fin Cloud Security Summit and the release of the Cybersecurity and Data Lifecycle paper. They also explored the potential for more papers, focusing on core concepts and the integration of AI into data security. The meeting also covered the importance of data security, particularly in AI environments, and the potential implications of a significant change in the US government's data management and cybersecurity policies.

Virtual Fin Cloud Security Summit:

• Alex announced the upcoming Virtual FinCloud Security Summit 2025 on February 26th, which will focus on financial services and related content. He also highlighted the newest release from the Data Security working group of the Cyber Security and Data Lifecycle paper on February 10th led by Rocco, which was well-received and has received positive attention. Alex encouraged the team to share the paper on their LinkedIn pages to further promote it. The team also discussed the possibility of releasing more papers in the future, focusing on core concepts.

Combining Topics for AI Security Paper:

• Alex  reiterated the idea of connecting the AI Controls Matrix to Data Security within an AI Environment, which is currently in development. Rocco suggested combining three topics - highly sensitive confidential data, privacy enhancing technologies, and perils of PII and LLMs - into one paper. Onyeka agreed with this suggestion, emphasizing that these topics could stand on their own. Rocco also mentioned a blog post from 2023 that was slightly revised and reposted for the recent wildfires. Alex suggested potentially repackaging or adding more to this blog post, possibly tying it to the controls. Rocco agreed to work on the next paper, and the team seemed to agree on the idea of combining the three topics into one paper.

Data Security and AI Protection:

• Alex and Rocco discussed the importance of data security, particularly in AI environments. They agreed to broaden their focus to include corporate data security concerns and the protection of sensitive data, often referred to as "crown jewels." They also discussed the potential for fraud in insurance and real estate, and the need for data loss prevention (DLP) measures. Rocco shared his experience with Starlink, a satellite internet service, which he found to be reliable even in remote locations. They ended the conversation with plans to further explore these topics and consider how to incorporate them into their work.

DOGE and Recruitment:

• The group discusses a recent events involving DOGE, which is described as potentially the largest in history. Rocco expresses concern that the breach has created a database vulnerable to hackers, while Vashti points out that this breach, combined with previous ones, could be used to profile almost every human. The conversation touches on the recruitment process for DOGE, with Alex noting that younger, seemingly unbiased individuals are being targeted. The group also discusses the implications of this breach on data security and privacy, with Rocco suggesting that the administration may be allowing such breaches to occur.

US Government Data Security Concerns:

• The team discussed the potential implications of a significant change in the US government's data management and cybersecurity policies. They expressed concerns about the potential for increased breaches and the impact on data security. The conversation also touched on the potential for lawsuits and the need for tighter cybersecurity measures. The team agreed that the topic was sensitive and should not be taken further than their current discussion. They also discussed the potential for a blog post on the topic, but decided against it. The team also expressed interest in hearing perspectives from outside the US on the matter.

Refining AI Paper With Data Focus:

• Alex and Rocco discuss refining their AI-focused paper to make it more data-centric. They consider using the structure of another paper's controls matrix as a reference. Rocco suggests extracting categories related to data from the existing matrix, which includes topics like data collection, creation, storage, output, and disposal. They plan to focus on these data-related categories to distinguish their paper from other AI content while still tying it to the latest AI controls.

AI Integration and Privacy Concerns:

• In the meeting, Alex and Rocco discussed the integration of AI Control Matrix (AICM), and agreed to focus on the privacy aspect of the AICM as it is a significant concern in the AI environment. They also discussed the need for a clear definition of privacy lifecycle management and the potential for a data-centric perspective in their approach. The team decided to start building out the AICM related paper, with Rocco planning to work on it during the week. They also discussed the importance of considering privacy rights in the corporate environment.

------------------------------
Alex Kaluza
Research Analyst
Cloud Security Alliance
------------------------------