Data Security

Data Security Working Group Meeting - 5/22/25

  • 1.  Data Security Working Group Meeting - 5/22/25

    Posted May 22, 2025 02:22:00 PM

    Development:

    • Data security within an AI Environment - June 2025
      • Development continues on the AI data security paper, with focus on refining gaps across DSP01–DSP24 controls in the AI Controls Matrix. Recent discussions emphasized integrating AI into DLP systems, secure transmission methods, and privacy-enhancing technologies for PHI/PII protection. The working group is exploring content updates on regulatory frameworks, SMPC, and confidential computing. Contributions are being considered for future AICM versions. The goal is to complete revisions and have the paper ready for peer review later this month.

    Proposed:

    Data Security Publications:

    Meeting Summary:

    • Alex and Vashti discussed updates and improvements to a paper on AI controls, including revisions to various sections, formatting changes, and the inclusion of new content. They reviewed the document's structure, focusing on areas such as prompt guardrails, ethical considerations, and AI regulations, while also planning to add case studies and references to relevant frameworks. The conversation ended with plans for further refinement, review by additional experts, and preparation for upcoming publication deadlines.

    Paper Updates and Formatting Review

    • Alex provides updates on the latest paper they are working on, focusing on filling out various sections. He shows the revised overview section, which has been condensed and rewritten to align better with the rest of the paper. Alex also discusses the formatting approach, using a hybrid of bullet points and paragraphs for easier information presentation. Vashti confirms that all 24 items from the matrix document are now included in the paper. Alex presents a simplified table format to replace a previously complex chart, which Vashti approves.

    AI Controls Matrix Future-Proofing:

    • Alex discusses the AI controls matrix, which is expected to be published in June after a lengthy publication and design process. He explains that the document includes future recommendations and identifies potential gaps in controls. Alex emphasizes that he thoroughly questioned the AI to ensure the proposed controls were appropriate and not duplicative of existing entries. The document aims to future-proof the AI controls matrix by incorporating defense mechanisms for attack vectors and use patterns not captured by traditional data security controls. Alex also mentions including references to OWASP Top 10 risks and considers adding CSA references. He discusses the balance between providing relevant information and avoiding information overload, and invites Vashti to provide feedback or comments on the document.

    Document Review and DeepSeek Update:

    • Alex and Vashti discuss their approach to reviewing and refining a document. Vashti plans to clear her head and then review the document as if it were published, looking for flow issues and repetitions. They also talk about the recent DeepSeek database exposure, which they had added to their document during a team meeting. Alex expresses interest in reordering and possibly adding more details about the DeepSeek incident, noting its sudden and significant impact on the industry.

    Document Restructuring and Content Enhancement:

    • Alex and Vashti discuss reorganizing and expanding the document's structure, particularly focusing on the sections about prompt guardrails and ethical and legal considerations. They agree to redefine prompt guardrails as boundaries or limitations on what a prompt can provide to users. Alex plans to add a new section on this topic and rework the existing content to improve clarity and coherence. They also discuss enhancing the ethical and legal considerations section, including adding more information on HIPAA, GDPR, and CCPA regulations, and formatting the content with a mix of sentences and bullet points for better readability.

    AI Regulations Framework Update:

    • Alex and Vashti discuss improving the presentation of AI regulations and frameworks in their document. They agree to replace a section on US regulations with a broader category of emerging global and state-level AI laws. Alex suggests adding more information about the NIST AI Risk Management Framework and other relevant frameworks. Vashti proposes creating a table to present AI-specific frameworks, with columns for the framework name and a brief description. They both agree this would be a beneficial addition, making the information more accessible and easier to update in future versions of the publication.

    Project Progress and Publication Timeline:

    • Alex discusses the progress on a project, mentioning that while it's not perfect, they are making incremental improvements. He plans to clean up the work and get it ready for review by other groups. Vashti reminds Alex of an upcoming target publication date, which is only a couple of weeks away. Alex acknowledges this and suggests that even if they don't meet the exact date, publishing within a few weeks of it would be good. He also mentions that there are similar projects in the works, such as AICM mapping to NIST standards, and that their work could be considered an overview with these other projects as subcategories.

    Document Review and Integration Discussion:

    • Alex and Vashti discuss the ongoing document review process. Alex plans to continue working on the document and welcomes Vashti's input through comments to avoid formatting issues. They review the privacy-enhancing technologies section and consider adding references to specific CSA groups. The conversation then shifts to case studies at the end of the document, with both agreeing on their value. They discuss potential ways to integrate or reference these case studies within the main text to ensure coherence and completeness.

    Document Content Organization Strategy:

    • Alex and Vashti discuss organizing and improving the content of a document. They agree to sort case studies chronologically, with the most recent (2025) appearing first to emphasize relevance. They plan to review and fill in gaps in various sections, including frameworks and specific security standards. Alex notes the need to clean up duplicate content and ensure consistent depth across entries. They also consider adding more content to explain how certain principles apply in practice.

    Document Review and Collaboration Planning:

    • Alex and Vashti review and refine the structure of a document, discussing the inclusion of sections on ethical considerations and future trends. They decide to reach out to Rocco for a review and consider involving Michael Rosa for his expertise in cybersecurity and AI. The meeting concludes with plans to share the updated document with others and potentially re-engage previous participants as the paper progresses.


    ------------------------------
    Alex Kaluza
    Research Analyst
    Cloud Security Alliance
    ------------------------------