Data Security Working Group Meeting - 6/6/24
Data security within an AI Environment, Development - 6/15
Meeting Summary
The team discussed Rocco's work on the SOC 2 compliance report and the importance of data security in AI environments, with a focus on the recent major breach at AT&T and its implications. They also reviewed a survey on their company's security measures, discussed updates on a paper project, and planned the development of a document addressing data security risks specific to AI. Lastly, they deliberated on the connection of their current project to the CCM framework and the premature integration of AI into production systems.
SOC 2 Compliance Report
Alex, Rocco, and Gopi discussed the ongoing work Rocco was doing on the SOC 2 compliance report, a task that involves gathering evidence for the past six months. Rocco highlighted the constant audit process they undergo due to client requirements, even after obtaining proper certifications, and Gopi added that his experience in the healthcare sector, dealing with companies like Johnson and Johnson, Merrick, Picard, and Moderna, has taught him about different and sometimes more rigorous security standards. The group also touched on the significance of their work in managing assets and protecting information for their clients.
AI Security and Upcoming Summit Sessions
Alex discussed the importance of data security in AI environments and recommended a Generative AI and data resiliency in financial services sessions from the ongoing CSA Virtual Trust Summit for the team. The session, titled "5 ways cyber security leaders can leverage Gen. AI in 2024," was agreed upon by Gopi and Lazarus due to its relevance to their work. Additionally, a link was shared by Alex leading to a potential sign-up process for an event related to cyber resilience. Lastly, Alex briefly mentioned an AI-focused event scheduled for September, Sectember.ai.
Discussing Major Breaches and Cybersecurity Reputation
Rocco, Alex, and Gopi discussed the recent major breach at AT&T and its implications. Rocco questioned how companies could effectively preach cybersecurity after experiencing such breaches and highlighted the challenge of identifying the root cause when multiple departments are involved. Gopi suggested that large companies with a history of breaches should consider rebranding their cybersecurity divisions to improve their reputation. The conversation also touched on the effectiveness of remediation efforts following a breach, with each company preparing for potential future breaches.
Business Model, Security, and AI Considerations
The team discussed various aspects of their business model, focusing on the cost center for security and the potential for breaches and ransomware. They also reviewed recent document Information Technology Governance, Risk, and Compliance in Healthcare v2 from the Health Information Management group, emphasizing the importance of AI considerations in healthcare. Lastly, they discussed the release of new implementation guidelines for securing the cloud with a shared responsibility model, highlighting the importance of understanding and managing data security liability, even when outsourcing to third parties.
Survey Updates and Follow-Up Discussion
Alex, Rocco, and Gopi discussed updates related to a survey they had recently completed. The survey, which was based on the CSA guidelines, aimed to ensure their company's security measures were up to par. Rocco mentioned that this year's survey was a carbon copy of last year's but assured that next year's would be different and would require an updated CAIQ. The team also discussed an upcoming interview phase as part of the survey follow-up, with Gopi and Onyeka agreeing to be interviewed. Alex also shared that the data from the survey would be used to create a report, which would be viewable on their Circle page.
Paper Project Progress and Refinements
Alex led the discussion on the progress of a paper project, highlighting the current status of country participation and indicating that more detailed work was underway. The team discussed potential refinements for the project's naming conventions, and Alex provided an initial outline to guide the work. Lazarus volunteered to take on a specific section of the project. There was also a brief exchange regarding the location of certain project documents, which Alex agreed to label more clearly for easier access.
AI Data Security Risks Document Development
Gopi presented a plan to develop a document addressing data security risks specific to AI. The plan involved three main sections: inherent risks, risks learned from a major system attack, and a summary. Gopi also expressed a desire to incorporate content from other team members, particularly those with local regulatory requirements expertise. Additionally, Alex suggested that the team could reference regulatory frameworks from various regions, such as NIST, GDPR, and specific regulations from Japan and France. The team agreed to begin filling in the gaps and assessing the need for additional sections as Gopi progresses.
Compliance Frameworks and CSA Sector Agenda
The team deliberated on the necessity of including specific compliance frameworks in their paper, with Rocco and Gopi emphasizing the need for ISO 27001 and SOC 2. They also decided to include healthcare-specific details in their paper. Additionally, plans for the CSA sector agenda were discussed, with Gopi confirming the session duration and Alex ensuring there would be no issues with the CSA's September team's involvement. Gopi's strategy of adding content for the team to review was also discussed, with Alex expressing his intention to use this strategy for future meetings and reviews.
CSA CCM Framework and AI Integration
Gopi, Rocco, and Alex discussed the connection of their current project to the Compliance, Audit and Control (CSA CCM) framework and the need for a documentation section outlining this relationship. Gopi suggested adding a section about CSA CCM controls before the conclusion of the document. Rocco raised a concern about the rapidly evolving use of AI in threat detection and suggested including real use cases and who is currently using AI for this purpose. Alex agreed to include these suggestions and emphasized the need to provide context on the technology and tools addressing current regulatory requirements.
Concerns Over AI Integration and Security
Rocco voiced his concerns about the premature integration of AI into production systems due to potential security risks and the lack of proper vetting. He underscored the need to safeguard the result sets of AI analysis and noted that current AI models do not prioritize security, instead only protecting the AI system and external intruders. Rocco and Alex explored the challenges in implementing effective security measures and agreed that the current approach of vendor management and making exceptions is not sustainable. Rocco advocated for a Zero Trust approach and highlighted the high turnover rate among Chief Security Officers due to the complexity of the job. The conversation ended with a reminder by Alex about the availability of on-demand recordings of previous sessions, including a discussion on data resiliency in financial services.
------------------------------
Alex Kaluza
Research Analyst
Cloud Security Alliance
------------------------------