AI Secure by Design

AI-Tasks.de - your source of information for AI news

Information regarding the Secure by Design principles for the field of AI can be found here: https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development

The linked document provides comprehensive guidelines for providers of AI systems, aimed at large organizations, cyber security professionals, small and medium-sized organizations, and the public sector. It emphasizes the importance of developing AI systems securely and responsibly so that their full potential and societal benefits can be realized.

The guidelines address security vulnerabilities that are unique to AI systems, urging that security be a primary consideration throughout the system’s life cycle rather than only during development. To mitigate risks, the document outlines four key areas of the AI system development life cycle: secure design, secure development, secure deployment, and secure operation and maintenance.

  1. Secure Design: This section focuses on understanding risks, threat modeling, and system and model design considerations. It emphasizes assessing risks and making informed trade-offs during the design stage.
  2. Secure Development: Guidelines here cover supply chain security, comprehensive documentation, and managing assets and technical debt. This stage emphasizes maintaining security integrity during the development process.
  3. Secure Deployment: This section involves guidelines for protecting infrastructure and models from threats, developing incident management processes, and ensuring responsible release. It stresses the importance of safeguarding the deployment stage against compromises and losses.
  4. Secure Operation and Maintenance: Focusing on post-deployment, this section provides guidance on logging and monitoring, update management, and information sharing. It highlights the importance of continuous vigilance in system operation.

The guidelines advocate a ‘secure by default’ approach, aligning with practices from the NCSC’s Secure development and deployment guidance, NIST’s Secure Software Development Framework, and CISA’s secure by design principles. They prioritize security ownership, transparency, accountability, and organizational leadership in embedding security as a top business priority.
