Artificial Intelligence, Intelligence
• What is and is not AI?
• What uses does AI have?
• Organizational AI security risks
• Explore the 4 C’s
• ISO Roles and Responsibilities
• WIIFM: AI as a tool for the ISO
• Examples of AI use as a tool
• Plan, Do, Check, Act (PDCA) for adopting AI
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
• AI is
o A complex information system that consumes enormous amounts of data so it can
perform cognitive-like functions.
o No better than the data
o Helpful
• AI is not
o Intelligence
o Automation
o Infallible
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
• AI – Artificial Intelligence
o Simulates human decision making, not thinking.
• ML – Machine Learning
o Machines learning from AI data, not you.
• Gen AI - Generative AI
o Algorithm that can create something new.
Text, 3D renderings, music, code, video, or
more data.
What uses does AI have?
WHAT IS BEING DONE WITH AI
WHAT IS THE BUSINESS DOING WITH AI (today)?
• Human resources (Candidate selection, staffing and planning, training, and more.)
• Finance
• Other area (driving cars, making sales, analyzing trends, and more.)
• Identifying risk
AI RISKS
• “AI is not infallible”
• Inaccurate information or flawed analysis
• Incorrect or Improper use of AI
• Data leakage
• Intelligent and Advanced Threats
• Inconsistencies
“One of the main cyber-risks is to think they don’t exist. The other is to try and treat all potential risks.”
- Stephane Nappo
ISO Roles and Responsibilities
The Information Security Officer’s Role
INFORMATION SECURITY OFFICER
AI as an ISO Tool (WIIFM)
• Write code
• Predict vulnerabilities
“People will soon get tired of staring
at a plywood box every night. TV is a
passing fad.”
- Daryl Zanuck (1946)
Executive Producer at 20th Century Fox
The 4 C’s
The 4 Considerations for Organizational AI Programs
THE 4 C’s
Culture
Contracts
Competence
Compliance
cul-ture (noun)
The customs, arts, social institutions, and
achievements of a particular nation, people, or
other social group.
CULTURE
The ethos of your organization.
CONTRACTS (& AGREEMENTS)
Organizational covenants and commitments.
1. Pre-Contract Diligence
2. Inputs
3. Outputs
4. Compliance with Law
5. Risk Allocation
“Read your contracts. Up and down, left and right.”
- Lauren Jaurequi
COMPETENCE (& CONFIDENCE)
Organizational proficiency and mastery.
COMPLIANCE
Organizational adherence and observance of rules.
COMPLIANCE CONT.
Other requirements and guidance.
• NIST
o Artificial Intelligence Risk Management Framework
• ISO
o Standard for AI Model Management (IEEE 2941-2021)
• New York
o Local Law 144
• California
o Automated decision rulemaking by CPPA
“Cellular phones will absolutely not
replace local wire systems.”
- Martin Cooper (1981)
Motorola Researcher and Executive
ISO Roles and Responsibilities
The Information Security Officer’s Role with
Organizational AI
THE INFORMATION SECURITY OFFICER’S ROLE w/ AI
ISO ROLE & RESPONSIBILITY: CULTURE (AI)
ISO ROLE & RESPONSIBILITY: CONTRACTS (AI)
• Paraphrase selections
• Ensure
• Review
o Contracts
o Agreements
o SOWs
o Work Plans
o Project Plans
o MSAs
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.1)
Paraphrasing with ChatGPT4
“ You may install and use the Software on a single computer; OR install and store
the Software on a storage device, such as a network server, used only to install the
Software on your other computers over an internal network, provided you have a
license for each separate computer on which the Software is installed and run.
A license for the Software may not be shared, installed or used concurrently on
different computers. "
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.1 cont.)
Paraphrasing with ChatGPT4
For every computer you want to use this software on, you need a separate
permission (called a license).
You can't use the same permission to put the software on multiple computers at
the same time.
In essence, one license means you can use it on one computer. If you want to use it
on another computer, you need another license.
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.2)
Clarification with ChatGPT4
Rewrite this policy and use words other than the words computer and software because
some people may misconstrue what a computer or software truly is. “[insert same text]”
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.2 cont.)
Clarification with ChatGPT4
For every device you want to use this program on, you need distinct approval or a
separate authorization (called a license).
You can't use the same authorization to install the program on multiple devices
simultaneously.
In essence, one license allows you to use the program on one device. If you want
to use it on another device, you need another license.
ISO RESPONSIBILITY: IDENTIFY KEY CONDITIONS
Review of GoDaddy AI Terms of Use
https://www.godaddy.com/legal/agreements/ai-terms-of-use
ISO RESPONSIBILITY: IDENTIFY KEY CONDITIONS
Review of GoDaddy AI Terms of Use
• Usage Requirements: You must follow the Universal Terms of Service and the General Rules of
Conduct.
• Misuse Prohibitions: You can't use the AI Services for illegal activities, promoting harm or violence,
spamming, violating intellectual property or privacy rights, among others.
• Misrepresentation: The use of AI Services should not involve deceptive language or claims about
GoDaddy or its services.
• AI Outputs' Integrity: GoDaddy hasn't verified the outputs of the AI Services for their accuracy,
neutrality, clarity, or intellectual property clearance.
• No Guarantees: GoDaddy doesn't guarantee the AI Services' outputs' accuracy, reliability, or
error-free nature.
• Advice: It's suggested you seek independent legal advice before relying on AI-generated outputs.
• No Liability: GoDaddy won't be responsible for any kind of damages, including those from AI
Services' outputs.
• Max Liability: If GoDaddy were ever to be found responsible, the most they'd pay is $10,000.
• Longevity: These liability rules will continue to apply even if this agreement ends or if you stop using
their website or services.
In essence, GoDaddy is outlining rules for how to use their AI Services, stating they can't
guarantee the AI's outputs, and clarifying they're not liable for any potential damages from
using their services.
ISO RESPONSIBILITY: WRITING POLICY STATEMENTS
Input
“Our company employees are not to download attachments from emails sent by
external parties and from origins unknown when they cannot verify the source
or trust the source of origin of the email. Also they should not forward any
suspicious emails to anyone else whether that person is inside of our
organization or outside of our organizations. Our employees should also not
send any emails to anyone harassing, mocking, or insulting anyone even if it is
meant to be a joke. Our employees must not send any attachments or
information to anyone outside of our organization unless they have explicit
permission to send the information to that person or group.”
ISO RESPONSIBILITY: WRITING POLICY STATEMENTS
Results
1. Email Attachments: Employees are prohibited from downloading attachments from emails
that originate from external parties or unknown sources, unless the source of the email can
be verified and is deemed trustworthy.
2. Suspicious Emails: Employees must not forward suspicious emails to any individual,
regardless of whether the recipient is within or outside of our organization.
4. Sending External Attachments and Information: Employees are not permitted to send
attachments or any confidential information to individuals outside our organization unless
they have received explicit authorization to do so.
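The “Results” slide above is a good illustration of the deck’s “AI is not infallible” point: the model renumbered the list 1, 2, 4 and silently dropped the harassment requirement from the input. The following is an added example, not part of the original deck, showing the kind of mechanical check an ISO can run before a model-rewritten policy goes out: parse the generated numbered list, flag numbering gaps, and flag any source requirement whose anchor terms never appear together in a single output item. The requirement labels, anchor terms and the sample output string are constructed here to mirror the slide; they are not output from any tool named on the page.

```python
import re
from typing import Dict, List, Sequence, Union

# An anchor is either one term stem, or a tuple of alternatives of which at
# least one must appear (this tolerates synonyms such as
# "permission" -> "authorization" that a rewrite may legitimately introduce).
Anchor = Union[str, Sequence[str]]

# Constructed: the four requirements in the deck's source policy text, each
# with the terms a faithful restatement should preserve. Assumed labels.
REQUIREMENTS: Dict[str, List[Anchor]] = {
    "no attachments from unverified external senders": ["download", "attachment"],
    "no forwarding of suspicious emails": ["forward", "suspicious"],
    "no harassing, mocking or insulting emails": [("harass", "mock", "insult")],
    "no external sending without permission": ["outside", ("permission", "authoriz")],
}

# Constructed sample output mirroring the deck's "Results" slide: item 3 is
# missing and the harassment requirement was dropped.
GENERATED_OUTPUT = """\
1.Email Attachments: Employees are prohibited from downloading attachments from emails
that originate from external parties or unknown sources, unless the source of the email can
be verified and is deemed trustworthy.
2.Suspicious Emails: Employees must not forward suspicious emails to any individual,
regardless of whether the recipient is within or outside of our organization.
4.Sending External Attachments and Information: Employees are not permitted to send
attachments or any confidential information to individuals outside our organization unless
they have received explicit authorization to do so.
"""

ITEM_RE = re.compile(r"^\s*(\d+)\.\s*(.*)$")


def parse_numbered_items(text: str) -> Dict[int, str]:
    """Split a numbered list into {number: item text}, joining wrapped lines."""
    items: Dict[int, str] = {}
    current = None
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            current = int(m.group(1))
            items[current] = m.group(2).strip()
        elif current is not None and line.strip():
            items[current] += " " + line.strip()
    return items


def numbering_gaps(items: Dict[int, str]) -> List[int]:
    """Numbers missing between the first and last item, e.g. 1,2,4 -> [3]."""
    if not items:
        return []
    return [n for n in range(min(items), max(items) + 1) if n not in items]


def _anchor_present(anchor: Anchor, text: str) -> bool:
    alternatives = (anchor,) if isinstance(anchor, str) else tuple(anchor)
    return any(alt in text for alt in alternatives)


def uncovered_requirements(items: Dict[int, str],
                           requirements: Dict[str, List[Anchor]] = REQUIREMENTS) -> List[str]:
    """Requirement labels for which no single output item contains every anchor."""
    lowered = [t.lower() for t in items.values()]
    missing: List[str] = []
    for label, anchors in requirements.items():
        if not any(all(_anchor_present(a, t) for a in anchors) for t in lowered):
            missing.append(label)
    return missing


def review(text: str) -> Dict[str, object]:
    """Summarise what a reviewer should look at before accepting the rewrite."""
    items = parse_numbered_items(text)
    return {
        "item_count": len(items),
        "numbering_gaps": numbering_gaps(items),
        "uncovered": uncovered_requirements(items),
    }


if __name__ == "__main__":
    print(review(GENERATED_OUTPUT))
```

The anchor-term approach is deliberately crude: it cannot judge whether a restatement changed the meaning of a requirement, only whether the requirement vanished entirely, so a hit from this check sends the text back to a human reader rather than replacing that review.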
ISO ROLE & RESPONSIBILITY: COMPETENCE
• Analysis – Continue to understand how employees are using AI and how AI is evolving.
• Consider:
o AI Tool Selection
o AI Training Data Source
o End User’s Knowledge
o Use of Output
ISO ROLE & RESPONSIBILITY: COMPLIANCE
• Organizational requirements
• Acceptable Use
REMEMBER THIS!
AI is still evolving
Develop a plan
Plan – Do – Check – Act
Deming circle
Plan – Do – Check – Act
Plan
• Decide how to approach AI in your organization
• Learn how the business plans to leverage AI
• Conduct an AI RA
• Decide what controls are needed
• Determine what ISO continual AI support for the business looks like
• Review/Write requirements
Do
• Implement AI policies
• Set AI related standards
• Train users
Check
• Review how the internal business is using AI
• Review how the vendors are using AI
Act
• Update the policy
• Revise and/or strengthen controls
QUESTIONS?
THANK YOU FOR ATTENDING