Off-Site Transfer Authorization Policy and Procedures
Specification
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually, or upon significant changes.
Threat coverage
Architectural relevance
Lifecycle
Data storage, Resource provisioning
Not applicable
Not applicable
AI Services supply chain, AI applications
Operations, Maintenance
Archiving, Data deletion, Model disposal
Ownership / SSRM
PI
Owned by the Cloud Service Provider (CSP)
The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.
Model
Owned by the Model Provider (MP)
The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.
Orchestrated
Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)
The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Application
Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)
The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Implementation guidelines
Auditing guidelines
1. Examine the organization's policy and procedures related to relocation, transfer or retirement of assets. 2. Determine if policy has been approved, communicated, and reviewed. 3. Determine if the policy requires recorded authorisation of movements.
Standards mappings
42001: A.2.3 Alignment with other organizational policies 42001: A.4.2 Resource Documentation 27001: 5.1 Leadership and Commitment 27001: 5.2 Policy 27001: 7.3 Awareness 27001: 7.4 Communication 27001: 7.5 (7.5.1 to 7.5.3) Documentation Information 27001: 9.1 Monitoring measurement analysis and evaluation 27001: 9.3 Management review 27001: A.5.1 Policies for information security 27001: A.5.4 Management responsibilities 27001: A.5.14 Information transfer 27001: A.5.36 Compliance with policies rules and standards for information security 27001: A.5.37 Documented operating procedures 27001: A.7.8 Equipment siting and protection 27001: A.7.9 Security of assets off-premises 27001: A.7.10 Storage media 27001: A7.13 Equipment maintenance 27001: A7.14 Secure disposal or re-use of equipment 27002: 5.1 Policies for information security 27002: 5.4 Management responsibilities 27002: 5.14 Information transfer 27002: 5.36 Compliance with policies rules and standards for information security 27002: 5.37 Documented operating procedures 27002: 7.8 Equipment siting and protection 27002: 7.9 Security of assets off-premises 27002: 7.10 Storage media 27002: 7.13 Equipment maintenance 27002: 7.14 Secure disposal or re-use of equipment
Addendum
ISO 42001 should specifically require written or cryptographically verifiable authorization for such requests.
No Mapping
Addendum
Mandate that organizations have documented and approved policies and procedures for relocation/transfer of hardware, software, or data to offsite/alternate locations, with verifiable (written or cryptographic) authorization for each relocation/transfer request and regular (at least annual) review and update of these policies and procedures.
No Mapping
Addendum
No controls are established to approve, communicate, apply, evaluate, and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location.
AM-02 AM-04 AM-05
Addendum
N/A
AI-CAIQ questions (3)
Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, maintained?
Are the written or cryptographically verifiable authorization required for relocation or transfer request?
Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually, or upon significant changes?