Data Protection by Design and Default

[All Actors]
1. Apply security controls (encryption, RBAC, logging, vulnerability patching) to every hop identified in the data-flow map for components the actor operates.

2. Verify that protections remain effective after system changes (e.g., new API, new storage location).

3. Document residual risks and mitigation plans.

[Shared among: MP, OSP, CSP]
1. Encrypt training data at rest, restrict access to authorised service roles, and monitor for anomalous reads/writes in training pipelines.

1. Examine whether the CSP’s policy, standards, and procedures create a framework that fosters a culture and expectation of data protection by design and default.

2. Establish whether the CSP has documented the roles and responsibilities involved.

3. Review the CSP’s data breaches log, security incidents log, and project change failure records for examples of this requirement not being followed correctly. Further, confirm that action plans were identified and carried out.

4. Verify that security controls are embedded at every stage of the system development lifecycle.

5. Verify the effectiveness of technical measures such as secure coding practices, encryption, and access controls.

6. Verify that regular assessments and audits are conducted to evaluate the effectiveness of security measures and identify potential risks.

7. Verify that all processes, procedures, and technical measures related to security by design are thoroughly documented and regularly updated to reflect changes in industry best practices and regulations

8. Examine the CSP's policy, standards, and procedures, and determine if third-party data protection practices are considered.

9. Examine system design documentation to verify that security requirements were incorporated during the infrastructure design phase rather than added later, with particular focus on AI-specific processing requirements.

10. Verify that the infrastructure implements a defense-in-depth strategy with multiple security layers, including network segmentation, access controls, encryption, monitoring, and physical security appropriate for AI workloads.

11. Review the secure configuration baseline for infrastructure components, confirming it aligns with industry standards (e.g., CIS benchmarks, NIST guidelines) and is implemented by default across the environment.

12. Assess the infrastructure design review process, verifying that security assessments are conducted during design phases and that findings are addressed before deployment.

13. Evaluate how security considerations for high-performance computing environments typical in AI workloads are balanced with protection requirements without compromising either.

14. Verify that infrastructure monitoring capabilities are designed to detect security events specific to AI operations, including unusual data access patterns or resource utilization.