Data Location

[Applicable to all providers]
1. Maintain list of all data assets, their owners, sensitivity, origin, and processing methods.

2. Create data flow diagrams (DFDs) to identify data sources, destinations, and storage points, and document the flow to trace data from origin to final destination.

3. Identify physical and logical data repositories,  AI models,  APIs, and data backups in DFDs and data maps, and use these maps and flow diagrams to identify potential security risks and exposure areas.

4. Determine where data will be stored (on-premises, cloud regions, or countries), who is processing it and ensure it is confined to specific geographic areas as required. Establish measures to limit data storage and processing to specific geographic areas.

5. Implement access controls to restrict data access based on user roles, permissions, and security policies.

6. Secure data at rest, in transit, and in use with encryption techniques.

7. Implement measures to mask and anonymize data to prevent data loss.

8. Establish backup and recovery processes are implemented to restore data in case of loss or system failures. 

9. Define data retention policies for how long data should be stored and when to securely dispose of it.

10. Establish a process for customers to specify where their data will be stored and notify them if data is replicated outside that area.

1. Verify that infrastructure policies and documentation cover the physical storage locations of AI workloads and associated data, and enforce ethical use standards for AI data processing and storage.

2. Verify documented roles and responsibilities related to managing AI system infrastructure, including physical storage governance.

3. Verify that policies cover jurisdictional restrictions and guidelines for data storage and processing on the infrastructure layer.

4. Verify that the organization maintains source(s) of record for all physical storage locations supporting AI workloads, with clear data lineage.

5. Verify accuracy and completeness of physical storage records as maintained and reported by infrastructure systems.

6. Verify that obligations of both the infrastructure provider and its suppliers regarding AI system storage and processing are documented.

7. Verify that AI infrastructure components used in data storage and processing meet organizational policy and ethical standards.

8. Verify procedures for continuous monitoring and auditing of AI storage systems to ensure compliance with ethical standards and regulations.

9. Verify that infrastructure risk management strategies include measures to mitigate bias and ensure transparency in AI system storage and processing.

10. Verify documented incident handling procedures for AI infrastructure-related data storage events, including reporting and remediation.