Security management: Implementing cybersecurity controls

About this sub-guideline

This sub-guideline is part of the guideline Security management. Refer to the main guideline for context and an overview.

Types of cybersecurity controls

Based on the main security frameworks, parliaments should gradually implement controls in the following four areas, according to their specific structure, needs and threat risks:

  • Technical controls
  • Organizational controls
  • Human controls
  • Physical controls

Together, measures across these four areas – which are discussed in turn below – enable parliaments to enhance the protection of their AI systems.

Technical controls

Technical controls are measures and processes designed to protect AI systems, data and algorithms from unauthorized access, tampering and exploitation.

Network security

  • Use firewalls to segment the network into different zones based on security requirements, implementing strict access controls between zones.
  • Consider deploying intrusion prevention systems (IPS) to detect and block malicious activities in real time.
  • Ensure that all communication channels – including data transfers, model updates and application programming interface (API) calls – are encrypted in order to protect data in transit.
  • Use robust encryption protocols such as transport layer security (TLS) and secure sockets layer (SSL).
  • Use virtual private networks (VPNs) to secure remote access to AI systems and data.

System security

  • Regularly update and patch all software, operating systems and AI algorithms to protect against known vulnerabilities.
  • Test patches in a controlled environment before deploying them to production systems, to ensure they do not introduce new vulnerabilities or cause system instability.
  • Deploy robust and regularly updated antivirus and anti-malware solutions on all endpoints, including servers, workstations and mobile devices.
  • Enable real-time protection features to detect and block malware and other threats as they occur.

Data security

  • Make sure training data sets are reliable and keep these data sets secure, as they are one of the most important assets of the AI system.
  • Use data from reliable and verified sources to ensure the authenticity and accuracy of the information.
  • If using third-party data, ensure that the data provider has undergone rigorous security audits.
  • Remove personally identifiable information from data sets to ensure privacy.
  • If this is not possible, replace sensitive data with pseudonyms that can be traced back to the original data only through secure means.
  • Encrypt data stored in databases, and in cloud-storage and backup systems, using strong encryption algorithms.
  • Use encryption protocols such as TLS or SSL to protect data when it is transmitted between systems or users.
  • Pre-process the data to apply sanitization using a variety of methods such as data anonymization, pseudonymization and data masking (for further discussion of this subject, see the guideline Data management).
  • Where necessary, establish data-sharing agreements and protocols with trusted partners (such as other parliaments) to ensure the integrity and security of shared data sets, and use secure communication channels when sharing data or collaborating with external parties.
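
The pseudonymization step described above can be illustrated as follows. This is an added example, not part of the original guideline: the field names, the sample records and the `Pseudonymizer` class are assumptions made for illustration. It replaces personal fields with keyed pseudonyms and keeps the only route back to the original values in a separate lookup that must be stored and access-controlled apart from the data set.

```python
import hashlib
import hmac
import secrets

PII_FIELDS = ("name", "email")  # assumed field names for this example

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Ana Example", "email": "ana@example.org", "text": "Question on bill 12"},
    {"name": "Ana Example", "email": " ANA@example.org", "text": "Follow-up question"},
]


class Pseudonymizer:
    """Replace PII with keyed pseudonyms; keep the way back in a separate vault."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a random key of at least 32 bytes")
        self._key = key
        # pseudonym -> original value. Store this apart from the data set,
        # under stricter access control, or not at all if re-identification
        # is never needed.
        self.vault = {}

    def pseudonym(self, field: str, value: str) -> str:
        # A keyed HMAC, unlike a plain hash, cannot be reversed by hashing
        # a list of guessed names or e-mail addresses without the key.
        normalized = value.strip().lower()
        message = f"{field}\x00{normalized}".encode("utf-8")
        digest = hmac.new(self._key, message, hashlib.sha256).hexdigest()
        token = f"{field}_{digest[:32]}"
        self.vault.setdefault(token, value)  # keep the first spelling seen
        return token

    def transform(self, record: dict) -> dict:
        out = dict(record)
        for field in PII_FIELDS:
            if out.get(field):
                out[field] = self.pseudonym(field, out[field])
        return out

    def reidentify(self, token: str) -> str:
        return self.vault[token]


if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))
    for rec in SAMPLE_RECORDS:
        print(p.transform(rec))
```

Only the structured fields listed in `PII_FIELDS` are covered; free-text fields can still contain names and need separate masking.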

Application security

  • Implement systems development best practices to resolve known vulnerabilities and be ready for unknown ones (for further discussion of this subject, see the guideline Systems development).

 

Organizational controls

Organizational controls focus on internal policies, procedures and practices.

Security policy development

  • Develop and implement security policies covering data protection, user behaviour, system access and incident response (for further discussion of this subject, see the guideline Systems development).

Security risk management

  • Assess the inherent risks involved in all projects in order to maximize the chances of success (for further discussion of this subject, see the guideline Risk management).

Incident response

  • Establish well-defined procedures at a time when the system is not under any real threat. That way, the team can think, discuss and come up with a response plan that is not rushed by the imminent danger.

Human controls

Humans are one of the weakest links in the chain of an AI system, or indeed of any system. Human controls focus on managing this risk through a range of different measures and procedures.

Training and awareness

  • Provide security training to the AI team, and ensure that security practices are applied in all stages of the AI system development process within the organization (for further discussion of this subject, refer to the guideline Training for data literacy and AI literacy).

Access management

  • Develop a strict role-based access model, implementing the principle of least privilege (PoLP) in order to minimize the risk of unauthorized access and data breaches.

Accountability

  • Monitor security incidents and suspicious activities, and implement clear channels for reporting such incidents and activities (for further discussion of this subject, see the guidelines Ethical principles and Systems development).

Physical controls

Physical controls focus on protecting physical assets and infrastructure that support AI systems from unauthorized access, damage or interference.

Facility security

  • Ensure that only authorized people have physical access to the AI system.
  • Implement at least two ways to allow access to the computer room, and apply proper visitor management to sensitive areas.

Environmental controls

  • Ensure that facilities hosting IT hardware and staff are protected against fire.
  • Install fire detection systems and have an evacuation plan in place.
  • If possible, use a climate control system to keep all computers at appropriate temperature and humidity levels.

The Guidelines for AI in parliaments are published by the IPU in collaboration with the Parliamentary Data Science Hub in the IPU’s Centre for Innovation in Parliament. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International licence. It may be freely shared and reused with acknowledgement of the IPU. For more information about the IPU’s work on artificial intelligence, please visit www.ipu.org/AI or contact [email protected].