myctrl.tools

E001 AI failure plan for security breaches

Control Description

Document an AI failure plan for AI privacy and security breaches, assigning accountable owners and establishing notification and remediation procedures, with third-party support engaged as needed (e.g. legal, PR, insurers).

Application

Mandatory

Frequency

Every 12 months

Capabilities

Universal

Controls & Evidence (1)

Operational Practices

E001.1
Documentation: AI failure plan for security breaches

Core - This should include:

- Assigning a breach response lead from existing staff. For example, an IT manager, security officer, or designated executive with authority to engage external counsel and specialists as needed.
- Defining breach notification procedures. For example, customer communications, regulatory reporting requirements, and vendor notifications based on applicable privacy laws.
- Implementing security remediation measures. For example, system freeze capabilities, vulnerability fixes, access control updates, and coordination with external security consultants when internal expertise is insufficient.
- Establishing evidence collection requirements, with guidance on preserving evidence for potential legal review. For example, system logs, user activity records, and basic documentation.

Typical evidence: Can be a standalone document or integrated into existing incident response procedures/policies
Location: AI failure plan

Cross-Framework Mappings
