Cyber & IT Supervisory Forum - Additional Resources

GOVERN 6.2

About

To mitigate the potential harms of third-party system failures, organizations may implement policies and procedures that include redundancies for covering third-party functions. Contingency processes are in place to handle failures or incidents in third party data or AI systems deemed to be high-risk.

Suggested Actions

Establish policies for handling third-party system failures to include consideration of redundancy mechanisms for vital third-party AI systems.
Verify that incident response plans address third-party AI systems.

Transparency & Documentation

Organizations can document the following:

To what extent does the plan specifically address risks associated with acquisition, procurement of packaged software from vendors, cybersecurity controls, computational infrastructure, data, data science, deployment mechanics, and system failure?
Did you establish a process for third parties (e.g., suppliers, end users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?
If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?

AI Transparency Resources

GAO-21-519SP: AI Accountability Framework for Federal Agencies & Other Entities.
WEF Model AI Governance Framework Assessment 2020.
WEF Companion to the Model AI Governance Framework - 2020.
AI policies and initiatives, in Artificial Intelligence in Society, OECD, 2019.
