Establish and maintain technical documentation.

CONTROL ID
15005
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Systems design, build, and implementation, CC ID: 00989

This Control has the following implementation support Control(s):
  • Retain technical documentation on the premises where the artificial intelligence system is located., CC ID: 15104
  • Include all required information in the technical documentation., CC ID: 15094
  • Include information that demonstrates compliance with requirements in the technical documentation., CC ID: 15088


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • It is necessary to formulate plans for the planning, development, and operation of the system (hereinafter referred to as the "medium- to long-term system plan") with a medium- to long-term perspective, considering the fact that system development requires considerable management resources and time. (C2.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When cryptographic keys need to be stored after their expiration, it is necessary to define the procedures for storage and to keep storage management documentation under the strict control of officers. (P30.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A secure record is maintained for the life of each system covering: (Security Control: 0407; Revision: 4, Australian Government Information Security Manual, March 2021)
  • draw-up the technical documentation of the high-risk AI system; (Article 16 ¶ 1(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Providers of high-risk AI systems shall draw up the technical documentation referred to in Article 11 in accordance with Annex IV. (Article 18 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the provider has drawn up the technical documentation in accordance with Annex IV; (Article 26 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up to date. (Article 11 1. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • During failures or security incidents it must be possible to restore the desired target status of the business processes and the related IT. Technical details and workflows must therefore be documented in such a way that this can be achieved within a reasonable amount of time. (§ 4.2 Bullet 4(1) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Here, the current state of business processes and the correspondingly connected IT systems and applications is described. Often, the level of detail of technical documentations is an issue of dispute. A more practical approach is that other persons with comparable expertise in such area must be able… (§ 5.2.2 ¶ 2 Bullet 2 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Upon completion of a change, all relevant PCI DSS requirements must be verified on all new or changed systems and networks, and documentation must be updated as applicable. Examples of PCI DSS requirements that should be verified include, but are not limited to: (A3.2.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Intended purposes, potentially beneficial uses, context-specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood and documented. Considerations include: the specific set or types of users along with their expectations; potential positive … (MAP 1.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)