| ID | Control | Test procedure | Expected result | Evidence | References |
|---|---|---|---|---|---|
| DATA-01 | **Training Data Governance:** Ensure that training data is sourced, stored, and managed in accordance with privacy and quality standards. | 1. Review data sourcing and consent documentation.<br>2. Assess data storage security controls (encryption, access controls).<br>3. Verify that data quality and bias assessments are performed. | - Data is obtained with proper consent and documentation.<br>- Storage is encrypted and access-controlled.<br>- Regular bias and quality checks are performed. | - Data governance policies<br>- Data source agreements and consent forms<br>- Audit reports on data quality and bias mitigation | NIST SP 800-53 (SC-13), ISO/IEC 27001, GDPR guidelines (if applicable) |
| DATA-02 | **RAG Data Management:** Validate processes for managing data for retrieval-augmented generation (RAG), including index updates and access controls. | 1. Review RAG architecture and indexing process documentation.<br>2. Verify that data updates are tracked and secured.<br>3. Check that retrieval queries are logged and monitored. | - RAG data is securely managed and updated.<br>- Retrieval operations are logged for audit purposes.<br>- Access to RAG systems is restricted. | - Architectural and process documentation<br>- Logs from the RAG system<br>- Access control records | NIST SP 800-53 (AU-2), OWASP ASVS |
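The three DATA-02 test steps (tracked index updates, logged retrieval queries, restricted access) map onto concrete code. The following is an added illustration, not code from the checklist or from any particular RAG product: a minimal in-memory index wrapper with a hash-chained update trail that an auditor can re-verify, a per-role collection allow-list checked before every retrieval, and a query log that records the query hash rather than the raw text. The `RagIndex` class, the role names, the ACL and the documents are all constructed for the example.

```python
"""Added example: DATA-02 control points (update tracking, access control,
retrieval logging) implemented in a small RAG index wrapper. All names and
sample data are constructed; nothing here comes from a real RAG system."""
import hashlib
import json
import time
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first update-log entry


def _sha256(obj) -> str:
    """Stable digest of a JSON-serialisable object (sorted keys)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class RagIndex:
    acl: dict                                       # role -> set of collections it may query
    docs: dict = field(default_factory=dict)        # collection -> {doc_id: text}
    update_log: list = field(default_factory=list)  # tamper-evident record of index changes
    query_log: list = field(default_factory=list)   # audit record of every retrieval
    _prev_hash: str = GENESIS

    def update(self, actor: str, collection: str, doc_id: str, text: str) -> str:
        """Apply a document change and append a chained entry (who, what, resulting index hash)."""
        self.docs.setdefault(collection, {})[doc_id] = text
        entry = {
            "ts": time.time(),
            "actor": actor,
            "collection": collection,
            "doc_id": doc_id,
            "index_hash": _sha256(self.docs[collection]),
            "prev": self._prev_hash,
        }
        entry["entry_hash"] = _sha256(entry)
        self._prev_hash = entry["entry_hash"]
        self.update_log.append(entry)
        return entry["entry_hash"]

    def verify_update_log(self) -> bool:
        """Re-derive the hash chain; an edited, reordered or removed entry breaks it."""
        prev = GENESIS
        for entry in self.update_log:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if _sha256(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def retrieve(self, actor: str, role: str, collection: str, query: str, k: int = 3) -> dict:
        """Enforce the role allow-list, then log the request (query hashed, not verbatim)
        together with the document ids that were returned."""
        allowed = collection in self.acl.get(role, set())
        hits = []
        if allowed:
            terms = set(query.lower().split())
            scored = [(len(terms & set(text.lower().split())), doc_id)
                      for doc_id, text in self.docs.get(collection, {}).items()]
            hits = [doc_id for score, doc_id in sorted(scored, key=lambda s: (-s[0], s[1]))
                    if score > 0][:k]
        self.query_log.append({
            "ts": time.time(),
            "actor": actor,
            "role": role,
            "collection": collection,
            "query_sha256": hashlib.sha256(query.encode()).hexdigest(),
            "allowed": allowed,
            "returned": list(hits),
        })
        return {"allowed": allowed, "hits": hits}

    def denied_queries(self) -> list:
        """Monitoring hook: every retrieval attempt that the ACL rejected."""
        return [e for e in self.query_log if not e["allowed"]]


if __name__ == "__main__":
    # Constructed policy: analysts may read the public collection only.
    idx = RagIndex(acl={"analyst": {"public"}, "admin": {"public", "hr"}})
    idx.update("admin", "public", "d1", "incident response playbook")
    idx.update("admin", "hr", "d2", "salary bands by grade")
    print(idx.retrieve("alice", "analyst", "public", "response playbook"))
    print(idx.retrieve("alice", "analyst", "hr", "salary bands"))
    print("update log intact:", idx.verify_update_log())
    print("denied attempts:", len(idx.denied_queries()))
```

An auditor checking DATA-02 would ask for exactly the two artefacts this wrapper produces: `update_log` (who changed the index, when, and the index hash after the change, chained so edits are detectable) and `query_log` (every retrieval, including denied ones, without leaking the query text into the log itself).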