Governance Doc v1.1 update (#284)
* updated with 0.9 version changes

* updated to move the owasp resource images to the front of the owasp section

* updated with 1.0 release info

* 1.0 release

* fixed date typo on changelog

* updated changelog now in the correct pdf filename

* updating with typo and grammar fixes

* v1.1 update

---------

Co-authored-by: Jason Ross <[email protected]>
rossja and Jason Ross authored Apr 10, 2024
1 parent bdb060c commit a7124ef
Showing 8 changed files with 151 additions and 488 deletions.
Binary file not shown.
Expand Up @@ -26,7 +26,7 @@
%%% Project Name
\def\projectName{LLM AI Cybersecurity \& Governance Checklist}
\def\projectSubName{From the OWASP Top 10 \\ for LLM Applications Team}
\def\docVersion{1.0}
\def\docVersion{1.1}

%%% Project Type
\def\projectType{OWASP Project Document}
1 change: 1 addition & 0 deletions llm-top-10-governance-doc/fragments/changelog.tex
Expand Up @@ -9,5 +9,6 @@
\vhEntry{0.5}{2023-12-06}{SD, Team}{public draft}
\vhEntry{0.9}{2023-02-15}{SD, Team}{pre-release draft}
\vhEntry{1.0}{2024-02-19}{SD, Team}{public release v 1.0}
\vhEntry{1.1}{2024-04-10}{SD, Team}{public release v 1.1}
\end{versionhistory}
\end{figure}
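Review bot: the version history in this hunk is out of chronological order: the 0.9 entry is dated 2023-02-15, which falls almost a year before the 0.5 entry (2023-12-06) and the 1.0 entry (2024-02-19), so the date is almost certainly meant to be 2024-02-15. Since this file is being touched anyway, suggest correcting `\vhEntry{0.9}{2023-02-15}{SD, Team}{pre-release draft}` to `\vhEntry{0.9}{2024-02-15}{SD, Team}{pre-release draft}`. The new 1.1 line itself is consistent with the `\docVersion{1.1}` bump in the preamble hunk.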
16 changes: 2 additions & 14 deletions llm-top-10-governance-doc/fragments/resources/owasp.tex
Expand Up @@ -20,14 +20,7 @@

\clearpage
\textbf{OWASP Resources}
Using LLM solutions expands an organization's attack surface and presents new
challenges, requiring special tactics and defenses. It also poses problems that
are similar to known issues, and there are already established cybersecurity
procedures and mitigations. Integrating LLM cybersecurity with an organization's
established cybersecurity controls, processes, and procedures allows an
organization to reduce its vulnerability to threats. How they integrate with
each other is available at the
\href{https://owasp.org/www-project-integration-standards/}{OWASP Integration Standards}.
Using LLM solutions expands an organization\'s attack surface and presents new challenges, requiring special tactics and defenses. It also poses problems that are similar to known issues, and where there are already established cybersecurity procedures and mitigations. Integrating LLM cybersecurity with an organization\'s established cybersecurity controls, processes, and procedures allows an organization to reduce its vulnerability to threats. How they integrate is available at the \href{https://owasp.org/www-project-integration-standards/}{OWASP Integration Standards}.
%%% TABLE FORMATTING
\setlength\LTleft{0pt}
\setlength\LTright{0pt}
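Review bot: the rewritten paragraph introduces `organization\'s` twice, and in LaTeX `\'` is the acute-accent command, so this will typeset as an accented s rather than an apostrophe; the removed lines used the plain `organization's`, which is correct, so drop the backslashes. The phrase "poses problems that are similar to known issues, and where there are already established cybersecurity procedures and mitigations" also reads awkwardly; the earlier "and there are already established cybersecurity procedures and mitigations" was clearer. A style point: collapsing the hard-wrapped paragraph onto one line means any future one-word change will show the whole paragraph as modified, which makes review harder than keeping the wraps.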
Expand All @@ -51,12 +44,7 @@
%%% TABLE DATA GOES HERE
\href{https://owasp.org/www-project-samm/}{OWASP SAMM}&
Software Assurance Maturity Model &
Provides an effective and measurable way to analyze and improve an
organization's secure development lifecycle. SAMM supports the complete
software lifecycle. It is interative and risk-driven, enabling organizations
to identify and prioritize gaps in secure software development so resources
for improving the process can be dedicated where efforts have the greatest
improvement impact. \\
Provides an effective and measurable way to analyze and improve an organization's secure development lifecycle. SAMM supports the complete software lifecycle. It is iterative and risk-driven, enabling organizations to identify and prioritize gaps in secure software development so resources for improving the process can be dedicated where efforts have the greatest improvement impact. \\
\hline
\href{https://owasp.org/www-project-ai-security-and-privacy-guide/}{OWASP AI Security and Privacy Guide} &
OWASP Project with a goal of connecting worldwide for an exchange on AI
367 changes: 89 additions & 278 deletions llm-top-10-governance-doc/sections/checklist.tex
46 changes: 12 additions & 34 deletions llm-top-10-governance-doc/sections/llm-strategy.tex
Expand Up @@ -6,49 +6,27 @@

\headerimage
\chapter{Determining LLM Strategy}
The rapid expansion of Large Language Model (LLM) applications has heightened
the attention and examination of all AI/ML systems used in business operations,
encompassing both Generative AI and long-established Predictive AI/ML systems.
This increased focus exposes potential risks, such as attackers targeting
systems that were previously overlooked and governance or legal challenges that
may have been disregarded in terms of legal, privacy, liability, or warranty
issues. For any organization leveraging AI/ML systems in its operations, it's
critical to assess and establish comprehensive policies, governance, security
protocols, privacy measures, and accountability standards to ensure these
technologies align with business processes securely and ethically.

Attackers, or adversaries, provide the most immediate and harmful threat to
enterprises, people, and government agencies. Their goals, which range from
financial gain to espionage, push them to steal critical information, disrupt
operations, and damage confidence. Furthermore, their ability to harness new
technologies such as AI and machine learning increases the speed and
sophistication of attacks, making it difficult for defenses to stay ahead of
attacks.

The most pressing non-adversary LLM threat for many organizations stem from
"Shadow AI": employees using unapproved online AI tools, unsafe browser
plugins, and third-party applications that introduce LLM features via updates
or upgrades, circumventing standard software approval processes.

\begin{figure}[h]
The rapid expansion of Large Language Model (LLM) applications has heightened the attention and examination of all AI/ML systems used in business operations, encompassing both Generative AI and long-established Predictive AI/ML systems. This increased focus exposes potential risks, such as attackers targeting systems that were previously overlooked and governance or legal challenges that may have been disregarded in terms of legal, privacy, liability, or warranty issues. For any organization leveraging AI/ML systems in its operations, it's critical to assess and establish comprehensive policies, governance, security protocols, privacy measures, and accountability standards to ensure these technologies align with business processes securely and ethically.

Attackers, or adversaries, provide the most immediate and harmful threat to enterprises, people, and government agencies. Their goals, which range from financial gain to espionage, push them to steal critical information, disrupt operations, and damage confidence. Furthermore, their ability to harness new technologies such as AI and machine learning increases the speed and sophistication of attacks, making it difficult for defenses to stay ahead of attacks.

The most pressing non-adversary LLM threat for many organizations stem from "Shadow AI": employees using unapproved online AI tools, unsafe browser plugins, and third-party applications that introduce LLM features via updates or upgrades, circumventing standard software approval processes.

\begin{figure}[ht]
\centering
\includegraphics[width=\textwidth]{ai_deployment_strategy}
\caption{Image of options for deployment strategy}
\caption{Image of options for deployment strategy: credit sdunn}
\label{fig:llm-deployment-strategy}
\end{figure}

\clearpage

\section{Deployment Strategy}
The scopes range from leveraging public consumer applications to training
proprietary models on private data. Factors like use case sensitivity,
capabilities needed, and resources available help determine the right balance
of convenience vs. control. However, understanding these five model types
provides a framework for evaluating options.
The scopes range from leveraging public consumer applications to training proprietary models on private data. Factors like use case sensitivity, capabilities needed, and resources available help determine the right balance of convenience vs. control. However, understanding these five model types provides a framework for evaluating options.

\begin{figure}[h]
\begin{figure}[ht]
\centering
\includegraphics[width=\textwidth]{ai_deployment_types}
\caption{Image of options for deployment types}
\includegraphics[width=\textwidth]{Deployment_3.28.24}
\caption{Image of options for deployment types: credit sdunn}
\label{fig:llm-deployment-types}
\end{figure}
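Review bot: `\includegraphics[width=\textwidth]{Deployment_3.28.24}` uses an image name with embedded periods; graphicx locates the extension by splitting the name at a period, so depending on the graphics bundle version it may look for a file named `Deployment_3` with extension `.28.24` and fail with a file-not-found error. Safer to rename the image to the convention already used in this file (`ai_deployment_types`, matching `ai_deployment_strategy` two figures up) or, at minimum, brace the base name and spell out the real extension, as in `{{Deployment_3.28.24}.<ext>}`. Two smaller points in the same hunk: "The most pressing non-adversary LLM threat for many organizations stem from" has a singular subject and should read "stems from" (this was carried over from the removed lines, but the paragraph is being rewritten here anyway), and the "credit sdunn" attribution appended to both captions would read better as a separate sentence or a footnote. The `[h]` to `[ht]` float placement change is fine.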