Data Lifecycle: Risk Considerations and Controls

Posted on 10-May-2015


DESCRIPTION

Presentation delivered on the Data Day organized by ISACA Toronto chapter.

TRANSCRIPT

Data Lifecycle: Risk Considerations and Controls (October 2013)

Data Lifecycle Risk Considerations and Controls

Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

Director Eastern Region

@CarlosChalicoT

#ISACA_DDay

What's in this for you?

By the end of this session you will:

• Understand the concept of data and general considerations regarding its classification.

• Know some of the risks data faces in a data management lifecycle.

• Challenge the relationship between business activities and human behaviour when managing data.

So, what does this mean?

Data

Data (Wikipedia)

Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording.

The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand.


Data

• Values of qualitative or quantitative variables.

• Represented in a structure:

- Tabular.

- Tree.

- Graph.

• Results.

• Lowest level of abstraction for information and knowledge.

• Numbers, words, images, accepted as they stand.

Data

Data + Value = Information → Knowledge → Decision Making → Results (Success or Failure)

Classifying Data

Data is classified along three axes: Process, Sensitivity and IT Infrastructure.

Classifying Data: Process

• Financial

• Commercial

• Strategic

• Operational

• Personal

• Raw

• Unnecessary...

• Combined

Classifying Data: Sensitivity

• Top Secret

• Secret

• Sensitive

• Confidential

• Proprietary

• Public

Classifying Data: process by sensitivity

[Matrix slide: rows are the process categories (Financial, Personal, Commercial, Strategic, Operational, Raw, Combined), columns are the six sensitivity levels (Top Secret, Secret, Sensitive, Confidential, Proprietary, Public). Financial and Operational data appear under all six levels, Strategic under five, Commercial and Combined under three, Personal and Raw under two; the cell-level mapping is not preserved in this transcript.]

Agenda:

- Data - concept

- Data - classification

- Data Lifecycle

Data Lifecycle Risks

Risks arise in each phase of the lifecycle:

• Before

• During

• After

and in each phase can affect each security property:

• Confidentiality

• Integrity

• Availability

Countermeasures

• Information Security Programs:

- COBIT

- ISO27000

- ISO38500

- ITIL

• Specific Controls:

- Data Loss Prevention

- Awareness

- Incident Response Management

• Compliance

Governance layers: Corporate, IT, Data
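The slide lists Data Loss Prevention among the specific controls but does not show how a DLP check decides what a record contains. The following is an added example (not from the presentation, and not any vendor's product code) of the content-inspection step: regex detectors for payment card numbers, Canadian SINs and e-mail addresses, a Luhn mod-10 checksum that suppresses number-shaped false positives, masking of matched values so the finding log does not itself become a copy of the data, and a mapping of hits onto the sensitivity scale shown on the earlier slide. The detector-to-label mapping, the sample records and the "Unclassified" default are assumptions made for illustration.

```python
"""Content-inspection step of a DLP control (added example, not from the talk)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sensitivity scale as listed on the slide, highest first.
SENSITIVITY_SCALE = ["Top Secret", "Secret", "Sensitive",
                     "Confidential", "Proprietary", "Public"]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: re.Pattern
    label: str              # sensitivity label assigned on a hit (assumed mapping)
    checksum: bool = False  # require a Luhn-valid digit string before counting a hit


# Assumed detectors and label mapping; the talk does not specify them.
DETECTORS = [
    Detector("payment card",
             re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
             "Confidential", checksum=True),
    Detector("Canadian SIN",
             re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
             "Confidential", checksum=True),
    Detector("email address",
             re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
             "Proprietary"),
]


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged
    without the DLP log re-leaking the value it flagged."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_record(text: str) -> list[tuple[str, str, str]]:
    """Return (detector name, label, masked match) for every validated hit."""
    findings = []
    for det in DETECTORS:
        for m in det.pattern.finditer(text):
            raw = m.group(0)
            if det.checksum and not luhn_ok(re.sub(r"\D", "", raw)):
                continue      # number-shaped but fails mod-10: treat as noise
            findings.append((det.name, det.label, mask(raw)))
    return findings


def classify(text: str) -> str:
    """Highest sensitivity among the findings; no hit does NOT mean Public."""
    findings = scan_record(text)
    if not findings:
        return "Unclassified"   # absence of a pattern is not evidence of Public
    return min((label for _, label, _ in findings), key=SENSITIVITY_SCALE.index)


# Constructed sample records for the demonstration (not real data).
SAMPLE_RECORDS = {
    "ticket-1": "Customer called about card 4111 1111 1111 1111, refund pending",
    "ticket-2": "Order reference 4111 1111 1111 1112 shipped on Friday",
    "hr-note": "New hire SIN 046-454-286, start date Monday",
    "newsletter": "Contact marketing@example.com for the public roadmap",
    "memo": "Q3 roadmap draft, internal",
}


def scan_all(records: dict[str, str]) -> dict[str, tuple[str, list]]:
    """Classify every record and keep its masked findings for the audit log."""
    return {rid: (classify(text), scan_record(text)) for rid, text in records.items()}


if __name__ == "__main__":
    for rid, (label, findings) in scan_all(SAMPLE_RECORDS).items():
        print(f"{rid:<11} {label:<13} {findings}")
```

The checksum step is what separates a DLP rule from a plain regex: "ticket-2" carries a 16-digit number that fails Luhn and is correctly ignored, while "ticket-1" is flagged. Records with no hits are left "Unclassified" rather than "Public", because a content scanner can only prove presence of a pattern, never absence of sensitivity; the final label still has to come from the process and sensitivity classification the earlier slides describe.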

What about today?

New Trends

Agenda:

- Data Lifecycle

- Risks in data lifecycle

- Countermeasures

- Risks in new trends

Where are we going?

• Real stories:

- The ones capable of identifying who is pregnant.

- The ones capable of knowing where you are without letting you notice it.

- The ones using your personal data for purposes other than those intended, without your consent.

- The ones tweeting without taking care of their company's reputation.

Where are we going?

Values → Behavioral actions → Changing the Social Contract

Where are we going?

• Identity

• Reputation

• Privacy

• Ownership

Source: Ethics of Big Data, Kord Davis

Where are we going?

Take care of the LIFESTREAM: yours and your organization's.

Source: Ethics of Big Data, Kord Davis

Where are we going?

• Inquiry

• Analysis

• Articulation

• Action

Source: Ethics of Big Data, Kord Davis

Bibliography

Agenda:

- What happens

- Where we are going

Conclusions

• You need to know your data.

• Data needs to be protected according to the process it serves or supports, and also according to its sensitivity.

• COBIT 5 is a good framework for defining controls related to data classification and protection.

• Data faces risks throughout its lifecycle.

• The countermeasures you define must be aligned with corporate and IT governance.

Conclusions

• New technologies and processes always, always (yes, always) bring new risks into the landscape.

• Big Data considerations are changing the social contract.

• You need to use your values and do what is right and should be considered right by others when managing data.

• You should take care of your lifestream and your company’s.


Final Thoughts

http://www.slideshare.net/sap/99-facts-on-the-future-of-business


SAP & Vuzix Augmented Reality


Questions and Answers


Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

carlos.chalico@ouestsolutions.com

(647)6388062

twitter: @CarlosChalicoT

LinkedIn: ca.linkedin.com/in/carloschalico/

Thank You!
