Auditing your (Big) Data Strategy

Presented by: Stewart Mantell, General Manager, Internal Audit, TAL

Post on 14-May-2022


Page 1: Auditing your (Big) Data Strategy

Auditing your (Big) Data Strategy

Presented by:

Stewart Mantell

General Manager, Internal Audit

TAL

Page 2: Auditing your (Big) Data Strategy

Intro

• Why is data important

• The new oil?

• Value of Data

• Data risk

Source: APRA

Page 3: Auditing your (Big) Data Strategy

Understanding your data (strategy)

• Does your organisation understand its data

  • “knowing is half the battle”

• Data classification

• Context is key

  • What, why, where, how

Page 4: Auditing your (Big) Data Strategy

Knowing where your data is

• Data sources and uses proliferate

• Is data held internally, or with providers

• Think laterally

• Shadow IT and growth of cloud services

Source: IIA

Page 5: Auditing your (Big) Data Strategy

Data Classification – a foundation

• Data classification

  • Criticality and sensitivity

• Content, Context, User

• A number of general definitions

  • Generally available / public / unclassified

  • Internal Use only

  • Confidential / restricted

  • Commercial in Confidence / highly restricted

• Tools can be used to gather information, but…

Source: AWS

Page 6: Auditing your (Big) Data Strategy

Auditing Considerations

• Regulatory Considerations

  • Consideration of approach / design in line with regulatory guidance e.g. CPS 231, 232, 234

• Vendor / legal risks

  • Privacy regime / jurisdiction

• Customer Consent

• Organisational Risk Appetite

• Termination of services and repatriation of data

Page 7: Auditing your (Big) Data Strategy

Auditing Considerations (contd)

• Technology Considerations – what are the threats

  • Based on architecture, on prem vs cloud

• Look at layers – infrastructure and app

• Threat analysis: Data Breach, Malicious Encryption, Fraud, DoS, APT

• Operational Considerations – how is data being used

  • predictive vs reactive, system of record vs system of insight / enquiry

• Governance, Monitoring, Testing

Page 8: Auditing your (Big) Data Strategy

Cloud

• Increasing use of cloud as part of Big Data strategies

• Shared service model for controls

• Audit assurance over cloud providers

Source: AWS

Source: APRA

Page 9: Auditing your (Big) Data Strategy

CPS 234 – Information Security

• Resilience against information security incidents (including cyberattacks)

• Maintain an information security capability that is commensurate with information security vulnerabilities and threats.

Governance & Policy Framework

Information Security Capability

Defined Information Assets

Documented Controls

Systematic Testing Program

Internal Audit Review

Notification Process

Page 10: Auditing your (Big) Data Strategy

Leveraging the use of Big Data

• Use Big Data for Internal Audit Analytics

• Rise in the use of Data and Big Data and harnessing that for Internal Audit

• Make the most of scarce audit resources

Page 11: Auditing your (Big) Data Strategy

Guidance on managing and auditing (big) data risk

• IIA – GTAG Understanding and Auditing Big Data

• CPG 235

• CPS 234

• APRA Cloud guidance

• ISACA

Page 12: Auditing your (Big) Data Strategy

Summary

• Context is key to understanding big data risk

• Data classification is a foundation

• There are specific considerations when using cloud

• CPS 234 is driving focus on security, but don’t forget about quality

• Harness data and big data for audit work

• Leverage industry thinking IIA, APRA, ISACA