Data Lifecycle: Risk Considerations and Controls October, 2013
Data Lifecycle Risk Considerations and Controls
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador
Ouest Business Solutions Inc.
Director Eastern Region
@CarlosChalicoT
#ISACA_DDay
What's in this for you?
By the end of this session you will:
• Understand the concept of data and general considerations regarding its classification.
• Know some of the risks data faces in a data management lifecycle.
• Challenge the relationship between business activities and human behaviour when managing data.
First things first
Image: "Elephant In The Room", by Leah Saulnier (The Painting Maniac), oil painting.
So, what does this mean?
DATA
Data (Wikipedia)
Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording.
The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand.
Data
• Values of qualitative or quantitative variables.
• Represented in a structure:
- Tabular.
- Tree.
- Graph.
• Results.
• Lowest level of abstraction for information and knowledge.
• Numbers, words, images, accepted as they stand.
Data
Diagram: Data + Value = Information. Information feeds Knowledge, Knowledge drives Decision Making, and Decision Making produces Results, which end in Success or Failure.
Classifying Data
Diagram: data can be classified along three dimensions: Process, Sensitivity and IT Infrastructure.
Classifying Data: Process
• Financial
• Commercial
• Strategic
• Operational
• Personal
• Raw
• Unnecessary...
• Combined
Classifying Data: Sensitivity
• Top Secret
• Secret
• Sensitive
• Confidential
• Proprietary
• Public
Classifying Data
Matrix (slide): the process categories (Financial, Personal, Commercial, Strategic, Operational, Raw, Combined) plotted against the sensitivity levels (Top Secret, Secret, Sensitive, Confidential, Proprietary, Public). A process category can appear at several sensitivity levels; in the slide, Financial and Operational data appear at all six levels, Strategic at five, Commercial and Combined at three, and Personal and Raw at two.
Classifying Data
Source: Understanding Data Classification Based on Business and Security Requirements, ISACA Journal, 2006, Volume 5; Rafael Etges, CISA, CISSP, and Karen McNeil.
Data - concept
Data - classification
Data Lifecycle
Data Lifecycle Risks
Diagram: risks arise Before, During and After each lifecycle stage, and they affect Confidentiality, Integrity and Availability.
Countermeasures
• Information Security Programs
- COBIT
- ISO27000
- ISO38500
- ITIL
• Specific Controls
- Data Loss Prevention
- Awareness
- Incident Response Management
• Compliance
Diagram: Governance at the Corporate, IT and Data levels.
What about today?
New Trends
Data Lifecycle
Risks in data lifecycle
Countermeasures
Risks in new trends
New Trends
Where are we going?
• Real stories:
- The ones capable of identifying who is pregnant.
- The ones capable of knowing where you are without letting you notice it.
- The ones using your personal data for unintended purposes without your consent.
- The ones tweeting without taking care of their company's reputation.
Where are we going?
Diagram: Values, Behavioral actions, Changing the Social Contract.
Where are we going?
• Identity
• Reputation
• Privacy
• Ownership
Source: Ethics of Big Data, Kord Davis
Where are we going?
Take care of the LIFESTREAM: yours and your organization's.
Source: Ethics of Big Data, Kord Davis
Where are we going?
Ethics of Big Data:
• Inquiry
• Analysis
• Articulation
• Action
Source: Ethics of Big Data, Kord Davis
Bibliography
What happens
Where we are going
Conclusions
• You need to know your data.
• Data needs to be protected according to the process it serves or supports, and also according to its sensitivity.
• COBIT 5 is a good framework for defining controls related to data classification and protection.
• Data faces risks throughout its lifecycle.
• The countermeasures defined shall be aligned with corporate and IT governance.
Conclusions
• New technologies and processes always, always (yes, always) bring new risks into the landscape.
• Big Data considerations are changing the social contract.
• You need to use your values and do what is right and should be considered right by others when managing data.
• You should take care of your lifestream and your company’s.
Final Thoughts
http://www.slideshare.net/sap/99-facts-on-the-future-of-business
SAP & Vuzix Augmented Reality
Questions and Answers
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador
Ouest Business Solutions Inc.
(647)6388062
twitter: @CarlosChalicoT
LinkedIn: ca.linkedin.com/in/carloschalico/
Thank You!