Data Lifecycle Risks Considerations and Controls
0 likes•1,701 views
The document discusses data lifecycle risks and controls. It begins by defining data and discussing data classification. It then explains risks to data throughout its lifecycle before collection, during use, and after use. Some risks include breaches of confidentiality, integrity, and availability. The document recommends implementing information security programs and specific controls to mitigate risks. It also notes new risks emerging from technologies like big data and the need to consider ethics when managing data.
Data Lifecycle Risks Considerations and Controls
- 1. Data Lifecycle: Risk Considerations and Controls October, 2013
- 2. Data Lifecycle Risk Considerations and Controls Carlos Chalico CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador Ouest Business Solutions Inc. Director Eastern Region 2 @CarlosChalicoT #ISACA_DDay
- 3. What´s in this for you? By the end of this session you will: • Understand the concept of data and general considerations regarding its classification. • Know some of the risks data faces in a data management lifecycle. • Challenge the relationship between business activities and human behaviour when managing data. 3
- 4. First things first 4 Title: Elephant In The Room Artist: Leah Saulnier The Painting Maniac Medium: Painting - Oil
- 5. So, what does this mean? DATA 5 @CarlosChalicoT #ISACA_DDay
- 6. Data (Wikipedia) Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording. ! The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand. 6 @CarlosChalicoT #ISACA_DDay
- 7. Data (Wikipedia) 7 Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent- children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording. ! The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand. @CarlosChalicoT #ISACA_DDay
- 8. Data • Values of qualitative or quantitative variables. • Represented in a structure: - Tabular. - Tree. - Graph. • Results. • Lowest level of abstraction for information and knowledge. • Numbers, words, images, accepted as they stand. 8 @CarlosChalicoT #ISACA_DDay
- 9. Data 9 Data +Value = Information KnowledgeDecision Making Failure Success Results @CarlosChalicoT #ISACA_DDay
- 10. Classifying Data DATA 10 Process Sensitivity IT Infrastructure @CarlosChalicoT #ISACA_DDay
- 11. Classifying Data: Process 11 Financial Commercial Strategic Operational Personal Raw Unnecesary... Combined @CarlosChalicoT #ISACA_DDay
- 12. Classifying Data: Sensitivity Top Secret Secret Sensitive Confidential Proprietary Public 12 @CarlosChalicoT #ISACA_DDay
- 15. 15 Understanding Data Classification Based on Business and Security Requirements ISACA Journal, 2006,Volume 5; Rafael Etges, CISA, CISSP and Karen McNeil Classifying Data @CarlosChalicoT #ISACA_DDay
- 16. Data Lifecycle: Risk Considerations and Controls October, 2013 Data - concept Data - classification
- 19. Countermeasures • Information Security Programs - COBIT - ISO27000 - ISO38500 - ITIL • Specific Controls - Data Loss Prevention - Awareness - Incident Response Management • Compliance 19 Governance Corporate IT Data @CarlosChalicoT #ISACA_DDay
- 20. What about today? 20 New Trends
- 24. Data Lifecycle: Risk Considerations and Controls October, 2013 Data Lifecycle Risks in data lifecycle Countermeasures Risks in new trends
- 26. Where are we going? • Real stories: - The ones capable of identifying who is pregnant. - The ones capable of knowing where you are without letting you notice it. - The ones using your personal data for not intended purposes without your consent. - The ones tweetting without taking care of its company reputation. 26 @CarlosChalicoT #ISACA_DDay
- 27. 27 Where are we going? Values Behavioral actions Changing the Social Contract @CarlosChalicoT #ISACA_DDay
- 28. 28 Where are we going? Identity Reputation Privacy Ownership @CarlosChalicoT #ISACA_DDay Source: Ethics of Big Data, Kord Davis
- 29. 29 Where are we going? Take care of the LIFESTREAM Yours Your Organization’s @CarlosChalicoT #ISACA_DDay Source: Ethics of Big Data, Kord Davis
- 30. Where are we going? 30 Inquiry Analysis Articulation Action @CarlosChalicoT #ISACA_DDay Ethics of Big Data Source: Ethics of Big Data, Kord Davis
- 32. Data Lifecycle: Risk Considerations and Controls October, 2013 What happens Where we are going
- 33. Conclusions • You need to know your data. • Data needs to be protected according to the process they serve or support and also considering their sensitivity. • COBIT 5 is a good framework to define controls related to data classification and protection. • Data faces risks all over their lifecycle. • Countermeasures defined shall be alligned to corporate and IT governance. 33 @CarlosChalicoT #ISACA_DDay
- 34. Conclusions • New technologies and processes always, always (yes, always) bring new risks into the landscape. • Big Data considerations are changing the social contract. • You need to use your values and do what is right and should be considered right by others when managing data. • You should take care of your lifestream and your company’s. 34 @CarlosChalicoT #ISACA_DDay
- 41. FinalThoughts 41 SAP & Vuzix Augmented Reality @CarlosChalicoT #ISACA_DDay
- 45. Questions and Answers 45 Carlos Chalico CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador Ouest Business Solutions Inc. [email protected] (647)6388062 twitter: @CarlosChalicoT LinkedIn: ca.linkedin.com/in/carloschalico/ @CarlosChalicoT #ISACA_DDay
- 46. Data Lifecycle: Risk Considerations and Controls October, 2013 Thank You!