Data Lifecycle Risks Considerations and Controls
DESCRIPTION
Presentation delivered at the Data Day organized by the ISACA Toronto chapter.
TRANSCRIPT
Data Lifecycle: Risk Considerations and Controls October, 2013
Data Lifecycle Risk Considerations and Controls
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador
Ouest Business Solutions Inc.
Director Eastern Region
@CarlosChalicoT
#ISACA_DDay
What's in this for you?
By the end of this session you will:
• Understand the concept of data and general considerations regarding its classification.
• Know some of the risks data faces in a data management lifecycle.
• Challenge the relationship between business activities and human behaviour when managing data.
First things first
Title: Elephant In The Room Artist: Leah Saulnier The Painting Maniac Medium: Painting - Oil
So, what does this mean?
DATA
Data (Wikipedia)
Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of qualitative or quantitative variables, belonging to a set of items. Data in computing (or data processing) are represented in a structure, often tabular (represented by rows and columns), a tree (a set of nodes with parent-children relationship) or a graph structure (a set of interconnected nodes). Data are typically the results of measurements and can be visualised using graphs or images. Data as an abstract concept can be viewed as the lowest level of abstraction from which information and then knowledge are derived. Raw data, i.e., unprocessed data, refers to a collection of numbers, characters and is a relative term; data processing commonly occurs by stages, and the "processed data" from one stage may be considered the "raw data" of the next. Field data refers to raw data collected in an uncontrolled in situ environment. Experimental data refers to data generated within the context of a scientific investigation by observation and recording.
The word data is the plural of datum, neuter past participle of the Latin dare, "to give", hence "something given". In discussions of problems in geometry, mathematics, engineering, and so on, the terms givens and data are used interchangeably. Such usage is the origin of data as a concept in computer science or data processing: data are numbers, words, images, etc., accepted as they stand.
Data
• Values of qualitative or quantitative variables.
• Represented in a structure:
- Tabular.
- Tree.
- Graph.
• Results.
• Lowest level of abstraction for information and knowledge.
• Numbers, words, images, accepted as they stand.
Data
Data + Value = Information
Knowledge
Decision Making
Failure
Success
Results
Classifying Data
DATA
Process
Sensitivity
IT Infrastructure
Classifying Data: Process
Financial
Commercial
Strategic
Operational
Personal
Raw Unnecessary...
Combined
Classifying Data: Sensitivity
Top Secret
Secret
Sensitive
Confidential
Proprietary
Public
Classifying Data
[Matrix slide: sensitivity levels as columns (Top Secret, Secret, Sensitive, Confidential, Proprietary, Public) with process categories placed under them. Occurrences per category: Financial 6, Personal 2, Commercial 3, Strategic 5, Operational 6, Raw 2, Combined 3.]
Classifying Data
Understanding Data Classification Based on Business and Security Requirements. ISACA Journal, 2006, Volume 5; Rafael Etges, CISA, CISSP and Karen McNeil
Data Lifecycle: Risk Considerations and Controls October, 2013
Data - concept
Data - classification
Data Lifecycle
Data Lifecycle Risks
Before
During
After
Confidentiality
Integrity
Availability
Countermeasures
• Information Security Programs
- COBIT
- ISO27000
- ISO38500
- ITIL
• Specific Controls
- Data Loss Prevention
- Awareness
- Incident Response Management
• Compliance
Governance
Corporate
IT
Data
What about today?
New Trends
Data Lifecycle: Risk Considerations and Controls October, 2013
Data Lifecycle
Risks in data lifecycle
Countermeasures
Risks in new trends
New Trends
Where are we going?
• Real stories:
- The ones capable of identifying who is pregnant.
- The ones capable of knowing where you are without letting you notice it.
- The ones using your personal data for unintended purposes without your consent.
- The ones tweeting without taking care of their company's reputation.
Where are we going?
Values
Behavioral actions
Changing the Social Contract
Where are we going?
Identity
Reputation
Privacy
Ownership
Source: Ethics of Big Data, Kord Davis
Where are we going?
Take care of the LIFESTREAM
Yours
Your Organization’s
Source: Ethics of Big Data, Kord Davis
Where are we going?
Inquiry
Analysis
Articulation
Action
Ethics of Big Data
Source: Ethics of Big Data, Kord Davis
Bibliography
Data Lifecycle: Risk Considerations and Controls October, 2013
What happens
Where we are going
Conclusions
• You need to know your data.
• Data need to be protected according to the process they serve or support, also considering their sensitivity.
• COBIT 5 is a good framework to define controls related to data classification and protection.
• Data face risks throughout their lifecycle.
• Countermeasures defined shall be aligned with corporate and IT governance.
Conclusions
• New technologies and processes always, always (yes, always) bring new risks into the landscape.
• Big Data considerations are changing the social contract.
• You need to use your values and do what is right, and what should be considered right by others, when managing data.
• You should take care of your lifestream and your company’s.
Final Thoughts
http://www.slideshare.net/sap/99-facts-on-the-future-of-business
SAP & Vuzix Augmented Reality
Questions and Answers
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador
Ouest Business Solutions Inc.
(647)6388062
twitter: @CarlosChalicoT
LinkedIn: ca.linkedin.com/in/carloschalico/
Data Lifecycle: Risk Considerations and Controls October, 2013
Thank You!