2. Data Lifecycle
Risk Considerations and Controls
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Ambassador
Ouest Business Solutions Inc.
Director Eastern Region
@CarlosChalicoT
#ISACA_DDay
3. What's in this for you?
By the end of this session you will:
• Understand the concept of data and general
considerations regarding its classification.
• Know some of the risks data faces in a data
management lifecycle.
• Challenge the relationship between business
activities and human behaviour when managing data.
4. First things first
Image: "Elephant In The Room", oil painting by Leah Saulnier (The Painting Maniac).
5. So, what does this mean?
DATA
6. Data (Wikipedia)
Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of
qualitative or quantitative variables, belonging to a set of items. Data in
computing (or data processing) are represented in a structure, often tabular
(represented by rows and columns), a tree (a set of nodes with parent-children
relationship) or a graph structure (a set of interconnected nodes). Data are
typically the results of measurements and can be visualised using graphs or
images. Data as an abstract concept can be viewed as the lowest level of
abstraction from which information and then knowledge are derived. Raw
data, i.e., unprocessed data, refers to a collection of numbers, characters and
is a relative term; data processing commonly occurs by stages, and the
"processed data" from one stage may be considered the "raw data" of the next.
Field data refers to raw data collected in an uncontrolled in situ environment.
Experimental data refers to data generated within the context of a scientific
investigation by observation and recording.
The word data is the plural of datum, neuter past participle of the Latin dare,
"to give", hence "something given". In discussions of problems in geometry,
mathematics, engineering, and so on, the terms givens and data are used
interchangeably. Such usage is the origin of data as a concept in computer
science or data processing: data are numbers, words, images, etc., accepted as
they stand.
8. Data
• Values of qualitative or quantitative variables.
• Represented in a structure:
- Tabular.
- Tree.
- Graph.
• Results.
• Lowest level of abstraction for information and
knowledge.
• Numbers, words, images, accepted as they stand.
9. Data
Diagram: Data + Value = Information, leading to Knowledge, Decision Making and Results (Success or Failure).
15. Classifying Data
Source: Understanding Data Classification Based on Business and Security Requirements, ISACA Journal, 2006, Volume 5; Rafael Etges, CISA, CISSP and Karen McNeil.
16. Data Lifecycle: Risk Considerations and Controls
October, 2013
Data - concept
Data - classification
26. Where are we going?
• Real stories:
- The ones capable of identifying who is pregnant.
- The ones capable of knowing where you are without
letting you notice it.
- The ones using your personal data for unintended
purposes without your consent.
- The ones tweeting without taking care of their
company's reputation.
27. Where are we going?
Diagram: Values and behavioral actions are changing the social contract.
28. Where are we going?
• Identity
• Reputation
• Privacy
• Ownership
Source: Ethics of Big Data, Kord Davis
29. Where are we going?
Take care of the LIFESTREAM: yours and your organization's.
Source: Ethics of Big Data, Kord Davis
30. Where are we going?
• Inquiry
• Analysis
• Articulation
• Action
Source: Ethics of Big Data, Kord Davis
32. Data Lifecycle: Risk Considerations and Controls
October, 2013
What happens
Where we are going
33. Conclusions
• You need to know your data.
• Data needs to be protected according to the processes
it serves or supports, and also according to its
sensitivity.
• COBIT 5 is a good framework to define controls
related to data classification and protection.
• Data faces risks throughout its lifecycle.
• The countermeasures defined shall be aligned to
corporate and IT governance.
34. Conclusions
• New technologies and processes always, always (yes,
always) bring new risks into the landscape.
• Big Data considerations are changing the social
contract.
• You need to use your values and do what is right, and
what others would consider right, when managing
data.
• You should take care of your lifestream and your
company's.