The document discusses data lifecycle risks and controls. It begins by defining data and discussing data classification. It then explains risks to data throughout its lifecycle before collection, during use, and after use. Some risks include breaches of confidentiality, integrity, and availability. The document recommends implementing information security programs and specific controls to mitigate risks. It also notes new risks emerging from technologies like big data and the need to consider ethics when managing data.

1. Data Lifecycle: Risk Considerations and Controls
October, 2013

2. Data Lifecycle
Risk Considerations and Controls
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Ambassador
Ouest Business Solutions Inc.
Director Eastern Region
2
@CarlosChalicoT
#ISACA_DDay

3. What´s in this for you?
By the end of this session you will:
• Understand the concept of data and general
considerations regarding its classification.
• Know some of the risks data faces in a data
management lifecycle.
• Challenge the relationship between business
activities and human behaviour when managing data.
3

4. First things first
4
Title:
Elephant In The Room
Artist:
Leah Saulnier The Painting Maniac
Medium:
Painting - Oil

5. So, what does this mean?
DATA
5
@CarlosChalicoT
#ISACA_DDay

6. Data (Wikipedia)
Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of
qualitative or quantitative variables, belonging to a set of items. Data in
computing (or data processing) are represented in a structure, often tabular
(represented by rows and columns), a tree (a set of nodes with parent-children
relationship) or a graph structure (a set of interconnected nodes). Data are
typically the results of measurements and can be visualised using graphs or
images. Data as an abstract concept can be viewed as the lowest level of
abstraction from which information and then knowledge are derived. Raw
data, i.e., unprocessed data, refers to a collection of numbers, characters and
is a relative term; data processing commonly occurs by stages, and the
"processed data" from one stage may be considered the "raw data" of the next.
Field data refers to raw data collected in an uncontrolled in situ environment.
Experimental data refers to data generated within the context of a scientific
investigation by observation and recording.
!
The word data is the plural of datum, neuter past participle of the Latin dare,
"to give", hence "something given". In discussions of problems in geometry,
mathematics, engineering, and so on, the terms givens and data are used
interchangeably. Such usage is the origin of data as a concept in computer
science or data processing: data are numbers, words, images, etc., accepted as
they stand.
6
@CarlosChalicoT
#ISACA_DDay

7. Data (Wikipedia)
7
Data (/ˈdeɪtə/ DAY-tə, /ˈdætə/ DA-tə, or /ˈdɑːtə/ DAH-tə) are values of
qualitative or quantitative variables, belonging to a set of items. Data in
computing (or data processing) are represented in a structure, often tabular
(represented by rows and columns), a tree (a set of nodes with parent-
children relationship) or a graph structure (a set of interconnected nodes).
Data are typically the results of measurements and can be visualised using
graphs or images. Data as an abstract concept can be viewed as the lowest
level of abstraction from which information and then knowledge are derived.
Raw data, i.e., unprocessed data, refers to a collection of numbers, characters
and is a relative term; data processing commonly occurs by stages, and the
"processed data" from one stage may be considered the "raw data" of the next.
Field data refers to raw data collected in an uncontrolled in situ environment.
Experimental data refers to data generated within the context of a scientific
investigation by observation and recording.
!
The word data is the plural of datum, neuter past participle of the Latin dare,
"to give", hence "something given". In discussions of problems in geometry,
mathematics, engineering, and so on, the terms givens and data are used
interchangeably. Such usage is the origin of data as a concept in computer
science or data processing: data are numbers, words, images, etc., accepted
as they stand.
@CarlosChalicoT
#ISACA_DDay

8. Data
• Values of qualitative or quantitative variables.
• Represented in a structure:
- Tabular.
- Tree.
- Graph.
• Results.
• Lowest level of abstraction for information and
knowledge.
• Numbers, words, images, accepted as they stand.
8
@CarlosChalicoT
#ISACA_DDay

9. Data
9
Data +Value = Information
KnowledgeDecision
Making
Failure
Success
Results
@CarlosChalicoT
#ISACA_DDay

10. Classifying Data
DATA
10
Process Sensitivity
IT Infrastructure
@CarlosChalicoT
#ISACA_DDay

11. Classifying Data: Process
11
Financial
Commercial
Strategic
Operational
Personal
Raw Unnecesary...
Combined
@CarlosChalicoT
#ISACA_DDay

12. Classifying Data: Sensitivity
Top Secret
Secret
Sensitive
Confidential
Proprietary
Public
12
@CarlosChalicoT
#ISACA_DDay

13. 13
Top Secret
Secret
Sensitive
Confidential
Proprietary
Public
Financial
Financial
Financial
Financial
Financial
Financial
Classifying Data
Personal
Personal
Commercial
Commercial
Commercial
Strategic
Strategic
Strategic
Strategic
Strategic
Operational
Operational
Operational
Operational
Operational
Operational
Raw
Raw
Combined
Combined
Combined
@CarlosChalicoT
#ISACA_DDay

14. 14
Classifying Data

15. 15
Understanding Data Classification Based on Business and Security Requirements
ISACA Journal, 2006,Volume 5; Rafael Etges, CISA, CISSP and Karen McNeil
Classifying Data
@CarlosChalicoT
#ISACA_DDay

16. Data Lifecycle: Risk Considerations and Controls
October, 2013
Data - concept
Data - classification

17. Data Lifecycle
17
@CarlosChalicoT
#ISACA_DDay

18. Data Lifecycle Risks
Before
!
During
!
After
18
Confidentiality
!
Integrity
!
Availability
@CarlosChalicoT
#ISACA_DDay

19. Countermeasures
• Information Security Programs
- COBIT
- ISO27000
- ISO38500
- ITIL
• Specific Controls
- Data Loss Prevention
- Awareness
- Incident Response Management
• Compliance
19
Governance
Corporate
IT
Data
@CarlosChalicoT
#ISACA_DDay

20. What about today?
20
New Trends

21. NewTrends
21
@CarlosChalicoT
#ISACA_DDay

22. NewTrends
22
@CarlosChalicoT
#ISACA_DDay

23. NewTrends
23
@CarlosChalicoT
#ISACA_DDay

24. Data Lifecycle: Risk Considerations and Controls
October, 2013
Data Lifecycle
Risks in data lifecycle
Countermeasures
Risks in new trends

25. NewTrends
25
@CarlosChalicoT
#ISACA_DDay

26. Where are we going?
• Real stories:
- The ones capable of identifying who is pregnant.
- The ones capable of knowing where you are without
letting you notice it.
- The ones using your personal data for not intended
purposes without your consent.
- The ones tweetting without taking care of its
company reputation.
26
@CarlosChalicoT
#ISACA_DDay

27. 27
Where are we going?
Values
Behavioral
actions
Changing the Social Contract
@CarlosChalicoT
#ISACA_DDay

28. 28
Where are we going?
Identity
Reputation
Privacy
Ownership
@CarlosChalicoT
#ISACA_DDay
Source: Ethics of Big Data, Kord Davis

29. 29
Where are we going?
Take care of the
LIFESTREAM
Yours
Your
Organization’s
@CarlosChalicoT
#ISACA_DDay
Source: Ethics of Big Data, Kord Davis

30. Where are we going?
30
Inquiry
Analysis
Articulation
Action
@CarlosChalicoT
#ISACA_DDay
Ethics of
Big Data
Source: Ethics of Big Data, Kord Davis

31. Bibliography
31
@CarlosChalicoT
#ISACA_DDay

32. Data Lifecycle: Risk Considerations and Controls
October, 2013
What happens
Where we are going

33. Conclusions
• You need to know your data.
• Data needs to be protected according to the process
they serve or support and also considering their
sensitivity.
• COBIT 5 is a good framework to define controls
related to data classification and protection.
• Data faces risks all over their lifecycle.
• Countermeasures defined shall be alligned to
corporate and IT governance.
33
@CarlosChalicoT
#ISACA_DDay

34. Conclusions
• New technologies and processes always, always (yes,
always) bring new risks into the landscape.
• Big Data considerations are changing the social
contract.
• You need to use your values and do what is right and
should be considered right by others when managing
data.
• You should take care of your lifestream and your
company’s.
34
@CarlosChalicoT
#ISACA_DDay

35. FinalThoughts
35
http://www.slideshare.net/sap/99-facts-on-the-future-of-business
@CarlosChalicoT
#ISACA_DDay

36. FinalThoughts
36
@CarlosChalicoT
#ISACA_DDay

37. FinalThoughts
37
@CarlosChalicoT
#ISACA_DDay

38. FinalThoughts
38
@CarlosChalicoT
#ISACA_DDay

39. FinalThoughts
39
@CarlosChalicoT
#ISACA_DDay

40. FinalThoughts
40
@CarlosChalicoT
#ISACA_DDay

41. FinalThoughts
41
SAP & Vuzix Augmented Reality
@CarlosChalicoT
#ISACA_DDay

42. FinalThoughts
42
@CarlosChalicoT
#ISACA_DDay

43. FinalThoughts
43
@CarlosChalicoT
#ISACA_DDay

44. FinalThoughts
44
@CarlosChalicoT
#ISACA_DDay

45. Questions and Answers
45
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Ambassador
Ouest Business Solutions Inc.
carlos.chalico@ouestsolutions.com
(647)6388062
twitter: @CarlosChalicoT
LinkedIn: ca.linkedin.com/in/carloschalico/
@CarlosChalicoT
#ISACA_DDay

46. Data Lifecycle: Risk Considerations and Controls
October, 2013
Thank You!