Post on 17-Jan-2016
Privacy and Information Governance Challenges in the
Age of Big Data
Montréal, Québec, October 21, 2014
Jerrard B. Gaertner, CPA, CA, CISSP, CISA, CGEIT, CIPP/IT, CFI, CIA, I.S.P., ITCP
© 2014 Jerrard Gaertner and Managed Analytic Services Inc.
Disclaimer
This presentation does not constitute legal or professional advice. The opinions expressed are those of the presenter and do not represent those of the Canadian Information Processing Society or Managed Analytic Services Inc.
American, Canadian and European Union laws and regulations differ from each other in substantive ways. Although every effort has been made to ensure the accuracy of this material, the author assumes no responsibility for its accuracy, completeness, applicability or currency.
Consult your legal, security and/or privacy practitioner(s) for more detailed information on these topics.
Your Presenter
How Did We Get Here?
Business Imperative!
Deriving Value Often Requires Process Change and Inter-Departmental Cooperation
May I Have This Dance?
Do Not Rely on Strictly Technology Solutions
They WILL fail!
All Eggs in One Basket
Big Data has Special Risks
1. Concentration creates high value targets
2. Where did each element come from? Is it accurate, unique, current? Data quality issues are significant
3. Lower established reliability and less familiarity, greater inherent complexity, increase risk of error
4. Logical analysis, process re-performance not always possible. Untestable processing leaves residual risk
5. ETL process can be complex & time consuming
6. On line and off line processes pose different risks
7. Big Data sometimes falls between the cracks in the application of security and privacy policies
Big Data has Big Business Risks That Can Lead to Security, Privacy and Compliance Failures
1. Very few certified vendors or 3rd party certified installations which can be relied upon from a due diligence perspective
2. Lack of experience leads to unrealistic expectations, under-resourcing, pressure to produce
3. Outside expertise can be costly – in-house bootstrapping is problematic
4. Deriving value is not the same thing as finding an answer or a pattern
Big Data Risks (diagram): Concentration, Conversion (ETL) and Data Quality Risks; Few Security and Privacy Tools; Staff Lack Familiarity and Training; Architectural Complexity; Lack of Proven Reliability and 3rd Party Certification; Unrealistic Expectations and Pressure to Produce; Difficult to Test in Conventional Ways
The Basics
• Governance and IT governance
• Framework and standards applied
• Security and privacy standard adapted
• Risk based approach
• Innovative application of standard control technologies
• Human and organizational components are critical
• Enforcement and 3rd party oversight
Some Hints from Experience
1. Training and awareness are critical
2. Strong organizational and administrative controls can compensate for many deficiencies
3. It is rarely as simple or as effective as vendors would like you to believe – always do your own due diligence
4. People will try to circumvent controls if they feel they are hampering efficiency
5. It is often most difficult to deliver intangible deliverables – security, privacy control, processes and procedures, documentation – and these are most often sacrificed on the altar of budget and schedule
Some More Hints
6. Apply limited resources where they will have the greatest impact – always consider risk
7. Segregating, sandboxing, limiting, logging, exception reporting, validating are tried and true techniques that still work
8. Never use default security passwords
9. Open source is a double edged sword to be treated always with respect
10. A little encryption is better than none – as long as you know what you’re doing
11. Automated ETL tools can save a LOT of time
12. IT staff are custodians of the data – not its owners
Baby & the Bathwater?
Retention, Preservation & Destruction – Or Not?
Predictive Analytics – A Very Special Case
The Road Ahead
It’s easy to see…
Jerrard Gaertner, CPA, CA • CISA/IT, CGEIT, CISSP, CIPP/IT, CFI, CIA, I.S.P., ITCP
jgaertner@cips.ca
jerrard.gaertner@managedanalyticservices.com
1-416-505-0307
Thank you!