LPMN Big Data & Business Analytics

Your Gateway to Project Management Success

Big Data & Business Analytics: InfoSec and Privacy considerations when

managing an implementation project September 17th, 2015


#BigData @LPMN_ca @CarlosChalicoT

Carlos Chalico

18+ years

CISA CISSP CISM

ISO27001LA

CGEIT CRISC PbDA



First Things First

Title: Elephant In The Room Artist: Leah Saulnier The Painting Maniac Medium: Painting - Oil



Agenda

• Background

• How did we get here?

• Basic concepts

• Implementing a Big Data – Business Analytics project

• InfoSec and Privacy considerations

• Closing



Robert Frost

“The brain is a wonderful organ; it starts working the moment you get

up in the morning and does not stop until you get into the office”



Background

http://www.slideshare.net/sap/99-facts-on-the-future-of-business


















Background

















Michael E. Driscoll

“We’ve reached a tipping point in history: today more data is being

manufactured by machines, servers and cell phones, than by people”



How did we get here?

Source: Based on Foundations of Enterprise Analytics course, SCS, UofT

2003 2 0 0 5

2006

2 0 0 7

2008 2010





2011 2012

2013

3,200 2014



Basic Concepts

• Analytics

• Enterprise Analytics

• Big Data

• Information Security

• Privacy



Basic Concepts - Analytics


• The discovery and communication of meaningful patterns in data.

• Especially valuable in areas rich with recorded information

• Analytics relies on the simultaneous application of statistics, computer programming and operations research

• Analytics often favours data visualization to communicate insight




• Means the application of analytic techniques to:

– Problems issues and opportunities which affect a significant portion of the enterprise, and or

– Data belonging/relating to enterprise activities whether internal to the enterprise or not

Basic Concepts – Enterprise Analytics




• On-going Analysis Data warehouses and data marts

Corporate reporting

Dashboards

Alerts

Planning and Budgeting

• Special Studies Hypothesis testing

Exploratory

Basic Concepts – Enterprise Analytics

Enterprise Analytics




Basic Concepts – Big Data




• Collection of data sets

• Large and complex

• Some Challenges:

– Capture

– Storage

– Search

– Sharing

– Transfer

– Analysis

– Visualization





• Big data is a short hand label that typically means applying the tools of artificial intelligence, like machine learning, to vast new troves of data beyond that captured in standard data bases.

• The new data sources include web browsing data trails, social network communications, sensor data and surveillance data.

Steve Lohr, New York Times Reporter

How Big Data Became So Big, August 12, 2012





• Volume

• Variety

• Velocity

• Validity

• Veracity

• Big data solutions optimally consist of innovative, cost effective forms of information processing, supporting enhanced insight and decision making.

Adapted from Gartner Inc. S. Sicular Doug Laney





Basic Concepts – InfoSec

• <>IT Security

• Focused on providing the following to information regardless of the media used:

• Confidentiality

• Integrity

• Availability

• Information Security (InfoSec)



Basic Concepts – InfoSec

Information Assurance

Information Security

Information Protection

Cybersecurity (Electronic)

Nonrepudiation

Authentication

Confidentiality

Integrity

Availability

Source: Corey Schou and Steven Hernandez



Basic Concepts – Privacy

• Not a new concept

• Defined in XIX century as “the right to be left alone”

• More recently, in 1997, the United Kingdom’s Calcutt Committee defined it as:

“The right of the individual to be protected against intrusion into his/her personal life or affairs, or those

of his/her family, by direct physical means or by publication of information”

Source: “Canadian Privacy: Data Protection Law and Policy for the Practitioner”, Kris Klein, an IAPP Publication



Basic Concepts – Privacy

Source: Ernst & Young



Implementing a project

University of Toronto

School of Continuing

Studies

Foundations of Enterprise Data Analytics (EDA)

Value proposition and Technologies of EDA

Data Management from EDA to Data Based Decision Making

Big Data Tools and Techniques Mining Financial, Operational And Social NW Data

29

42

2

94

3

29

44

3

03

0

http://learn.utoronto.ca/courses-programs/business-professionals/acourses/management-of-enterprise-data-analytics



Implementing a project

1

Goal

Definition

2

Understand

Process

4

Identify

Areas for

Solution

5

Prioritize

Findings

7

Present

Findings

8

Solution

Preview

3

Integration

Requirements

6

Determine

Scope

Source: Based on “Getting Started with Business Analytics: Insightful Decision Making”, David Roi Hardoon & Galit Schmueli, CRC Press

Is Project Management relevant?



Goal Definition

• What is that the organization needs/wants?

• Will we predict or detect something?

• Who are the stakeholders?

• Who’s sponsoring this?

• Risk and control identification shall start from the very beginning.


Is Project Management

relevant?



Understand processes

• Know the process(es)

• Know the IT infrastructure

• Understand the risks

• Identify and test the controls

• Comprehend their specifications

• Identify new risks on the process, on the project, on the transformation.



relevant?



Integration Requirements

• What are our sources?

• How are/will they be protected?

• Where do data come from?

• Are third parties involved?

• How are they controlled?

– ISAE 3402

– ISO (27000, 28500, 9000).



relevant?



Identify Areas for Solution

• Designing the enterprise analytics solution(s)

• Getting the solution(s) pre-approved

• Designing the controls for the risks expected – InfoSec

– Privacy

– Information Assurance?

– Corporate Risk Management!!!



relevant?



Prioritize Findings

• Were other projects identified?

• What are the risks related to them?

• What are the insights expected?

• Shall they be protected?

• Decide on execution in a controlled manner!!!



relevant?



Determine Scope

• Be realistic on the scope for the selected project(s)

• How will risks be mitigated?

• How is ROI going to be impacted?

• Be proactive, not reactive

• Preventative and not remedial

• This is your last call before execution!!!



relevant?



Present Findings

• Consider InfoSec and Privacy risks KPIs when presenting results

• Stakeholders will appreciate knowing outcomes and how we are protecting it

• Support of stakeholders is critical, this includes:

– Risk identification

– Control definition-design-operation



relevant?



Solution Preview

• Compare outcomes to expected results

• Was it protected as expected?

• Are adjustments needed?

• Does this include InfoSec and Privacy?

• Let’s start again!!!



relevant?

http://www.nearshoreamericas.com/information-security-privacy-considerations-implementing-business-analytics/

















So What?



InfoSec and Privacy Considerations


• On Information Security and Privacy for Big Data, we can have all the traditional concerns, PLUS:

– Protecting the intellectual capital of the

organization derived from analytics – Protecting many/most data which are likely more

vulnerable and less well controlled than in their native repositories

– Concentration of information assets increases the fiduciary and due diligence risks normally encountered

– New, open source, possibly less reliable technology increases the risk of loss or non-availability


#BigData @LPMN_ca @CarlosChalicoT • Privacy drivers are less directly financial, but

very close to the consumer’s heart • Share price, reputation, sales, profit, political

survival can all be affected negatively OR positively by privacy related issues

• Legal requirements are a complex patchwork of conflicting jurisdictional rules, and some include potentially huge fines and penalties

• Privacy requires BOTH a technical and a legal/administrative approach to compliance






• Protecting the privacy of individuals from composable risk, as well as general disclosure

• Ensuring transparency, consent, agreed use • Difficulty in identifying personally identifiable

information – PII requires compliance to vague and complex regulations and statutes

• Enhanced target for identity thieves and others





Risk Mitigation • Appropriate governance framework • Appropriate internal control framework • Appropriate internal controls Including but not limited to • Policies and procedures • Security and privacy technology • Design for security, privacy • Monitoring, Audit and Continuous Auditing • Organizational design and allocation of duties • Intelligent hiring, training and enforcement





Governance

• Governance provides a structure or framework through which:

the objectives of the organization are set

the means of attaining these objectives is determined

performance measurement and monitoring is prescribed

• Governance process implements governance objectives




Frameworks • ISO standards for the implementation of

security • GAPP for the development of necessary and

sufficient privacy controls • ITIL for information technology services • COBIT for internal control on IT






Robert Lewis

“You are what you are when no one is looking”



http://www.ioew.de/uploads/tx_ukioewdb/future-IOEW_CSR-Study_Summary.pdf

Sponsored by: German Federal Ministry of Environment, Nature Conservation and Nuclear Safety


Ethics on Big Data




“Big Data is the mantra right now. Everyone wants to go there, and everyone has these stories about how it might benefit us” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, a San Francisco-based non-profit organization specializing in free speech, privacy and consumer rights. “One of the things you learn in kindergarten is that if you want to play with somebody else’s toys, you ask them,” Tien said. “What is distressing, and I think sad, about the big data appetite is so often it is essentially saying, ‘Hey, we don’t have to ask.’”

Source: Ethics of Big Data, Kord Davis

Ethics on Big Data




Ethics on Big Data




There was one capable of identifying who is pregnant

What can happen

• There was one capable of identifying who is pregnant

Ethics on Big Data



Closing


• Are InfoSec and Privacy important on Big Data and Analytics?

• Is Project Management relevant when dealing with this stuff?

• Is Privacy dying?

• What will you do now?

• How will you do it?



Admiral Ackbar

“It’s a trap!!!”



Final Announcements

• September 21-22, Latin CACS, Mexico City, Internet of Things and Privacy

• October 22, Hispanotech, Toronto, Internet of Things

• October 29, Asobancaria, Bogotá, Privacy



Thank you

Carlos Chalico LI, CISA, CISSP, CISM, CGEIT, CRISC, PbDA, ISO27000LA

Ouest Business Solutions Inc.

Director Eastern Region

[email protected]

(647)6388062

@CarlosChalicoT

@carloschalico

mailto:[email protected]

LPMN Big Data & Business Analytics

Documents

Transcript of LPMN Big Data & Business Analytics