Auditing your (Big) Data Strategy
Transcript of Auditing your (Big) Data Strategy
Presented by:
Stewart Mantell
General Manager, Internal Audit
TAL
Intro
• Why is data important
• The new oil?
• Value of Data
• Data risk
Source: APRA
Understanding your data (strategy)
• Does your organisation understand its data
  • “Knowing is half the battle”
• Data classification
• Context is key
  • What, why, where, how
Knowing where your data is
• Data sources and uses proliferate
• Is data held internally, or with providers
• Think laterally
• Shadow IT and growth of cloud services
Source: IIA
Data Classification – a foundation
• Data classification
  • Criticality and sensitivity
  • Content, context, user
• A number of general definitions
  • Generally available / public / unclassified
  • Internal use only
  • Confidential / restricted
  • Commercial in confidence / highly restricted
• Tools can be used to gather information, but…
Source: AWS
Auditing Considerations
• Regulatory considerations
  • Consideration of approach / design in line with regulatory guidance, e.g. CPS 231, 232, 234
• Vendor / legal risks
  • Privacy regime / jurisdiction
• Customer Consent
• Organisational Risk Appetite
• Termination of services and repatriation of data
Auditing Considerations (contd)
• Technology considerations – what are the threats
  • Based on architecture, on-prem vs cloud
  • Look at layers – infrastructure and app
  • Threat analysis: data breach, malicious encryption, fraud, DoS, APT
• Operational considerations – how is data being used
  • Predictive vs reactive, system of record vs system of insight / enquiry
• Governance, Monitoring, Testing
Cloud
• Increasing use of cloud as part of Big Data strategies
• Shared service model for controls
• Audit assurance over cloud providers
Source: AWS
Source: APRA
CPS 234 – Information Security
• Resilience against information security incidents (including cyberattacks)
• Maintain an information security capability that is commensurate with information security vulnerabilities and threats.
Key elements of CPS 234:
• Governance & policy framework
• Information security capability
• Defined information assets
• Documented controls
• Systematic testing program
• Internal audit review
• Notification process
Leveraging the use of Big Data
• Use Big Data for Internal Audit Analytics
• Rise in the use of Data and Big Data and harnessing that for Internal Audit
• Make the most of scarce audit resources
Guidance on managing and auditing (big) data risk
• IIA – GTAG Understanding and Auditing Big Data
• CPG 235
• CPS 234
• APRA Cloud guidance
• ISACA
Summary
• Context is key to understanding big data risk
• Data classification is a foundation
• There are specific considerations when using cloud
• CPS 234 is driving focus on security, but don’t forget about quality
• Harness data and big data for audit work
• Leverage industry thinking: IIA, APRA, ISACA