Privacy and Information Governance Challenges in the Age of Big Data

Montréal, Québec, October 21, 2014

Jerrard B. Gaertner, CPA, CA, CISSP, CISA, CGEIT, CIPP/IT, CFI, CIA, I.S.P., ITCP

© 2014 Jerrard Gaertner and Managed Analytic Services Inc.


Disclaimer

This presentation does not constitute legal or professional advice. The opinions expressed are those of the presenter and do not represent those of the Canadian Information Processing Society or Managed Analytic Services Inc.

American, Canadian and European Union laws and regulations differ from each other in substantive ways. Although every effort has been made to ensure the accuracy of this material, the author assumes no responsibility for its accuracy, completeness, applicability or currency.

Consult your legal, security and/or privacy practitioner(s) for more detailed information on these topics.


Your Presenter


How Did We Get Here?


Business Imperative!


Deriving Value Often Requires Process Change and Inter-Departmental Cooperation


May I Have This Dance?


Do Not Rely on Strictly Technology Solutions

They WILL fail!


All Eggs in One Basket


Big Data has Special Risks

1. Concentration creates high value targets
2. Where did each element come from, is it accurate, unique, current? Data quality issues are significant
3. Lower established reliability and less familiarity, greater inherent complexity, increase risk of error
4. Logical analysis, process re-performance not always possible. Untestable processing leaves residual risk
5. ETL process can be complex & time consuming
6. On line and off line processes pose different risks
7. Big Data sometimes falls between the cracks in the application of security and privacy policies


Big Data has Big Business Risks That Can Lead to Security, Privacy and Compliance Failures

1. Very few certified vendors or 3rd party certified installations which can be relied upon from a due diligence perspective

2. Lack of experience leads to unrealistic expectations, under-resourcing, pressure to produce

3. Outside expertise can be costly – in house bootstrapping problematical

4. Deriving value is not the same thing as finding an answer or a pattern


Big Data Risks

• Concentration, Conversion (ETL) and Data Quality Risks
• Few Security and Privacy Tools
• Staff Lack Familiarity and Training
• Architectural Complexity
• Lack of Proven Reliability and 3rd Party Certification
• Unrealistic Expectations and Pressure to Produce
• Difficult to Test in Conventional Ways


The Basics

• Governance and IT governance
• Framework and standards applied
• Security and privacy standard adapted
• Risk based approach
• Innovative application of standard control technologies
• Human and organizational components are critical
• Enforcement and 3rd party oversight


Some Hints from Experience

1. Training and awareness are critical
2. Strong organizational and administrative controls can compensate for many deficiencies
3. It is rarely as simple or as effective as Vendors would like you to believe – always do your own due diligence
4. People will try to circumvent controls if they feel they are hampering efficiency
5. It is often most difficult to deliver intangible deliverables – security, privacy control, processes and procedures, documentation – and these are most often sacrificed on the altar of budget and schedule


Some More Hints

6. Apply limited resources where they will have the greatest impact – always consider risk
7. Segregating, sandboxing, limiting, logging, exception reporting, validating are tried and true techniques that still work
8. Never use default security passwords
9. Open source is a double edged sword to be treated always with respect
10. A little encryption is better than none – as long as you know what you’re doing
11. Automated ETL tools can save a LOT of time
12. IT staff are custodians of the data – not its owners


Baby & the Bathwater?


Retention, Preservation & Destruction – Or Not?


Predictive Analytics – A Very Special Case


The Road Ahead

It's easy to see…


Jerrard Gaertner CPA, CA•CISA/IT, CGEIT, CISSP, CIPP/IT, CFI, CIA, I.S.P., ITCP

[email protected]@managedanalyticservices.com

1-416-505-0307

Thank you!
