auditing your (big) data strategy
Auditing your (Big) Data Strategy
Presented by:
Stewart Mantell
General Manager, Internal Audit
TAL
Intro
• Why is data important
• The new oil?
• Value of Data
• Data risk
Source: APRA
Understanding your data (strategy)
• Does your organisation understand its data
• “knowing is half the battle”
• Data classification
• Context is key
• What, why, where, how
Knowing where your data is
• Data sources and uses proliferate
• Is data held internally, or with providers
• Think laterally
• Shadow IT and growth of cloud services
Source: IIA
Data Classification – a foundation
• Data classification
• Criticality and sensitivity
• Content, Context, User
• A number of general definitions
• Generally available / public / unclassified
• Internal Use only
• Confidential / restricted
• Commercial in Confidence / highly restricted
• Tools can be used to gather information, but…
Source: AWS
Auditing Considerations
• Regulatory Considerations
• Consideration of approach / design in line with regulatory guidance e.g. CPS 231, 232, 234
• Vendor / legal risks
• Privacy regime / jurisdiction
• Customer Consent
• Organisational Risk Appetite
• Termination of services and repatriation of data
Auditing Considerations (contd)
• Technology Considerations – what are the threats
• Based on architecture, on prem vs cloud
• Look at layers – infrastructure and app
• Threat analysis: Data Breach, Malicious Encryption, Fraud, DoS, APT
• Operational Considerations – how is data being used
• predictive vs reactive, system of record vs system of insight / enquiry
• Governance, Monitoring, Testing
Cloud
• Increasing use of cloud as part of Big Data strategies
• Shared service model for controls
• Audit assurance over cloud providers
Source: AWS
Source: APRA
CPS 234 – Information Security
• Resilience against information security incidents (including cyberattacks)
• Maintain an information security capability that is commensurate with information security vulnerabilities and threats.
Governance & Policy Framework
Information Security Capability
Defined Information Assets
Documented Controls
Systematic Testing Program
Internal Audit Review
Notification Process
Leveraging the use of Big Data
• Use Big Data for Internal Audit Analytics
• Rise in the use of Data and Big Data and harnessing that for Internal Audit
• Make the most of scarce audit resources
Guidance on managing and auditing (big) data risk
• IIA – GTAG Understanding and Auditing Big Data
• CPG 235
• CPS 234
• APRA Cloud guidance
• ISACA
Summary
• Context is key to understanding big data risk
• Data classification is a foundation
• There are specific considerations when using cloud
• CPS 234 is driving focus on security, but don’t forget about quality
• Harness data and big data for audit work
• Leverage industry thinking IIA, APRA, ISACA