Michael Josephs

1. The Dark Side of Big Data ……………………………………………... CIO, StrataCare, A Xerox Company Michael Josephs

3. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data 3 It’s a Gold Mine Growth in Data Production –2.5 quintillion bytes estimated to be generated from sources such as online or mobile financial transactions, social media traffic, and GPS coordinates (1) –450 billion transactions per day by 2020 on the internet (B2B and B2C) has been estimated by IDC. –44 fold increase in overall data production 2020 over 2009 predicted (2) Replicated Costs & Risks: Many captured transactions are replicated 5 times (or more) Employee BYOD: Cisco survey found 89% of companies already have employee BYOD for work. (1)World Economic Forum Big Data, Big Impact: New possibilities for international development (2)CSC –Big Data Universe What Can You Do With It? $Accelerate More Intelligent decisions: Large data sets allow for more accurate instrumentation of processes for improved business results $Improve Services: Optimize distribution methods, better evaluate and allocate risk and detect fraud $Target Sales: More granularly segment customers and potential customers for more efficient business development $Create New Revenue Streams: Establish derived products and services We Breathe Data

4. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data Big Data Has a Dark Side 4 It’s a Gold Mine What Can You Do With It? $Accelerate More Intelligent decisions: Large data sets allow for more accurate instrumentation of processes for improved business results $Improve Services: Optimize distribution methods, better evaluate and allocate risk and detect fraud $Target Sales: More granularly segment customers and potential customers for more efficient business development $Create New Revenue Streams: Establish derived products and services Cost and Risk Continuum Security Regulatory Compliance Liability Litigation and Discovery Infrastructure

5. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data Most Significant Risks and Costs Aren’t Always Clearly Visible 5 Emerging Statutory Compliance & AuditsContractual Nuance and StipulationsExisting Infrastructure and SecurityeDiscovery ObligationsEvolving the Infrastructure & Security ApproachEstablish Service Level AgreementsRefine Data Retention Policies/ProceduresPrivacy by Design

6. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Existing Infrastructure and Information Security 6 Data Segments Are Often Replicated Up To 5XTransactionalDB Mirror EDW Replicated Costs ++ –Standard data topologies often include 5 or more replications of data that must be protected –Technical and procedural approaches must be established and maintained for all of them –Separate (yet equally stringent) technical and procedural approaches are often needed for the business ecosystemThird Party Ecosystem DR/BC

7. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Existing Infrastructure and Information Security 7 What is Going On Where is it Going –Executives are becoming more risk averse than ever before –At the same time, Big Data initiatives sometimes get a hall pass from complete business case rigor –Evolving Standards •Standards for what constitutes acceptable risk for sensitive data protection is changing rapidly •As a result, owners of sensitive data are continually reexamining their data security standards and security programs –Third party vendors and data custodians are under increasing pressure (& scrutiny to reduce risk levels) –IT Budgets are shifting emphasis from innovation to risk reduction Challenge is operating one comprehensive data security program (while adhering to customers “a la carte” data security demands) –Experienced InfoSec staff are in great demand, making hiring and retention increasing difficult –More targeting of standard management frameworks (ISO 27001:2, etc.) for data hosting and the security programs aimed at its protection –Data custodians retaining unlimited liability for data breach (no caps) and for ensuring subcontractors meet the same data security SLA’s –Increasing investment in data masking is becoming foundational to any data custodianship platform

8. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Regulatory Compliance 8 What is Emerging Responding –Expanding Laws and Regulations: Expansion but without harmonization •Government Frameworks (FTC; The White House) •Complex international laws and regulations (EU, Canada, Australia, Asia, Latin America) –State Data Security and Privacy/Data Breach Laws: now 47 states have adopted laws that in many respects are far more rigorous than HIPPA/HITECH) –Know which laws and regulations apply to your (and your customer’s) business –Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, GLB, etc.) –Monitor emerging state data breach laws •Notification to affected individuals •Notice to state AGs (FL, MA, CA) •Government consent decrees (FTC) Organizational Design: Ensure executive compliance oversight has appropriate organizational stature and authority

9. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Contractually Speaking 9 Trending…. Some Protective Steps –Hot Topic: Data security is one of (if not) the most hotly negotiated Terms and Conditions in data custodianship related contracts –Expanding SLA Coverage: Customers are now demanding that contract SLAs cover: Any and all federal and state laws and industry standards will apply to SLAs (even those that don’t apply) Data custodian retains unlimited liability for data breach (no caps) Data custodian remains liable for ensuring subcontractors meet all customer data security SLAs Data Custodian is responsible for breach notification Customers have audit rights Return/destruction of data (Data ownership remains a gray area?) Minimize the custom nature of provisions and align limitation of liability with insurance caps –Fully understand the cost of augmenting existing, or implementing and maintain new, security practices before contractual agreement (including the cost of ongoing audits) –Use of standards increasing as customers tend to bemore accepting of industry adopted management frameworks (ISO 27001:2, NIST, etc.), possibly reducing audit participation efforts –Maintain compliance, and documented third party verification, for legally required practice standards (HIPAA, PCI, etc.) –Blind Data/Feedback Licenses –Separate the cost of breach (vendor) notification from actual notification (customer)

10. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Contractually Speaking (Third Party Ecosystem) 10 Realities Dealing –The Weak Link: •Your data security program is as strong as your weakest subcontractor/provider •Many niche service providers are not able to meet fundamental state of the practice information security standards –Data Custodians Have Two Key Duties: •Duty to Protect: Covers appropriate and reasonable measures to protect data against a breach •Duty to Disclose: Notification of breaches to affected parties and regulators; material risks for public companies –Take a comprehensive, no-concession approach to vendor audits/assessments. –Consider sharing data only AFTER a vendor is fully compliant with security and practice requirements –Make access to your clients dependent on keeping pace with the state of the practice –Engage with 3rdparty credentialing services such as 3PAS Ensure your 3rdparty service provider contracts are as comprehensive as the ones you establish with your clients

11. © 2014 StrataCare, A Xerox Company All Rights Reserved. Big Data –Data Retention 11 What is Going On Here Getting Out Ahead –Establish a well vetted and documented data retention policy (a “default” scenario is rarely a good one) –Standardize customer and 3rd party vendor contracts and maintain a centralized record for reference and compliance audits –Implement secure data destruction mechanisms as part of the program Data retention policies must balance the risks of having “it” with the rewards of leveraging “it” –Responding to Risk: Organizations are radically re-thinking their data retention policies (where they exist) –Key Drivers (for revised data retention policies) include: •Customer contract T’s & C’s •Vendor record retention policies and procedures; •Litigation holds •Laws (SEC, IRS, FTC, etc.) •Industry standards •360 degree cost of retention –Heterogeneity: Managing client-specific data retention plans can be highly costly to administer

12. © 2014 StrataCare, A Xerox Company All Rights Reserved. –Deploy technology for supporting eDiscovery needs OR contract for these services –Use data masking (data de-identification) along with an effective Data Retention program to reduce data scope for eDiscovery needs –Ensure close interaction of legal, IT, accounting and other organizations for common understanding of record retention, destruction, and litigation hold policies and procedures Big Data –eDiscovery 12 Growing Costs Some Steps to Take –Possession: If you have “it” (whether or not you should have it), you may have to produce and preserve it •Party Litigant (via eDiscovery Demand) •Non-party witness •Subject of government investigations –No Place to Hide: Cost or burden of production rarely matters (no excuse), especially for party litigants •Discovery/production-related costs can be massive Consider whether forensic experts will be required •Sanctions/penalties for non-production/spoliation could be worse (i.e., Contempt, monetary sanctions) Continuously balance the benefit (actual or perceived) of retaining data against the costs and risks of protecting and managing it

Michael Josephs

Michael Josephs

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Similar a Michael Josephs

Similar a Michael Josephs(20)

Mais de daveGBE

Mais de daveGBE(8)

Último

Último(20)

Michael Josephs