Responsible Big Data Governance: Preventing Regulatory Overreaction

Transcription

1 Responsible Big Data Governance: Preventing Regulatory Overreaction Paulo Pereira Chief Data Architect and Governance Leader March 22th, 2015 Imagination at work

2 The Industrial Internet What happened when 1B people became connected? What happens when 50B machines become connected? Entertainment is digitized Social marketing emerged Communications mobilized IT architecture virtualized Retail and ad transformed Consumer Internet Monitoring to component levels Predictive maintenance Energy and fuel efficiencies Virtualized operations technology Workforce transformation Industrial Internet

3 The Industrial Internet is about smart machines, it s about real-time analytics, it s about modeling performance. Think zero unplanned downtime, optimal asset performance, optimal enterprise performance. Doing those things is the next wave, we think, of productivity and profitability General Electric Company - All rights reserved Jeff Immelt, GE Chairman and CEO

4 Industrial Internet The Power of 1% Note: Illustrative examples based on potential one percent savings applied across specific global industry sectors. Source: GE estimates 2015 General Electric Company - All rights reserved 4

5 Industrial Big Data Let s talk BIG Data generated from one of many machines at one of many plants producing a specific personal care product

6 Industrial Big Data Fast and Vast BEFORE 1 KB / FLIGHT 30 PARAMETERS 3 SNAPSHOTS / FLIGHT Takeoff (average diagnostics) Cruise (average diagnostics) Landing (average diagnostics) NOW 500 GB / FLIGHT 5,000 PARAMETERS 1 SNAPSHOT / SEC Air Speed Calibrated Altitude Cooling Valve Position Exhaust Gas Temperature Fuel Flow Ground Speed and more

7 With Business Opportunity Comes Data Regulation Electronic Transmission Protection Laws Data Breach Notification Laws* Federal Regulations HIPPA, PCI, SOX, Threats Vulnerabilities Risks Confidentiality Integrity Accountability Internal Policies Audit Trail Tracking *As of Jan/15 Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data breach notification legislation GE operates in over 160 Countries 7

8 CSA Cloud Controls Version Example of Data Lifecycle Management Controls Control Domain* CCM V3.0 Control ID Control Specification Scope Applicability** Data Security & Information Lifecycle Management DSI-01 Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization. AICPA 2009 TCM, AICPA 2014 TCM BITS Shared Assessments COBIT 4.1/5.0 95/46/EC - European Union Data Protection Directive FedRAMP Security Controls GAPP HIPAA / HITECH Act ISO/IEC ISO/IEC PCI DSS v2.0/v3.0 <several additional refer to CCM V3.0 doc> * The CCM covers several additional relevant domains such as Application & Interface Security; Audit Assurance & Compliance; Business Continuity Management & Operational Resilience; Change Control & Configuration Management; Datacenter Security Asset Management; Encryption & Key Management; Data Governance and Risk Management; Human Resources; Mobile Device Management; Identity & Access Management; Infrastructure & Virtualization Security; <several additional refer to CCM V3.0 doc> ** The CCM v3.0 specifies the articles in each regulation that each controls covers

9 Standardization of Controls CSA - Cloud Controls Version Provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider Strengthens information security control environments by delineating control guidance by service provider and consumer, and by differentiating according to cloud model type and environment Provides a controls framework in 16 domains that are cross-walked to other industry-accepted security standards, regulations, and controls frameworks to reduce audit complexity Seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud

10 Compliance Process for Big Data Compliance Objectives Embed regulatory and security controls into the process and infrastructure automated compliance Monitoring and tracking of regulatory changes and automation of rules affective data compliance Areas to Consider Approach Support Data Transfer / Encryption Data Storage and Retention Policy Contractual Requirements Privacy Requirements Data Access and Controls Sensitive Data/Classified Data Data Inventory Review current rules and storage Apply Data Classification standards Risk Assessment Identify Legal and Regulatory Requirements Audit Teams Business Legal/Security Compliance External legal providers Process owners Industrial teams New Technologies

11 Why a Graph Database? Impact Data Domain Which regulations affect data controls and business outcomes Analysis Audit Controller System Alert Model The questions we want answered required traversal of tree structures. Inventory Ops Outcomes Work Order Schedule Factory

12 Delivering an Integrated View in Context UX Perspectives Business Technical Legal Infrastructure to integrate and manage information inventory Graph Technology Applications Framework Workflow Engine Metadata captured/maintained Automatically Semi-automatically Manually Requirements Regulations Roles Identity Technology Documents Outputs Data Security Processes Audits Context

13 Understanding Regulatory Impacts in Business Outcomes Business Catalog Parties Depende ncies Business Outcomes Business Process Projects and Initiatives Business Context Impact What-If Constraints 13

14 Key Takeaways The scope for transformation in the Industrial Internet is tremendous The potential impact of Industrial Internet technologies spans almost half of the global economy and more than half of the world s energy flows The industry has a responsibility to protect this growth area by using data responsibly Big Data is part of this paradigm shift Due diligence is key in selection of vendors/products and interoperability to support your governance goals New technologies have to be leverage to deal with the increasing regulatory pressures Simplification and Automation will Determine Your Growth Speed Companies should invest in new processes and technology to quickly determine impacts and implement changes Consider virtualization, standardization of controls and cloud methods to drive process innovation 14

15