@ISACA Volume 12  12 June 2019

4 Vs of Big Data

By Leighton Johnson, CISA, CISM, CIFI, CISSP

Big data requires strong data handling processes in data-intensive systems. Today, with the incredible growth of data collection into systems of diverse kinds and sizes around the world, we need to understand big data basics for review, audit and security purposes. The characteristics of big data that force new architectures are as follows:

  • Velocity (i.e., rate of flow)
  • Volume (i.e., the size of the dataset)
  • Variety (i.e., data from multiple repositories, domains or types)
  • Veracity (i.e., provenance of the data and its management)

These 4 characteristics are known colloquially as the Vs of big data. The 4 Vs are used in the following ways:

  • Velocity describes the speed at which data are processed. The data usually arrive in batches or are streamed continuously. As with certain other nonrelational databases, distributed programming frameworks were not developed with security and privacy in mind. Malfunctioning computing nodes might leak confidential data. Partial infrastructure attacks could compromise a significantly large fraction of the system due to high levels of connectivity and dependency.
  • Volume describes how much data are coming in. This typically ranges from gigabytes to exabytes and beyond. As a result, the volume of big data has necessitated storage in multitiered storage media. The movement of data between tiers has led to a requirement to catalog threat models and survey novel techniques. This requirement is the threat model for network-based, distributed, auto-tier systems. One benefit of having large volumes of data is that analytics can be performed to help detect security breach events. This is an instance where big data technologies can help to fortify security.
  • Variety describes the organization of the data including whether the data are structured, semi-structured or unstructured. Retargeting traditional relational database security to non-relational databases has been a challenge. These systems were not designed with security and privacy in mind, and these functions are usually relegated to middleware. Traditional encryption technology also hinders the organization of data based on semantics.
    An emerging phenomenon introduced by big data variety is the ability to infer identity from anonymized datasets by correlating with apparently innocuous public databases. Sensitive data are shared after sufficient removal of apparently unique identifiers and indirectly identifying information by the processes of anonymization and aggregation.
  • Veracity includes provenance and curation. Provenance is based upon the pedigree of the data, the metadata and the context of the data when collected. This is important for both data quality and for protecting security and maintaining privacy policies. Big data frequently moves across individual boundaries to groups and communities of interest and across state, national and international boundaries. An additional area of the pedigree is the potential chain of custody and collection authority of the data. Curation is an integral concept that binds veracity and provenance to principles of governance and data quality assurance. Curation, for example, may improve raw data by fixing errors, filling in gaps, modeling, calibrating values and ordering data collection. Furthermore, there is a central and broadly recognized privacy principle incorporated in many privacy frameworks (e.g., the Organisation for Economic Co-operation and Development [OECD] principles, the EU General Data Protection Regulation [GDPR], Fair Trade Commission [FTC] fair information practices) that data subjects must be able to view and correct information collected about them in a database.
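
The re-identification risk described under Variety can be measured before a dataset is shared. The following Python code is an added example, not part of the original article: it computes k-anonymity over quasi-identifiers and shows that generalization alone can leave a unique record that must be suppressed. The field names, sample records and choice of quasi-identifiers are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" extract: direct identifiers (name, ID)
# are already removed, but quasi-identifiers remain.
RECORDS = [
    {"zip": "30301", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"zip": "30301", "birth_year": 1971, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "30301", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "30318", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"zip": "30318", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip": "30318", "birth_year": 1962, "sex": "F", "diagnosis": "cancer"},
]
# Assumption: these are the columns an outsider could match against public data.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

def class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """k is the size of the smallest equivalence class; k == 1 means a unique record."""
    return min(class_sizes(records, quasi_ids).values(), default=0)

def at_risk(records, quasi_ids, k_required):
    """Return the records whose equivalence class is smaller than k_required."""
    sizes = class_sizes(records, quasi_ids)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_ids)] < k_required]

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, decade of birth, sex masked."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    out["sex"] = "*"
    return out

def release(records, quasi_ids, k_required):
    """Generalize every record, then suppress any still in a class below k_required."""
    coarse = [generalize(r) for r in records]
    sizes = class_sizes(coarse, quasi_ids)
    return [r for r in coarse if sizes[tuple(r[q] for q in quasi_ids)] >= k_required]

if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization only:", k_anonymity(coarse, QUASI_IDENTIFIERS))
    released = release(RECORDS, QUASI_IDENTIFIERS, 2)
    print("k after suppression:", k_anonymity(released, QUASI_IDENTIFIERS),
          "records released:", len(released))
```
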

Big data systems and analysis by organizations large and small are here to stay, and we need to stay up to date with the technologies, analytics and utilization of these types of systems as they advance in the future.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


The Evolving Role of the CIO



Interested in learning what the role of the chief information officer (CIO) is and how it is evolving? What are some of the challenges CIOs face in their daily work, and what are the required skills, knowledge and attributes needed to successfully lead an enterprise? Attend the “Blazing a Path to the C-Suite With the CIO of Chicago” webinar, presented by ISACA and the ISACA Tallahassee (Florida, USA) Chapter.

This webinar will be led by Danielle DuMerer, CIO and commissioner for the city of Chicago’s (Illinois, USA) Department of Innovation and Technology (DoIT). She will take participants on a journey along her path to becoming a CIO, including the challenges she faced as a woman and how she overcame them. This webinar takes place on 19 June at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

DuMerer and her DoIT team create responsive and accessible digital services to improve how residents interact with government. She previously served as the city of Chicago’s chief technology officer (CTO), developed educational technology products at the McGraw-Hill Companies and worked in the library and archives field. She has served both educational and nonprofit organizations to promote equitable access to and preservation of information resources. She will use her experience to guide you on your own path to the C-suite and to help you understand the challenges CIOs face and how the role is changing.

To learn more about this webinar or to register for it, visit the Blazing a Path to the C-Suite With the CIO of Chicago page of the ISACA website.


New Insights for the State of Cybersecurity


ISACA surveyed security managers and practitioners for its global State of Cybersecurity survey in November 2018. The survey’s insights and findings can be found in the State of Cybersecurity 2019 report. This report aims to help cyberprofessionals manage, understand and address current cybersecurity trends, including identifying prevalent attacks, determining effective security awareness programs and implementing successful reporting structures to combat these attacks.

The State of Cybersecurity 2019, Part 2: Current Trends in Attacks, Awareness and Governance analyzes current trends in cybersecurity attack vectors, response methodologies, organizational governance and program management. These trends include stabilization of attacks across the industry, underreporting of cybercrime, and reporting structures and governance that best support cybersecurity teams’ mitigation of attacks.

To learn more, download the complimentary white paper by visiting the State of Cybersecurity 2019 page of the ISACA website.


ISACA Podcast Now Available on Stitcher



The ISACA Podcast, which provides coverage of and unique perspectives on IT audit, security, governance and risk issues affecting organizations today, is now available on the Stitcher app. Stitcher can be accessed through iOS devices, Android devices and a web player.

Recently, ISACA recorded a podcast about IT recruiting and retention on the floor of its North America CACS conference. In this podcast, Sandy Silk, director of information security education and consulting at Harvard University (Cambridge, Massachusetts, USA) and speaker at NA CACS, shares some strategies for removing unconscious bias from the hiring process. She goes beyond the discussion during her session and talks about imposter syndrome, how to build a positive interview experience for candidates and strategies to retain employees.

In addition to Stitcher, the ISACA Podcast is also available on the ISACA Podcast page of the ISACA website and can be streamed or downloaded from iTunes, Google Play or SoundCloud. Subscribe to the podcast so you never miss a new episode.