ISO/IEC 27045

ISO/IEC 27045 – Information technology — Big data security and privacy — Processes [DRAFT]

Introduction

It was intended to improve the ability of organizations to secure and protect their big data until 2021 when the project was re-started.

Scope and objectives

Among the benefits of the standard are a process reference model, assessment tool, and maturity model.

The models will examine architectures of the processes used to accomplish big data security and privacy, particularly the maturity of those processes.

There will be a set of indicators of process performance and process capability that will be used as the basis for collecting objective evidence that will allow an assessor to rate the processes.

The content

Possible processes are:

– Organizational aspects including compliance management, data sharing agreements, governance of huge data sets, and managing the supply of big data;
– Technical such as data source verification and transcription, de-identification of large data sets, data traceability instruments, and analytical security for big data;
– Managerial, which includes metadata management, information rights management, big data incident response, big data risk management, data quality management, data categorization and classification, data disposal management, data logging, and auditing.

The standard’s status

In 2018, the project began.

Six working drafts were produced before the project was halted and reverted to a preliminary work item – essentially starting over.

Commentary

Currently, there is no definition of “big data”, although 30 other terms have been defined formally.

A preliminary proposal focused on the mobile Internet, IoT, and cloud leading to big data, to address security and privacy concerns raised by the sharing of information across those domains.

Big data may refer to the following in the context of this standard:

– Large, complex, high-volume, conventional IT systems;
– An extensive network of IT systems;
– Big and dynamic data sets that are beyond the capabilities of conventional database systems; or
– Something completely different. Maybe there are a lot of ones and zeroes. Possibly DATA.

According to the introduction to the 4th Working Draft, the following is written:

“The emerging big data technologies are extensively used in all industries all over the world, and it’s widely accepted that business development today is achieved by big data to some extent. Big data security is not the security of big data technology, but rather data security in a big data environment. Big data has the key data characteristics of high volume, high velocity, high variety and high variability, and also the key data processing characteristics of high volatility, high veracity and high value. These characteristics introduce additional risks and thus challenges on the security and privacy aspect of big data. The risks and challenges have been described in detail in clause 5.1 of ISO/IEC 20547-4. For example, “variety” refers to a wide range of data types and sources, including structured, semi-structured and unstructured data, production, financial and other business data, as well as text, audio, video, pictures, geographic location information, etc.
Traditional security controls to an information system are not enough to satisfy the security and privacy aspect of big data. So, the processes like “data categorization and classification”, “data source verification and recording” and ”metadata management” are needed.
This document provides processes for organizations to build and improve their big data security and privacy capabilities based on big data security and privacy concerns analyzed in ISO/IEC 20547-4.”

Let’s wait and see what happens.