ISO/IEC 27045 — Information technology — Big data security and privacy — Processes [DRAFT]
This standard aims to improve organizations’ capabilities for security and privacy around big data.
Scope and purpose
The standard will deliver a process reference model, assessment and maturity models for big data security and privacy.
The models will focus on architecture of the processes used to achieve big data security and privacy, particularly the maturity of those processes.
The processes will include a set of indicators of process performance and process capability to be used as a basis for collecting objective evidence, enabling an assessor to assign ratings.
Content of the standard
The processes may be:
- Organisational such as compliance management, data sharing agreements, governance of big data, data asset management and data supply chain management;
- Technical such as data source verification and recording, big data de-identification, instrumenting for data traceability and big data analytical security;
- Managerial such as metadata management, data rights management, big data incident management, big data risk management, data quality management, data categorization and classification, data disposal management and logging and auditing.
Status of the standard
The project started in 2018.
It is currently at 4th Working Draft stage and is due to be published in 2022.
We do not know, yet, precisely what is meant by “big data” since the term is presently undefined, although 30 other terms are formally defined.
The initial proposal referred to mobile Internet, IoT and cloud leading to big data, and was angled towards addressing security and privacy issues arising from the sharing of data across those realms.
In the context of this standard, big data may mean:
- Conventional but large, complex, high-volume IT systems;
- Extensive networks of IT systems;
- Truly colossal data sets that are too big and too dynamic for conventional database systems; or
- Something else entirely. Outsized ones and zeroes maybe. DATA perhaps.
The 4th Working Draft introduction states, enigmatically:
“The emerging big data technologies are extensively used in all industries all over the world, and it’s widely accepted that business development today is achieved by big data to some extent. Big data security is not the security of big data technology, but rather data security in a big data environment. Big data has the key data characteristics of high volume, high velocity, high variety and high variability, and also the key data processing characteristics of high volatility, high veracity and high value. These characteristics introduce additional risks and thus challenges on the security and privacy aspect of big data. The risks and challenges have been described in detail in clause 5.1 of ISO/IEC 20547-4. For example, “variety” refers to a wide range of data types and sources, including structured, semi-structured and unstructured data, production, financial and other business data, as well as text, audio, video, pictures, geographic location information, etc. Traditional security controls for an information system are not enough to satisfy the security and privacy aspect of big data. So, the processes like “data categorization and classification”, “data source verification and recording” and “metadata management” are needed.
This document provides processes for organizations to build and improve their big data security and privacy capabilities based on big data security and privacy concerns analyzed in ISO/IEC 20547-4.”
We shall see how it turns out.