Page 192 - Building Big Data Applications

Chapter 10 Building the big data application 191


The last section is a quick discussion of risks and best practices for application development. Risks are present at all times around every aspect of data. The data ecosystem attracts a lot of uninvited visitors and intruders, who need to be kept at bay. The risk assessment shown here is a starter kit for all data-related applications; the areas cover most of the relevant subjects and can be expanded for your specific requirements.

Risk assessment questions


Information security policy
1. Information security policy document
   Does an information security policy exist that is approved by management, published, and communicated as appropriate to all employees?
   Does it state the management commitment and set out the organizational approach to managing information security?
2. Review and evaluation
   Does the security policy have an owner who is responsible for its maintenance and review according to a defined review process?
   Does the process ensure that a review takes place in response to any changes affecting the basis of the original assessment, for example significant security incidents, new vulnerabilities, or changes to the organizational or technical structure?

Information security infrastructure

1. Allocation of information security responsibilities
   Are responsibilities for the protection of individual assets and for carrying out specific security processes clearly defined?
2. Cooperation between organizations
   Are the appropriate contacts with law enforcement authorities, regulatory bodies, utility providers, information service providers, and telecommunication operators maintained, to ensure that appropriate action can be taken quickly and advice obtained in the event of an incident?
3. Independent review of information security
   Is the implementation of the security policy reviewed independently on a regular basis? This provides assurance that organizational practices properly reflect the policy, and that the policy is feasible and effective.

Security of third-party access
1. Identification of risks from third parties
   Are risks from third-party access identified and appropriate security controls implemented?
   Are the types of access identified and classified, and are the reasons for access justified?