Privacy and Testing.
First let me introduce myself. My name is Robert Galambos and
I have more than 17 Years experience in the field of 'Data Privacy' and
Data Access/Management. I have two certifications under my belt.
CIPP/C and CIPP/IT (Certified Information Privacy Professional/Canada and
Certified Information Privacy Professional Information Technology).
But enough about me.
So first, let's look at some basic information as we get started.
You have an IT department.
This department processes various data items (stuff) that helps run
You are also fairly certain that your data is 'SAFE' or so you have been
told. Your IT department (either inside or outsourced) is consistently
upgrading the system(s) based on requests from the users (that's you)
or adding to capacity or getting the latest gadgets etc.
This may include adding additional security functionality to your computer
systems, for example, 2 pass authentication.
And these are probably good things, helping to better service
your customers/business and making sure your competitors can't access
any of your data. etc.
For any changes to occur successfully, they have to be tested fully
before they are put into the 'real world'. This is to prevent the change
from causing headaches, or maybe something even worse. This is what you can
call due diligence.
The above series of statements apply to about 95% of all businesses
that have any sort of web presence, automated processes etc.
So far so good?
But what does all that mean?
It means that the 'real world' (production) data (examples like
your customer's tax-id, credit card number, is safe (or so we hope)). These
'things' are called Personal Identifiable Information (PII).
Most companies recognize that strict protection must be in
place to help prevent sensitive information, whether PII(see above) or
company information, from getting out.
However (you knew this was coming didn't you?) there may be some other
areas where that same strong protection is not 'there'. And this could be
extremely hazardous to your company's future.
Let me explain.
Most IT departments maintain at least two environments, one that runs
your business (what I refer as the 'real world') and the other to
test/develop the changes that your company needs/wants.
Probably your Company's IT department has at
least one separate test environment(and probably a lot more).
This test environment may contain production/real data that will then
be used for testing. It may have only a sample of the real data or maybe
some made up data (a topic for a later post)or a combination of the two).
'There is no better data to test with than production data' or so the
thought process goes.
(The scary part is next)
Your company MAY BE in jeopardy of contravening
some privacy laws either in your own country, or a country where you may
have a branch office or even only where some of your customers who like
your product/service live/work.(isn't the internet grand?).
(more on this in a latter post)
Your company may also have an increased risk of a data breach.
Those test 'areas', which I mentioned above, may have some production data
that is there 'only for testing purposes'. Yet by their very nature
this same data will not be as secure as production.
For example, you may have people needing to access the test/change
environment(I.E. consultants, programmers, tester etc.) for their day
to day work tasks. This results in needing more 'open' access rules.
Imagine a programmer throwing out some reports he was testing and then
the report being found in a trash bin? with the sensitive information
No one wants to be on the front page of the WSJ.
Yet that may just happen. A recent study stated that more than
70% of all data breaches (exposure of sensitive data) are
NON malicious in nature.
Next post I will address these issues as well as exploring other issues of
concern within the Testing/Data Privacy realm.
If you have any comments, good/bad or questions feel free to drop me a line
Robert Galambos CIPP/C CIPP/IT
IBM certified DB2 z/OS DBA