Saturday, March 2, 2013

Testing and Data Privacy, Is there an issue?

Privacy and Testing. 
First let me introduce myself. My name is Robert Galambos and 
I have more than 17 Years  experience in the field of 'Data Privacy' and 
Data Access/Management. I have two certifications under my belt. 
CIPP/C and CIPP/IT (Certified Information Privacy Professional/Canada and 
Certified Information Privacy Professional Information Technology).
But enough about me. 
So first, let's look at some basic information as we get started. 
You have an IT department. 
This department processes various data items (stuff) that helps run
your business.
You are also fairly certain that your data is 'SAFE' or so you have been 
told. Your IT department (either inside or outsourced) is consistently
upgrading the system(s) based on requests from the users (that's you) 
or adding to capacity or getting the latest gadgets etc. 
This may include adding additional security functionality to your computer
systems, for example, 2 pass authentication.
And these are probably good things, helping to better service 
your customers/business and making sure your competitors can't access 
any of your data. etc. 
For any changes to occur successfully, they have to be tested fully 
before they are put into the 'real world'. This is to prevent the change
from causing headaches, or maybe something even worse. This is what you can 
call due diligence. 
The above series of statements apply to about 95% of all businesses 
that have any sort of web presence, automated processes etc. 
So far so good?
But what does all that mean? 
It means that the 'real world' (production) data (examples like
your customer's tax-id, credit card number, is safe (or so we hope)). These
'things' are called Personal Identifiable Information (PII). 
Most companies recognize that strict protection must be in
place to help prevent sensitive information, whether PII(see above) or
company information, from getting out. 
However (you knew this was coming didn't you?) there may be some other 
areas where that same strong protection is not 'there'. And this could be 
extremely hazardous to your company's future.
Let me explain. 
Most IT departments maintain at least two environments, one that runs 
your business (what I refer as the 'real world') and the other to 
test/develop the changes that your company needs/wants.
Probably your Company's IT department has at 
least one separate test environment(and probably a lot more). 
This test environment may contain production/real data  that will then
be used for testing. It may have only a sample of the real data or maybe
some made up data (a topic for a later post)or a combination of the two). 
'There is no better data to test with than production data' or so the
thought process goes. 
(The scary part is next)
Your company MAY BE in jeopardy of contravening 
some privacy laws either in your own country, or a country where you may 
have a branch office or even only where some of your customers who like 
your product/service live/work.(isn't the internet grand?). 
(more on this in a latter post)
Your company may also have an increased risk of a data breach. 
Those test 'areas', which I mentioned above, may have some production data
that is there 'only for testing purposes'. Yet by their very nature 
this same data will not be as secure as production. 
For example, you may have people needing to access the test/change 
environment(I.E. consultants, programmers, tester etc.) for their day 
to day work tasks. This results in needing more 'open' access rules. 
Imagine a programmer throwing out some reports he was testing and then 
the report being found in a trash bin? with the sensitive information
still visible? 
No one wants to be on the front page of the WSJ.
Yet that may just happen. A recent study stated that more than
70% of all data breaches (exposure of sensitive data) are 
NON malicious in nature. 
Next post I will address these issues as well as exploring other issues of 
concern within the Testing/Data Privacy realm. 
If you have any comments, good/bad or questions feel free to drop me a line
Robert Galambos CIPP/C CIPP/IT 
IBM certified DB2 z/OS DBA 

View Robert Galambos CIPP/C CIPP/IT VA3BXG's profile on LinkedIn

No comments:

Post a Comment