Until now I have refrained from responding BUT I think I need to. First, to answer your question: depending on where the data comes from or resides, there may be a legal question. Both the EU and Canada, to name but two countries, have very 'strong' regulations concerning what a company can do with 'production data' (PII, personally identifiable information). Most US states have similar laws as well.

In simple terms, I allow your company to use my PII data to provide the services I contracted you for. I do not give permission for you to use my data for anything else. (This along with the aspect that in development, by its very nature, security is more open (i.e. more developers need access to the data to run their tests etc.)) More than 70% of all data breaches are non-criminal/accidental in nature.

And then there is the aspect of, should developers use full production data for testing? Depending on the type of testing, probably NOT. In unit testing a developer needs quick response to fix/create new code. He cannot afford to wait the 1 or more hours for a turnaround test for something that could take 10 mins to run if a sub-set of data is used instead.

As for SIT/UAT (system integration testing/user acceptance testing), there may be a need for full production data testing. BUT PII needs to be removed while still being functional. It does not matter if Robert or Kermit opens an account, and thus appears on a report, but with at least Kermit on a test report, no one can tell who he really is. Also, integration is not only for RI but between applications as well (i.e. change the name of Robert Galambos to Kermit the Frog in every application/data store it appears, whether on the MF or mid-tier).

So while there are tools out there (including the company I work for (shall I say they are the 'best' in breed, but again I am biased ;-) )), you need to develop an enterprise-wide solution to an issue that I can assure you won't go away, and MAY bite you in the rear (especially if your company makes the front page of the local/national paper because of a data breach). Privacy is not a profit maker, BUT it makes sure you don't make the headlines and then have to deal with the consequences.
Robert Galambos CIPP/C CIPP/IT
Compuware Senior Technical Specialist
IBM Certified Solutions Expert - DB2 UDB for OS/390 Database Administration
Certified Information Privacy Professional/Canada
Certified Information Privacy Professional/Information Technology
[email protected]
BLOG: blog.compuware.com
Tel: +1 905 886 7000
Toll Free: +1 800 263 7189
Fax: +1 905 886 7023
Quebec: +1 877-281-1888
Compuware Canada
Service is our best product

From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of George Henke
Sent: Tuesday, June 15, 2010 12:11 PM
To: [email protected]
Subject: Developers' Use of Prod Data For Testing

1) Does anyone know of developers being prevented from using production data and being required to create their own test data completely from scratch?

2) Does anyone know of a software tool that will scramble production data like SSNs while maintaining "referential integrity" (DB2, IMS, etc.) to prevent developers from having access to sensitive production data?

My current client claims both these things exist, but I have never heard of them.

Thank you,
George Henke
(C) 845 401 5614

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
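The kind of scrambling asked about in question 2 and described in the reply (the same person replaced consistently in every data store, so joins still work) can be sketched as keyed, deterministic masking. This is an added example, not code from either poster or from any vendor's tool; the table layouts, key and surrogate names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: two "applications" that share the SSN as join key.
ACCOUNTS = [{"ssn": "123-45-6789", "name": "Robert Example", "acct": "A-1001"},
            {"ssn": "987-65-4321", "name": "Jane Sample", "acct": "A-1002"}]
CLAIMS = [{"ssn": "123-45-6789", "claim": "C-77"},
          {"ssn": "123-45-6789", "claim": "C-78"},
          {"ssn": "987-65-4321", "claim": "C-79"}]
SURROGATES = ["Kermit Frog", "Fozzie Bear", "Gonzo Great", "Rowlf Dog"]

def _keyed_int(key, field, value):
    """HMAC-SHA256 over field name and value under a secret key, as an int."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def mask_ssn(key, ssn):
    """The same SSN always maps to the same surrogate in NNN-NN-NNNN form."""
    d = f"{_keyed_int(key, 'ssn', ssn) % 10**9:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def mask_rows(key, rows, seen):
    """Return masked copies of rows. `seen` maps surrogate -> original SSN
    across all tables, so two people colliding on one surrogate is an error."""
    out = []
    for row in rows:
        masked = dict(row)
        surrogate = mask_ssn(key, row["ssn"])
        if seen.setdefault(surrogate, row["ssn"]) != row["ssn"]:
            raise ValueError("surrogate collision: change key or use FPE")
        masked["ssn"] = surrogate
        if "name" in row:  # name derives from the SSN, so it matches everywhere
            idx = _keyed_int(key, "name", row["ssn"]) % len(SURROGATES)
            masked["name"] = SURROGATES[idx]
        out.append(masked)
    return out

def claims_per_account(accounts, claims):
    """Join the two tables on SSN: claim ids listed per account number."""
    by_ssn = {a["ssn"]: a["acct"] for a in accounts}
    result = {}
    for c in claims:
        result.setdefault(by_ssn[c["ssn"]], []).append(c["claim"])
    return result

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key is kept out of test
    seen = {}
    masked_accounts = mask_rows(key, ACCOUNTS, seen)
    masked_claims = mask_rows(key, CLAIMS, seen)
    print(masked_accounts)
    print(claims_per_account(masked_accounts, masked_claims))
```

The `seen` map must not be shipped to the test environment, since it links surrogates back to real SSNs; the same applies to the key.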

