In the spirit of the first thread, I am introducing the second. That is, HOW do 
we go about protecting/auditing PII (personally identifiable information)?

The first thing I have to say: don't expect an average-size company to be able 
to completely tackle the issue within a short period of time. Not going to 
happen.

In the previous thread we had a short note mentioning the differences between 
encryption/masking techniques. Let me expand on this, in random order of 
importance.

a) The IT industry is notorious for different people using different terms for 
the same thing. The following are some sample techniques for scrubbing data:

1) Encryption, both record and field. Reversible.

2) Data aging. Reversible.

3) Generating data. Non-reversible.

4) Look-up/translation. Depending on the case, can be reversible or not.

Each technique (among others) does have its uses for different types of data. 
The type and need depend on analysis and best practices.

b) You want to make sure that anything you do in the distributed environment 
produces the same results on the mainframe (where applicable), enterprise-wide. 
Most applications span many environments (Windows/Red Hat/UNIX/MVS/Oracle/Excel/
DB2/VSAM/MS Access/XML, etc., to name but a few), and you want to make sure that 
client 1 in application A is scrubbed the same way in applications B, C, etc. 
Otherwise items like system/user acceptance/volume testing will probably fail.

c) The process needs to be repeatable, so the same record going in will produce 
the same record going out. The reasoning behind that is that not every file/DB 
can always be scrubbed at the same time, or at the same frequency.

d) The most important, and the most time-consuming: the analysis of the 
environment. Where is all the PII? How is it all related? Which files need to be 
looked at, and what are the business rules for those files/fields? The success 
of the entire project relies on the time spent here.

e) After you initially set up the process, make sure that it is implemented on 
an ongoing basis, as this is not a static but a dynamic requirement as your 
business moves forward. How are changes going to be applied/monitored? What will 
the EDP/internal/external auditors' requirements be (audit trails? logging, 
etc.)?

f) If you choose a vendor to help you, have they been doing this for a while? 
What expertise do they bring to the table? Do they have supporting tools? (HINT: 
the company I work for does not only sell software but provides tools to help as 
well. Sorry for the commercial, but they do pay the bills <S>.) Do they have 
implementation teams in place with previous expertise (ditto)? Are their people 
certified by a publicly recognized association?

g) Do you have upper management 'buy-in'? Without this, projects like this have 
limited chance for success.

I) Is there a way to 'monitor' the exact data that the CSR (customer service 
rep) accessed, so if any questions arise it can be quickly discovered/confirmed? 
The scenario of a banking rep accessing accounts that she/he is not responsible 
for?

As before, comments are encouraged. If you want further info, feel free to 
contact me.

These posts are my personal opinion alone.
         
         
         
Robert Galambos CIPP/C CIPP/IT
Compuware Senior Technical Specialist
IBM Certified Database Associate
IBM Certified DB2 9 for z/OS Database Administration
Certified Information Privacy Professional/Canada
Certified Information Privacy Professional/Information Technology

[email protected]

Tel: +1 905 886 7000
Toll Free: +1 800 263 7189
Fax: +1 905 886 7023
Quebec: +1 877-281-1888
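Points a) through c) above, as an added example that is not the poster's or Compuware's code: one key-driven scrubbing routine covering generated digits, data aging and a look-up table, built so that any platform holding the same key produces the same scrubbed record. The key, field names, name pool and sample record are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical key (assumption): the one secret every platform that must agree shares.
SCRUB_KEY = b"example-key-replace-me"

def _mac(key: bytes, label: str, value: str) -> bytes:
    # Keyed hash; the field label keeps equal values in different fields from colliding.
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()

def tokenize_digits(value: str, label: str, key: bytes = SCRUB_KEY) -> str:
    """'Generating data': replace the digits with key-derived digits of the same
    length, keeping separators so downstream format edits still pass. Not reversible."""
    count = sum(c.isdigit() for c in value)
    new = iter(str(int.from_bytes(_mac(key, label, value), "big") % 10 ** count).zfill(count))
    return "".join(next(new) if c.isdigit() else c for c in value)

def _offset(key: bytes) -> int:
    # Key-derived shift of 1..365 days, identical wherever the key is identical.
    return int.from_bytes(_mac(key, "date-offset", "")[:2], "big") % 365 + 1

def age_date(d: date, key: bytes = SCRUB_KEY) -> date:
    """'Data aging': shift every date by the same offset. Reversible with the key."""
    return d - timedelta(days=_offset(key))

def unage_date(d: date, key: bytes = SCRUB_KEY) -> date:
    return d + timedelta(days=_offset(key))

POOL = ("Pat Sample", "Lee Example", "Kim Test", "Sam Placeholder")  # constructed names
def lookup_name(value: str, table: dict, key: bytes = SCRUB_KEY) -> str:
    """'Look-up/translation': pick a pool entry deterministically and record the
    mapping; reversible only for as long as the table is retained."""
    idx = int.from_bytes(_mac(key, "name", value)[:4], "big") % len(POOL)
    return table.setdefault(value, POOL[idx])

def scrub_record(rec: dict, table: dict, key: bytes = SCRUB_KEY) -> dict:
    """One technique per field; same record + same key -> same output (item c)."""
    return {
        "cust_id": tokenize_digits(rec["cust_id"], "cust_id", key),
        "sin": tokenize_digits(rec["sin"], "sin", key),
        "name": lookup_name(rec["name"], table, key),
        "birth_date": age_date(rec["birth_date"], key),
        "province": rec["province"],  # not PII on its own; left as-is
    }

# Constructed sample record; none of these values belong to a real person.
SAMPLE = {"cust_id": "000123456", "name": "Jane Example", "sin": "046-454-286",
          "birth_date": date(1975, 3, 14), "province": "ON"}
```

Running `scrub_record(SAMPLE, {})` twice, or on two different machines with the same key, returns identical output; changing the key changes every token, which is what makes the key the one thing that has to be managed enterprise-wide.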
          

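Item I) above, monitoring exactly what a CSR accessed, as an added example that is not from the poster or Compuware: a hash-chained access trail that answers "who opened this account, when, and which fields did they see", flags reps opening accounts outside their assignment, and detects later edits to the log itself. Rep ids, account numbers, timestamps and assignments are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass
class AuditEntry:
    ts: str          # ISO-8601 timestamp supplied by the caller (constructed below)
    csr: str         # customer service rep's user id
    account: str     # account the rep opened
    fields: tuple    # the exact fields shown to the rep, e.g. ("balance", "sin")
    prev_hash: str   # hash of the previous entry; 64 zeros for the first entry
    hash: str = ""
    def compute_hash(self) -> str:
        body = json.dumps([self.ts, self.csr, self.account, list(self.fields), self.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, ts, csr, account, fields):
        # Chain each entry to its predecessor so later edits to the log are detectable.
        prev = self.entries[-1].hash if self.entries else "0" * 64
        entry = AuditEntry(ts, csr, account, tuple(fields), prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry re-hashes to its stored hash and links to the one before."""
        prev = "0" * 64
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def who_accessed(self, account):
        """The auditor's question: who looked at this account, when, and at what."""
        return [(e.ts, e.csr, e.fields) for e in self.entries if e.account == account]

    def out_of_scope(self, assignments):
        """Entries where a rep opened an account outside the set assigned to them."""
        return [e for e in self.entries if e.account not in assignments.get(e.csr, set())]

def demo_trail():
    # Constructed sample: two reps, three lookups; rep02 opens an account assigned to rep01.
    assigned = {"rep01": {"ACC-1001", "ACC-1002"}, "rep02": {"ACC-2001"}}
    trail = AuditTrail()
    trail.record("2009-05-04T09:01:00", "rep01", "ACC-1001", ["name", "balance"])
    trail.record("2009-05-04T09:05:30", "rep02", "ACC-2001", ["address"])
    trail.record("2009-05-04T09:07:12", "rep02", "ACC-1001", ["balance", "sin"])
    return trail, assigned
```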

 

The contents of this e-mail are intended for the named addressee only. It 
contains information that may be confidential. Unless you are the named 
addressee or an authorized designee, you may not copy or use it, or disclose it 
to anyone else. If you received it in error please notify us immediately and 
then destroy it.

 


        
         "Service in every product...


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
