• 07Jun

    Do you test using real production data? Beware of using sensitive data for any application development or testing purposes, since lost or stolen information can trigger costly data breach notifications, regulatory sanctions, and customer fallout.

    Do you test applications using real production data?

    Anecdotally, many developers and QA testers say they prefer to build and test applications using the real thing: actual customer data.

    Such practices, however, can violate a number of data privacy regulations. For example, the 1996 Health Insurance Portability and Accountability Act (HIPAA) mandates companies restrict access to people’s personal health data on a “need to know” basis. Likewise, the Sarbanes-Oxley Act of 2002 requires companies to control access and track changes to systems handling corporate financial information. In addition, over 30 states have passed data breach notification laws requiring companies to notify consumers if their personal information may have been compromised. This includes such things as a person’s name and address, date of birth, social security number, and credit card and bank account numbers.

    These regulations make no distinction between production and testing environments. Simply put, the requirements are the same whether an attacker hacks into your e-commerce application, or accesses a database in the testing environment. Given such risks, many companies have decided developers — as well as quality assurance (QA) personnel and database administrators (DBAs) — simply don’t have a “need to know,” and thus shouldn’t have access to any sensitive information. Beyond helping protect sensitive data, the company and its customers, this also protects developers: they’re not culpable in the event of a data leak or security breach.

    To ensure applications perform appropriately once they launch, however, developers still need access to “good enough” data to build and test their applications. Accordingly, many organizations are creating homegrown scripts, or purchasing off-the-shelf software, to transform sensitive production data into safe but usable test data.
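    The kind of transformation described above, as an added example (not code from the original post or from any vendor product): a keyed, deterministic masking script that keeps the shape of the fields the post lists (name, date of birth, social security number, card number) while replacing the values, so test code that validates formats or joins records still works. The masking key and the name pool are assumptions; the sample row is constructed.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Assumption: the key lives with the production-side masking job and is never copied to the test environment.
MASKING_KEY = b"example-key-not-for-real-use"

def _token(value: str, field: str) -> int:
    """Keyed digest: the same production value always masks to the same test value, so joins across tables still work."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test, so card-validation code in the app under test still runs."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]

def mask_ssn(ssn: str) -> str:
    digits = f"{_token(ssn, 'ssn') % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"   # keeps the NNN-NN-NNNN shape

def mask_card(pan: str) -> str:
    raw = "".join(ch for ch in pan if ch.isdigit())
    width = len(raw) - 7                                 # digits between issuer prefix and check digit
    partial = raw[:6] + f"{_token(raw, 'pan') % 10**width:0{width}d}"   # issuer prefix kept for routing tests
    return partial + luhn_check_digit(partial)

FAKE_NAMES = ["Alex Rivera", "Sam Okafor", "Jordan Lee", "Priya Natarajan"]  # constructed pool

def mask_name(name: str) -> str:
    return FAKE_NAMES[_token(name, "name") % len(FAKE_NAMES)]

def mask_dob(dob: date) -> date:
    """Shift by a keyed offset of up to +-180 days: age bands stay realistic, the real date is gone."""
    return dob + timedelta(days=_token(dob.isoformat(), "dob") % 361 - 180)

def mask_record(rec: dict) -> dict:
    return {"name": mask_name(rec["name"]), "dob": mask_dob(rec["dob"]),
            "ssn": mask_ssn(rec["ssn"]), "card": mask_card(rec["card"])}

# Constructed sample row standing in for a production record.
SAMPLE = {"name": "Jane Q. Customer", "dob": date(1980, 5, 17),
          "ssn": "123-45-6789", "card": "4111 1111 1111 1111"}
```

    Running the same script twice with the same key yields identical output, which is what keeps foreign keys consistent across masked tables; rotating the key produces a fresh, unrelated test set.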

  • 06Jun

    Lax security and portable media let data walk out the door

    Forty-five percent of professionals have taken corporate data with them when they changed jobs, according to a recent online survey, with many of them simply e-mailing it to themselves or storing it on a peripheral device. Forty-two percent said that corporate security measures were ineffectual. Perhaps not surprisingly, 53 percent on average were also of the opinion that their employer’s intellectual property was being used by a competitor. The number who felt that way rose to 63 percent for IT professionals.

  • 04Jun

    The enormous complexity of today’s environment is also seen as a problem

    6.4.07    Internal controls were recently listed as the number one financial reporting challenge for 2007 by the head of Financial Executives International.

    The move comes in the wake of the recent publication of revised guidance concerning audits of internal controls over financial reporting by the Public Company Accounting Oversight Board.

    Second on the list was how to account for uncertain income taxes and the interpretation of FASB Statement No. 109. The adoption of XBRL in the wake of the SEC’s campaign to promote interactive financial reports was third on the list.

    Number six on the list of 10 was the complexity involved in financial reporting, which has led to a restatement rate of 10 percent, implying that the accounting staff needs subject-matter experts for every accounting area.