
Testing with
Production Data?
Best Practices in Data Privacy
Luis Gasca, CIPP
Data Management Specialist
Copyright © 2007 Compuware Corporation. All rights reserved.
Abstract
• Data privacy regulations, mitigating the risk of Personally Identifiable Information (PII) exposure, managing privacy policies throughout the data life cycle and obtaining privacy audit certifications are part of today's IT priorities.
• Research indicates that the greater privacy threats reside internally within an organization. Protecting sensitive data is paramount not only for production purposes, but also during application testing and quality assurance.
• Implementing business solutions for data privacy is usually a complex endeavor. Simplification is achieved through proven process models and technology to effectively deploy depersonalized data and, in turn, minimize risks, meet regulatory compliance and maintain customer trust.
Session Objectives
• Inform the DB2 Forum audience about the business
needs for Data Privacy.
• Describe the challenges and illustrate the opportunities in
the management of Personally Identifiable Information for
non-production purposes.
• Provide IT professionals with practical advice to enable
them to achieve better business results through
implementation of Data Privacy solutions based on
proven technology and best practice process models.
Agenda
• Information Privacy
− Business drivers
− Regulatory landscape & trends
− Business impact
• Privacy Challenges
− Privacy threats
− Corporate privacy
• Practical Approach to Data Privacy
− Standards, processes, practices
− Project life cycle
− Development life cycle
− Privacy technology for DB2
• Conclusions
− Opportunities
− Business benefits
Information Privacy
• Although the concept of privacy is broad and culturally
diverse, it can be generally understood as a fundamental
human right.
• Data privacy refers to the freedom from arbitrary interference
or abuse of an individual’s personal information.
− PII (Personally Identifiable Information)
− PHI (Personal Health Information)
− NPI (Non-Public Information)
• Data privacy in information systems relates to the appropriate
use of personal information, during its collection, storage,
processing and disposal, while maintaining and improving the
business.
Worldwide Data Privacy Drivers
• Law
− International
− Federal
− State
− Etc.
• Risk of exposure
− Corporate reputation, negative press
− Financial liability
− Law enforcement, litigation
− Loss of business and customer trust
• Audit
− Internal & External
− SAS 70
− Etc.
• Certification
− Industry: PCI
− Self: TRUSTe, GoodPriv@cy
− Etc.
Regulatory Landscape
− United States
• Gramm-Leach-Bliley Act
• Dept. Of Commerce Safe Harbor Provision
• Fair Credit Reporting Act
• Health Insurance Portability and Accountability Act (HIPAA)
• California SB 1386
− European Union Personal Data Protection Directive, 1998
− Australia Privacy Amendment Act of 2000
− Japanese Personal Information Protection Law
− Canadian Personal Information Protection and Electronic
Documents Act (PIPEDA)
− Etc.
Regulatory Trends
35 US states have adopted security breach notification legislation similar to CA SB 1386 (bills have been introduced in 9 other states).
Pending Privacy and Data Security Legislation in the 110th Congress
• S. 239, "The Notification of Risk to Personal Data Act"; S. 239 is limited to a breach notification requirement
• H.R. 836 ("Cyber-Security Enhancement and Consumer Data Protection Act of 2007"); H.R. 836 criminalizes the concealment of data breaches
• S. 495 ("Personal Data Privacy and Security Act of 2007")
• H.R. 958 ("Data Accountability and Trust Act")
− S. 495 and H.R. 958 establish requirements for data security as well as breach notification standards, enhance penalties for identity theft, and require the reporting of breaches to federal law enforcement agencies.
Payment Card Industry
Data Security Standard Requirements
Section 3.6. Develop and maintain secure systems and applications:
− 6.3 Develop software applications based on industry best practices and include information security throughout the software development life cycle.
− 6.3.1: Testing of all security patches and system and software configuration changes before deployment
− 6.3.4: Production data (live personal account numbers) are not used for testing or development
Why Should Businesses Care?
• Penalties for non-compliance with PCI 1.1!
− Possible restrictions on the merchant or permanent prohibition of the merchant's participation in credit card programs
− No credit cards means no business for many
− Starting October 1st, 2007: new fine structure that starts at $10,000 per month and can go as high as $100,000 per month!
• PCI is becoming the law!
− Adoption of the PCI standard by the State of Minnesota as state law, in review in other state legislatures, like Texas.
Business Impact
• 217 Million Consumers Impacted through 12-31-2007*
• The catalyst for reporting data breaches to the affected
individuals has been the California law that requires
notice of security breaches, the first of its kind in the
nation, implemented July 2003.
• Personal information compromised includes data
elements useful for identity theft, such as Social Security
numbers, account numbers, and driver's license
numbers.
*A Chronology of Data Breaches Reported Since the ChoicePoint Incident
Privacy Rights Clearinghouse, April 8, 2007
Business Impact
Ponemon Institute estimates an average cost of $6.3M per security
breach incident
• Study examines costs incurred by 35 companies after experiencing a
data breach
• Breaches ranged from less than 4,000 records to more than 125,000
records
• The average cost per lost customer record was $197 U.S. in 2007,
up 8% from 2006
• Breaches by third-party organizations such as outsourcers,
contractors, consultants, and business partners were reported by
40% of respondents, up from 29% in 2006
• Cost of lost business increased more than 30%, averaging $4.1M or
$128 per record compromised. Lost business accounts for 65% of
data breach costs.
Ponemon Institute 2007 Annual Study: Cost of a Data Breach
Privacy Threats
Third party share of data breaches (Ponemon Institute, 2007 Annual Study: Cost of a Data Breach):
• Third party: 40% (up from 29% in 2006)
• Internal: 60% (down from 71% in 2006)
Privacy Threats
"It is a serious mistake to think that mainframe applications are safe by default. They are not... Enterprises should not experience a false sense of security simply because their mission-critical applications run on mainframes. Yet, they are often defenseless against insiders equipped with in-depth knowledge of the applications' logic and security policies — those using legitimate means to ill-exploit the system. Most attacks on legacies come from inside the enterprises, committed by their own employees... Applications should be protected from the inside out."
Joseph Feiman, Gartner Research, September 29, 2006
Implementing Security for Mainframe Legacy Applications - Worth the Investment
Corporate Privacy
• Privacy Program
− Corporate values
− Organization goals
− Consumer expectations
− Employee commitment
− Communication
• Privacy Policy
− Collection
− Use
− Choice
− Security
− Redress
Corporate Privacy
But ...
• How do you support your Privacy initiatives?
• How do you mitigate the risks?
Corporate Privacy Maturity
(Figure: maturity diagram plotting implementation complexity against effectiveness, leading to comprehensive privacy. Complexity side: Outsourcing, Off shoring, Mobile Computing, Internet, eCommerce, Networks, Databases, Storage. Effectiveness side: Best Practices, Processes, Information Management, Tools & Utilities, Security Controls, Policies.)
Data Privacy Challenges
Organizational and political:
− Defining ownership of the data
− Privacy enforcement
− Defining disguise standards
− Business process management
− Conflicts of interest
− External influences
− Designing and implementing corporate disguise policies and procedures
− Communication and agreement between different application groups
− Interpretation of the compliance regulations
Technical:
− Variety of platforms
− Variety of data types
− Data complexity
− Maintain shared relationships between multiple environments
− Coordination of physical implementation
Challenges for IT (Production Region versus Test Region)
Production Region | Test Region
Live customer/account information | Live customer/account information
Access through applications with role-based information access | Direct access to the raw data
Trained access for employees through policies and agreements | Wider exposure to non-employees or employees across the world
Usage of data monitored and traced for compliance | Higher potential for unauthorized viewing and usage
Successful usage requires 'live' data | Successful testing does not require 'live' data
Region security mature and robust, through tools and processes | Region security not as robust as production
Supporting Corporate Privacy Initiatives
How do we get there? (Figure: Technology, People, Best Practices, Methodology)
How do we get there? ...Standards
• CMMI
− Capability Maturity Model Integration
• IEEE
− Institute of Electrical and Electronics Engineers
• ISO
− International Standards Organization
• TQM
− Total Quality Management
• Etc.
(Figure: Capability Maturity Model Integration 1.1)
How do we get there? ...Processes
(Figure: ISO/IEC 12207 Software Life Cycle Process)
How do we get there? ...
"A practice is a proven way of approaching or addressing a problem. It is something that has been done before, can be successfully communicated to others, and can be applied repeatedly to produce consistent results."
Enough of Processes: Let's Do Practices
Ivar Jacobson, Pan-Wei Ng, and Ian Spence
March 2007
How do we get there? ...
Software Development Models
• Traditional
− Spiral
− Waterfall
• Agile
− RUP®
− Crystal
− XP
− Scrum
• Other
− Test Driven Development
− Joint Application Development
− Paragon Plus™
− Etc.
(Figure: Analysis, Design, Development, Delivery cycle)
Spiral Model
(Figure: Analysis, Design, Development, Delivery, repeated each cycle)
• Unpredictable scope
• Vague requirements
• Frequent iterations of design, development, delivery
• Shorter phases
• Refines and expands requirements on every cycle
• Quick results
• Rapid feedback
Waterfall Model
(Figure: Analysis, Design, Development, Delivery in sequence)
• Non changing scope
• Analysis is critical
• Static requirements
• Complete design for development, testing and integration
• Final product is delivered to end users
• Realistic schedule and budget
• Fewer surprises
Data Privacy Project Cycle
(Figure: Paragon Plus™ project cycle)
Proposal Development
• Executive Sponsorship
− CEO, CSO, CPO, CIO
− Legal Counsel
• Strategic Direction
• Organizational Plan
− Compliance team
− Business SMEs
− Privacy team
− Quality Assurance team
• Risk Assessment
• Scope Analysis
• Project Definition
• Privacy Requirements
Project Planning
Tracking and Oversight
• Management & Control
− Resource
− Cost
− Time
− Quality
− Vendors
− Subcontractors
− Configuration
• Communication
− Executive
− Privacy Teams
− Business entities
• Documentation
− Repository
Delivery Method
(Figure: Analysis, Design, Development, Implementation)
Analysis
• What sensitive information do we have?
− PII, PHI, NPI
• What are the protection requirements?
• What risks are we mitigating?
• Where is the sensitive information and where does it need to be protected?
• How is sensitive information processed?
• How is sensitive data used outside of production?
Analysis
• Context Model
− Application scope
− Application dependencies
− Internal and external flows
− Major inputs and outputs
• Data Model
− Objects
− Relationships
− Structures
− Formats
(Figure: sample data model shown on the slide; keys as labelled in the diagram)
CUSTOMER_TBL: CUSTOMER_NUMBER (PK), COMPANY_NAME, ADDRESS, CITY, STATE, ZIP_CODE, COUNTRY, AREA_CODE, TELEPHONE_NUM, CONTACT_NAME, CONTACT_TITLE, CONTACT_ADDR, CONTACT_CITY, CONTACT_STATE, CONTACT_ZIP, CONTACT_COUNTRY, CONTACT_AREA_CD, CONTACT_TELEPHONE
ORDER_TBL: ORDER_NUMBER (PK), CUST_NUM (FK1), SOC_SEC_NUM, CREDIT_CARD_NUM, MOTHERS_MAID_NAME, ORD_TYPE, ORD_DATE, ORD_STAT, ORD_AMOUNT, ORD_DEPOSIT, ORD_LINE_COUNT, SHIP_CODE, SHIP_DATE, ORD_DESCRIPTION
PART_TBL: PART_NUMBER (PK), PART_NAME, EFFECT_DATE, EQUIVALENT_PART, PURCH_PRICE, SETUP_COST, LABOR_COST, UNIT_OF_MEASURE, MATERIAL_COST, REWORK_COST, AVAILABILITY_IND, ENGR_DRAW_NUM
SUPPLIER_TBL: PART_NUMBER (PK, FK1), SUPPLIER_CODE (PK), SUPPLIER_NAME, SUPPLIER_MODEL_NUM, WHOLESALE_PRICE, DISCOUNT_QUANTITY, PREFERRED_SUPPLIER, LEAD_TIME, LEAD_TIME_UNITS
ORDER_LINE_TBL: ORDER_NUM (PK, FK1), ORDER_LINE_NUMBER (PK), PART_NUM (FK2), PLAN_QTY, UNITS_COMPLETE, UNITS_STARTED, SCRAP_QTY, START_DATE, LINE_STATUS
CUSTOMER_HIST_TBL: CUSTOMER_ROWID, CUSTOMER_NUMBER, COMPANY_NAME, TELEPHONE_NUM, CONTACT_NAME, CONTACT_TITLE
CONTACT_TBL: CUSTOMER_NUMBER (PK, FK1), CONTACT_ID (PK), CONTACT_NAME, TITLE, CONTACT_CODE, ADDRESS, CITY, STATE, ZIP_CODE, COUNTRY, AREA_CODE, TELEPHONE_NUM
Analysis
• Function Model
− Processes dependencies
− Methods
− States
− Flows
• QA Model
− Test requirements
− Environments
− Migration paths
− Test cases
− Test scripts
Design
• Privacy implementation strategy
• Access to source data
• Extract criteria
• Privacy rules
• Delivery methods
• Security rules
• How will technology be used to support the process?
Design
• Privacy architecture
− Components
− Configuration
• Extract rules
− Criteria specifications
− Scope specifications
• Privacy rules
− Privacy techniques
− Integrity
− Consistency
− Usability
• Load rules
• Technical Specifications
Design
Considerations
• Integrity
− Intact relationships and dependencies of data within
and across applications.
• Consistency
− Repeatability of results regardless of data source.
• Usability
− Data should be valid for the business and meaningful
to the users.
Design
Privacy Techniques
• Scramble
− Replace sensitive values with formulated data based on a user-defined key.
• Translate
− Replace sensitive values with meaningful, readable data from an alternate source.
• Mask
− Ability to partially identify and conceal individual fragments of data.
• Age
− Replace sensitive dates with accurately calculated values.
• Generate
− Produce fictitious data from scratch using business-oriented algorithms.
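As an added worked example (not part of the original deck and not Compuware's product code), the Python below implements each of the five techniques above and applies them to constructed sample rows modelled on the deck's Original/Disguised pairs. It also shows the integrity and consistency considerations from the Design slide: the customer key and the order's foreign key are disguised with the same keyed rule, so the join between the two tables survives. The key, the alternate-source name list, the row layouts and the date-shift bound are assumptions of the example.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed user-defined key (assumption); it must never reach the test region.
KEY = b"constructed-demo-key"

# Constructed alternate source of readable names for the Translate technique.
ALT_NAMES = ["Jill Jones", "Pat Lee", "Sam Rivera", "Ana Cruz", "Lee Park"]


def keyed_digest(value: str, key: bytes = KEY) -> bytes:
    """HMAC of a source value under the user-defined key. Deterministic per key,
    which is what makes every technique below repeatable (consistency)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def scramble(value: str, key: bytes = KEY) -> str:
    """Scramble: replace each digit with one formulated from the keyed digest;
    separators are kept so an SSN still looks like ddd-dd-dddd."""
    digest = keyed_digest(value, key)
    return "".join(str(digest[i % len(digest)] % 10) if ch.isdigit() else ch
                   for i, ch in enumerate(value))


def translate(value: str, key: bytes = KEY) -> str:
    """Translate: pick a meaningful value from the alternate source; the keyed
    index maps the same source name to the same replacement everywhere."""
    return ALT_NAMES[int.from_bytes(keyed_digest(value, key)[:4], "big") % len(ALT_NAMES)]


def mask(value: str, keep_prefix: int = 2, keep_suffix: int = 5, fill: str = "X") -> str:
    """Mask: conceal the middle digits and expose only the fragments testers
    need (the defaults reproduce the deck's 42XX XXXX XXX9 3037)."""
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    hidden = set(positions[keep_prefix:len(positions) - keep_suffix])
    return "".join(fill if i in hidden else ch for i, ch in enumerate(value))


def age(value: date, key: bytes = KEY, max_days: int = 60) -> date:
    """Age: shift a date forward by a keyed offset of 1..max_days so the result
    is still a plausible date of the same era."""
    offset = int.from_bytes(keyed_digest(value.isoformat(), key)[:2], "big") % max_days + 1
    return value + timedelta(days=offset)


def generate_phone(seed: str, key: bytes = KEY, area_code: str = "810") -> str:
    """Generate: build a fictitious NANP-style phone number from scratch (no
    source value needed), seeded from the record key so reruns agree."""
    rnd = random.Random(keyed_digest(seed, key))
    return f"({area_code}) {rnd.randint(200, 999)}-{rnd.randint(0, 9999):04d}"


def disguise_customer(row: dict) -> dict:
    """One privacy rule per sensitive column of a CUSTOMER-style row."""
    out = dict(row)
    out["CUSTOMER_NUMBER"] = scramble(row["CUSTOMER_NUMBER"])
    out["CONTACT_NAME"] = translate(row["CONTACT_NAME"])
    out["BIRTH_DATE"] = age(row["BIRTH_DATE"])
    out["SOC_SEC_NUM"] = scramble(row["SOC_SEC_NUM"])
    out["CREDIT_CARD_NUM"] = mask(row["CREDIT_CARD_NUM"])
    out["TELEPHONE_NUM"] = generate_phone(row["CUSTOMER_NUMBER"])  # generated, source had none
    return out


def disguise_order(row: dict) -> dict:
    """CUST_NUM is scrambled with the same rule and key as CUSTOMER_NUMBER;
    that shared rule is what keeps the foreign key intact (integrity)."""
    out = dict(row)
    out["CUST_NUM"] = scramble(row["CUST_NUM"])
    return out


def referential_integrity_ok(customers: list, orders: list) -> bool:
    """True when every disguised order still joins to a disguised customer."""
    keys = {c["CUSTOMER_NUMBER"] for c in customers}
    return all(o["CUST_NUM"] in keys for o in orders)


# Constructed sample rows modelled on the deck's Original Data column.
CUSTOMERS = [{"CUSTOMER_NUMBER": "100234", "CONTACT_NAME": "Mary Ward",
              "BIRTH_DATE": date(1962, 3, 20), "SOC_SEC_NUM": "370-55-2939",
              "CREDIT_CARD_NUM": "4294 5730 5839 3037", "TELEPHONE_NUM": ""}]
ORDERS = [{"ORDER_NUMBER": "500001", "CUST_NUM": "100234"},
          {"ORDER_NUMBER": "500002", "CUST_NUM": "100234"}]


def run() -> tuple:
    """Disguise both tables; return (customers, orders, integrity check result)."""
    cust = [disguise_customer(c) for c in CUSTOMERS]
    ords = [disguise_order(o) for o in ORDERS]
    return cust, ords, referential_integrity_ok(cust, ords)


if __name__ == "__main__":
    for row in run()[0]:
        print(row)
```

The design point is that every technique is driven by one user-defined key rather than by unkeyed randomness: that is what lets the same SSN or customer number disguise identically across tables, extracts and reruns, which the Consistency and Integrity considerations require. Keep the key with the production-side extract tooling, not with the disguised copy.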
Development
Privacy Enabling Technology (PET)
(Figure: a PET is obtained either by writing code or by using software products)
Development
Privacy Enabling Technology
• How does the PET address privacy requirements?
− Data management
− Privacy management
− Auditing
• How does the PET address testing requirements?
− Manipulation
− Generation
− Validation
− Administration
− Extract and load
Development
Privacy Enabling Technology
Credit card privacy rule:
• Identify credit card type
• Mask type and check digit positions
• Generate disguised number
• Calculate check digit
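The four steps of the rule above, as an added example that is not part of the deck or of Compuware's PET: the type prefix and the check-digit position are protected, the digits in between are generated from a keyed random stream, and a Luhn check digit is recomputed so the disguised number still passes the same edit checks as a real one. The prefix table is a constructed subset (real issuer ranges are broader) and the key is an assumption; the sample number is the one shown on the deck's Implementation slide.

```python
import hashlib
import hmac
import random

# Constructed key (assumption): the same card disguises the same way on every run.
KEY = b"constructed-demo-key"

# Constructed prefix subset, longest prefix first; enough to show type identification.
CARD_TYPES = [
    ("6011", "DISCOVER"),
    ("34", "AMEX"), ("37", "AMEX"),
    ("51", "MASTERCARD"), ("52", "MASTERCARD"), ("53", "MASTERCARD"),
    ("54", "MASTERCARD"), ("55", "MASTERCARD"),
    ("4", "VISA"),
]


def digits_only(number: str) -> str:
    """Drop grouping characters (spaces, dashes) and keep the digits."""
    return "".join(ch for ch in number if ch.isdigit())


def identify_type(number: str) -> tuple:
    """Step 1: identify the card type from its prefix.
    Returns (type name, matched prefix); ("UNKNOWN", "") when nothing matches."""
    digits = digits_only(number)
    for prefix, name in CARD_TYPES:
        if digits.startswith(prefix):
            return name, prefix
    return "UNKNOWN", ""


def luhn_check_digit(payload: str) -> str:
    """Step 4: Luhn check digit for a payload (every digit except the last).
    Walking from the right, the first payload digit is doubled because the
    check digit will be appended after it."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the Luhn check digit of the rest."""
    digits = digits_only(number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def disguise_card(number: str, key: bytes = KEY) -> str:
    """Steps 1-4 together: keep the type prefix and the check-digit position,
    generate the digits between them, recompute the check digit, and restore
    the original grouping so downstream field edits still pass."""
    digits = digits_only(number)
    _, prefix = identify_type(number)                        # step 1
    free = len(digits) - len(prefix) - 1                      # step 2: protected positions
    if free < 0:
        raise ValueError("number too short to disguise")
    rnd = random.Random(hmac.new(key, digits.encode(), hashlib.sha256).digest())
    middle = "".join(str(rnd.randrange(10)) for _ in range(free))  # step 3
    payload = prefix + middle
    new_digits = payload + luhn_check_digit(payload)          # step 4
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in number)


if __name__ == "__main__":
    sample = "4294 5730 5839 3037"  # the sample card number shown on the deck
    print(identify_type(sample)[0], luhn_valid(sample), disguise_card(sample))
```

Seeding the generator from an HMAC of the source digits (rather than from the digits themselves) means the disguised value cannot be reversed to the original without the key, while still being consistent: the same source card yields the same disguised card in every extract, so a card number that appears in two tables stays joinable.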
Development
Privacy Enabling Technology
(Figure: Production → Extract → Disguise → Load → Development; the Privacy Enabling Technology performs the extract, disguise and load steps between the production and development regions)
Implementation
• QA Integration
• Audit Management
• Communication
• Training
• Certification
• Documentation
• Validation
• Refinement
Implementation
(Figure: test levels Unit, System, Integration, Acceptance)
• Verify Disguised Data is Properly Testing:
− Sensitive data functions
− New or modified code
− Critical business logic
• Application outputs
• Risk Metrics
• Change Management
• Auditing Documentation
Implementation
Original Data | Disguised Data
Mary Ward | Jill Jones
03-20-1962 | 04-18-1962
104 Main Street | 111 State Avenue
Flint, MI 48025 | Flint, MI 48025
370-55-2939 | 431-81-6492
4294 5730 5839 3037 | 42XX XXXX XXX9 3037
234-A574987 | 234-K136585
ø (no value) | (810) 609-2873
Data Privacy Project Closure
Next steps:
• Discuss lessons learned
• Assess and communicate data privacy results
• Use managed processes to bridge privacy gaps
• Formalize privacy roles and functions
• Identify improvements to employee, vendor and technology management
• Prepare to respond to incidents
• Use metrics for compliance
Data Privacy Opportunities
Organizational and political:
− New and enhanced relationships
− Established privacy framework
− Ongoing privacy processes in place
− Proactive incident management
− Better understanding and management of internal threats
− New attitude towards data privacy
− Recognition of ROI
− Corporate pride
− Privacy qualified staff
Technical:
− Improved application quality
− Enhanced development and testing processes
− Reusable privacy assets
− Better knowledge about the IT environment
− Effective use of technology
Benefits to the Business
A Comprehensive Data Privacy Solution:
• Supports corporate privacy initiatives
• Simplifies the management of privacy projects
• Improves test data quality while maximizing efficiency
• Lowers cost of regulatory compliance
• Reduces risk and liability associated with data privacy
• Maintains customer trust and loyalty
Conclusions
• Organizations face internal risks they need to protect against
• A comprehensive data privacy solution is key to compliance
requirements
• Use any variety of standards and methods that work for the
business
• Best practices are proven ways to achieve data privacy and
provide for a blueprint to deliver results
• Technology plays a critical role
• Business is evolving, best practices should too
• Partner with vendors with the ability to bridge gaps between
software features and working solutions
Thank You!
Testing with Production Data?
Best Practices in Data Privacy
Luis Gasca, CIPP
Data Management Specialist
Compuware Corporation
luis.gasca@compuware.com