South African companies need to move to protect the integrity of people’s personal information during the testing of software.
João de Oliveira, MigrationWare sales director, says most organisations have historically used production data for testing purposes.
“The reason is that production data most accurately approximates the circumstances that are being tested for. It comes down to a question of cost. Creating artificial data is time consuming and expensive and ultimately does not reproduce the real environment,” he says.
The security around personal data is generally far less stringent in the testing environment than it is in the production environment. This means that people’s personal information could be put at risk by companies failing to take adequate measures to protect the information during the testing phase of software development, he adds.
Overseas companies have already been forced to comply with regulation and industry standards such as Sarbanes-Oxley, Basel II and the Payment Card Industry Data Security Standard (PCI DSS).
The implications of non-compliance are significant, with organisations that do not comply with the legislation facing the possibility of being put out of business, or as a minimum having directors held personally culpable by law, de Oliveira says. In Europe, the protection of data in the testing environment is seen as non-negotiable, and so all organisations have had to implement a data protection policy.
Locally, government is in the process of working on the Protection of Personal Information Bill. While this Bill is still a number of years away, Bowman Gilfillan Attorneys says the Bill will provide for comprehensive regulation of all aspects of the collection, use, disclosure, storage of and access to “personal information”.
Furthermore, companies will be held accountable to the Information Protection Commission (a new body which will be established to monitor and enforce compliance with the Act). Employers will be required to supply a host of information to the Commission, including company information, the purposes for which personal information may be processed, any planned cross-border transfer of information, and a general description of the security measures in place to safeguard the confidentiality, integrity and availability of the information, according to Bowman Gilfillan.
De Oliveira says it therefore appears that the Bill will have application not only to the storage of people’s personal information, but to the use of that information during the testing phase of the software development lifecycle.
He says the key for companies looking to comply with future legislation lies in putting in place the appropriate de-identification practices to ensure sensitive personal or financial data is not at risk to security and privacy breaches during the testing of software.
“This can be done on the database level by data masking, also known in the trade as ‘anonymisation’, to ensure the privacy of data is maintained, especially in the development and testing environments. Masking removes data elements containing sensitive information, making it impossible to trace personal information from representative production data.
“Software development and testing can still be performed through the generation of representative subsets of production data which have been masked. This allows for accurate, secure and reliable generation of test data, while ensuring they meet the latest compliance and privacy regulations,” he says.
Companies need to collate data from across the enterprise and create an inventory of organisational data reduction and masking rules, which can then be stored in a central repository. These rules allow for consistent and congruent subsets of masked data to be extracted as needed for testing, significantly reducing the volumes of data used in the test environment.
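The masking and subsetting approach described above, as an added example written for this page (it is not MigrationWare's product or the article's own code): a central rule inventory maps table columns to masking functions, a keyed HMAC makes every replacement deterministic so that subsets extracted at different times stay congruent, child rows follow their parent customers into the subset, and a final check confirms that no production value survives in the output. The sample rows, the masking key, the table and rule names are constructed assumptions; card numbers keep their issuer prefix and are given a fresh Luhn check digit so that application validation still passes on masked data.

```python
"""Rule-driven masking and subsetting of production data for a test environment.

Added example for this page; rows, key and rule names are constructed, not real.
"""
import hashlib
import hmac

# Assumed test-environment masking key. Rotating it changes every pseudonym.
MASKING_KEY = b"assumed-test-env-key-change-me"

# Constructed "production" rows (fictitious people, well-known test card numbers).
CUSTOMERS = [
    {"customer_id": 1001, "full_name": "Thandi Nkosi", "id_number": "8001015009087",
     "email": "thandi.nkosi@example.co.za", "card_number": "4532015112830366"},
    {"customer_id": 1002, "full_name": "Pieter van Wyk", "id_number": "7503125012089",
     "email": "pvanwyk@example.co.za", "card_number": "5425233430109903"},
    {"customer_id": 1003, "full_name": "Ayesha Patel", "id_number": "9209090123085",
     "email": "ayesha@example.co.za", "card_number": "374245455400126"},
    {"customer_id": 1004, "full_name": "Sipho Dlamini", "id_number": "6811235678081",
     "email": "sipho.d@example.co.za", "card_number": "6011000991300009"},
]
TRANSACTIONS = [
    {"txn_id": 1, "customer_id": 1001, "amount": 250.00},
    {"txn_id": 2, "customer_id": 1002, "amount": 1200.50},
    {"txn_id": 3, "customer_id": 1001, "amount": 75.25},
    {"txn_id": 4, "customer_id": 1003, "amount": 15.00},
    {"txn_id": 5, "customer_id": 1004, "amount": 999.99},
]


def _digest(value: str, purpose: str) -> bytes:
    """Keyed digest: consistent across tables and runs, irreversible without the key."""
    return hmac.new(MASKING_KEY, purpose.encode() + b"\x00" + value.encode(),
                    hashlib.sha256).digest()


def _digits(value: str, purpose: str, n: int) -> str:
    """n decimal digits derived deterministically from value (same input, same output)."""
    d, out = _digest(value, purpose), ""
    while len(out) < n:
        out += str(int.from_bytes(d, "big"))
        d = hashlib.sha256(d).digest()
    return out[:n]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # digits left of the check digit are doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


# Masking functions; each removes the real value and substitutes a derived stand-in.
def mask_pseudonym(v: str) -> str:
    return "Customer " + _digits(v, "name", 6)


def mask_id_number(v: str) -> str:
    return _digits(v, "id", len(v))  # same length as the original, no real birth date or sequence


def mask_email(v: str) -> str:
    return f"user-{_digits(v, 'email', 8)}@test.invalid"  # reserved TLD: can never deliver


def mask_pan(v: str) -> str:
    body = v[:6] + _digits(v, "pan", len(v) - 7)  # keep issuer prefix, replace account digits
    return body + luhn_check_digit(body)            # recompute check digit so validation passes


RULES = {"pseudonym": mask_pseudonym, "id_number": mask_id_number,
         "email": mask_email, "pan": mask_pan}

# Central inventory of data reduction and masking rules (assumed layout).
INVENTORY = {
    "customers": {"subset_percent": 50,
                  "columns": {"full_name": "pseudonym", "id_number": "id_number",
                              "email": "email", "card_number": "pan"}},
    "transactions": {"columns": {}, "parent": ("customers", "customer_id")},
}


def in_subset(key_value, percent: int) -> bool:
    """Deterministic sampling: a customer is either always in the subset or never."""
    return int.from_bytes(_digest(str(key_value), "subset")[:4], "big") % 100 < percent


def mask_row(row: dict, columns: dict) -> dict:
    return {k: RULES[columns[k]](v) if k in columns else v for k, v in row.items()}


def build_test_data(customers, transactions):
    """Reduce to a congruent subset, then mask; child rows follow their parents."""
    keep = {c["customer_id"] for c in customers
            if in_subset(c["customer_id"], INVENTORY["customers"]["subset_percent"])}
    masked_customers = [mask_row(c, INVENTORY["customers"]["columns"])
                        for c in customers if c["customer_id"] in keep]
    masked_txns = [mask_row(t, INVENTORY["transactions"]["columns"])
                   for t in transactions if t["customer_id"] in keep]
    return masked_customers, masked_txns


def leaked_values(original_rows, masked_rows, columns):
    """Verification step: original sensitive values still present in the masked output."""
    originals = {r[c] for r in original_rows for c in columns}
    return sorted(r[c] for r in masked_rows for c in columns if r[c] in originals)


if __name__ == "__main__":
    cust, txns = build_test_data(CUSTOMERS, TRANSACTIONS)
    for row in cust + txns:
        print(row)
    sensitive = list(INVENTORY["customers"]["columns"])
    print("leaked:", leaked_values(CUSTOMERS, cust, sensitive))
```

Running the same rules twice yields byte-identical output, which is what lets a subset refreshed next month line up with fixtures written against this one; the leak check at the end is the step an auditor will ask for when the security measures described in L8's register are reported on.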
“It will also make meeting legislated security requirements and reporting on the steps taken to preserve the privacy of people’s personal information far easier for companies when the Protection of Personal Information Bill comes into being,” de Oliveira concludes.