
Test Data Privacy Best Practices Methodology Bill Mackey Subject Matter Expert.


1 Test Data Privacy Best Practices Methodology Bill Mackey Subject Matter Expert

2 Introduction: Why Do Companies Care About Data Privacy?

3 Worldwide Data Privacy Drivers
Regulatory Compliance…
– United States: Gramm-Leach-Bliley Act, Sarbanes-Oxley Act
– European Union: Personal Data Protection Directive, 1998
– Health Insurance Portability and Accountability Act (HIPAA)
– Australia: Privacy Amendment Act of 2000
– Japanese Personal Information Protection Law
– Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
Internal auditors are forcing data protection controls and procedures, especially for offshore use/outsourcing arrangements.
Risk of exposure can cause significant damage
– Corporate embarrassment, lawsuits, negative press, fines/penalties, loss of customers, etc.

4 Data Breaches Reported Since the ChoicePoint Incident
2846 Incidents Reported Between – ,066,426 Consumers Impacted
The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches, the first of its kind in the nation, implemented July
Personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers.
Source: A Chronology of Data Breaches Reported Since the ChoicePoint Incident, Privacy Rights Clearinghouse, January 19, 2012

5 How are Companies Addressing this Issue? (ordered from Low Effectiveness to High Effectiveness)
– Signing non-disclosure agreements
– Restricting security access to sensitive/confidential data
– Applying minimal “de-identifying” rules
– Implementing a complete data disguise solution with processes and procedures

6 Best Practices Approach to Data Privacy

7 Technology alone is not the answer: Comprehensive Solution
Services
– Repeatable Best Practices
– Assessment
– Implementation
– Superior Expertise with
o 3rd Party Software
o Financial
o Healthcare
o Government
– Meet dates within high risk projects
Technology Related
– Data Extraction
– Data Sub-setting
– Data Format Conversion
– Disguise Rules Definition
– Common Rules Across the Enterprise
– Unified Rules Repository
– Support for Mainframe and Distributed Environments
– Roles Based Authorization
– Audit and Reporting
Methodology
– Data Analysis
o Analyze metadata
o Discover PII
o Classify data
– Design
o Associate disguise rules
o Define extract criteria
o Identify target environment(s)
o Identify load method(s)
o Define population strategy
– Develop
o Extract data and relationships
o Apply rules across data sources
o Load data
– Deliver
o Produce reports
o Audit results
o Enable best practices

8 Process: Data Privacy Methodology
Analyze – Understand each application’s sensitive information
Design – Define strategies for disguising test data
Develop – Build the processes to disguise test data
Deliver – Deploy and maintain data protection processes

9 Data Privacy Best Practices

10 Data Privacy Project Plan

11 Data Privacy Best Practices Process Overview

12 Deployment Approaches
Two project approaches:
– Progressive: Organizations that have large numbers of applications and multiple lines of business benefit more from a progressive approach. The progressive approach builds upon the success of early efforts, building up a library of disguise routines and process definitions that align with existing projects within the organization.
– Parallel: Organizations that have small to medium numbers of applications benefit more from the parallel approach. The parallel approach covers a wider range of applications at the same time, which is possible when the applications are less intertwined or more independent.
Both approaches use a risk based methodology.

13 Operational Structure
Centralized – A single team responsible for performing the data masking function for all lines of business or application areas. This organization is also often referred to as a center of excellence model.
Benefits
– Fewer resources need to be trained on the data disguise software and activities;
– Increased control over consistency of the disguise techniques and behavior; and
– Increased productivity of these resources as they work across applications.
Drawbacks
– Increased effort during the Analyze phase as these resources gain the necessary application-centric knowledge;
– Increased duration, as there are typically fewer of these resources, so more effort with fewer people results in a longer duration.
Decentralized – Each application group is responsible for the data masking functions.
Benefits
– Existing application domain knowledge can be leveraged;
– The duration of the Analyze phase may be shortened as activities can be performed in parallel; and
– This model streamlines the communication model between the groups.
Drawbacks
– Increased effort related to training; and
– Increased demand on communications in order to maintain consistency.

14 Process: How we get there
Establish an actionable roadmap
– Determine the scope
– Establish a strategy
– Identify constraints (internal and external)
Select the technology
– Recognized and adaptable
– Support multiple environments, platforms, & techniques
Partner to gain the experience
– Minimize first time hurdles, pit-falls, & dead-ends
– Maximize analysis and design efficiency

15 Project Overview – Planning

16 Project Phases
Perform the Analyze methodology phase
– Data Model Analysis
– Function Model Analysis
Perform the Design methodology phase
– Design extract process
– Design disguise techniques
– Design load process
Perform the Develop methodology phase
– Creation and population of Translation/Association tables
– Creation and population of Encryption keys
– Development and Unit Testing of Extract/Disguise/Load tasks
Perform the Deliver methodology phase
– Create the repeatable process

17 Data Privacy Analysis Phase

18 Analysis
The Analysis phase can be broken down into two major activities:
– identification and documentation of the data model (DM) components of the application,
– identification and documentation of the functional model (FM) components of the application.
These two activities provide the cornerstone for a Data Privacy initiative, and as such, are arguably the most critical of the entire project scope.

19 Managing Analysis Tasks

20 Data Model Analysis
The goal of the Data Model Analysis activities is to provide knowledge about the environment’s data:
– determine the elements that are considered sensitive;
– define their association to other data objects.

21 Data Privacy_ _Data_Model_Analysis

22 Function Model Analysis
Identifies and documents information about the application processes:
– determine what business rules and logic apply to the data considered sensitive or private;
– outline how the affected data should be changed;
– identify all data validations and checks done against sensitive fields within the application programs.

23 Analysis Tasks
(Entity-relationship diagram of the sample application; PK = primary key, FK = foreign key)
CONTACT_TBL: CUSTOMER_NUMBER (PK, FK1), CONTACT_ID (PK), CONTACT_NAME, TITLE, CONTACT_CODE, ADDRESS, CITY, STATE, ZIP_CODE, COUNTRY, AREA_CODE, TELEPHONE_NUM
PART_TBL: PART_NUMBER (PK), PART_NAME, EFFECT_DATE, EQUIVALENT_PART, PURCH_PRICE, SETUP_COST, LABOR_COST, UNIT_OF_MEASURE, MATERIAL_COST, REWORK_COST, AVAILABILITY_IND, ENGR_DRAW_NUM
ORDER_LINE_TBL: ORDER_NUM (PK, FK1), ORDER_LINE_NUMBER (PK), PART_NUM (FK2), PLAN_QTY, UNITS_COMPLETE, UNITS_STARTED, SCRAP_QTY, START_DATE, LINE_STATUS
CUSTOMER_HIST_TBL: CUSTOMER_ROWID, CUSTOMER_NUMBER, COMPANY_NAME, TELEPHONE_NUM, CONTACT_NAME, CONTACT_TITLE
SUPPLIER_TBL: PART_NUMBER (PK, FK1), SUPPLIER_CODE (PK), SUPPLIER_NAME, SUPPLIER_MODEL_NUM, WHOLESALE_PRICE, DISCOUNT_QUANTITY, PREFERRED_SUPPLIER, LEAD_TIME, LEAD_TIME_UNITS
ORDER_TBL: ORDER_NUMBER (PK), CUST_NUM (FK1), SOC_SEC_NUM, CREDIT_CARD_NUM, MOTHERS_MAID_NAME, ORD_TYPE, ORD_DATE, ORD_STAT, ORD_AMOUNT, ORD_DEPOSIT, ORD_LINE_COUNT, SHIP_CODE, SHIP_DATE, ORD_DESCRIPTION
CUSTOMER_TBL: CUSTOMER_NUMBER (PK), COMPANY_NAME, ADDRESS, CITY, STATE, ZIP_CODE, COUNTRY, AREA_CODE, TELEPHONE_NUM, CONTACT_NAME, CONTACT_TITLE, CONTACT_ADDR, CONTACT_CITY, CONTACT_STATE, CONTACT_ZIP, CONTACT_COUNTRY, CONTACT_AREA_CD, CONTACT_TELEPHONE
Tools shown: Data Modeling Tools; Data Management Tools; File-AID/DB2 / DBA-Xpert; Impact Analysis; File-AID/Data Solutions Analysis
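As an added illustration of the Analyze phase's "Discover PII / Classify data" task (example code written for this transcript, not Compuware's tooling or the presenter's material), the following Python script classifies a constructed subset of the tables above. The schema subset, the fictitious sample rows, the column-name patterns and the category labels are all assumptions made for the example. What it demonstrates is why the Data Model Analysis needs both metadata and content: a name-based scan finds SOC_SEC_NUM and CREDIT_CARD_NUM, but only a scan of sample values finds the Social Security number sitting in the free-text ORD_DESCRIPTION column.

```python
import re

# Constructed subset of the tables on the Analysis Tasks slide (table -> columns).
SCHEMA = {
    "CUSTOMER_TBL": ["CUSTOMER_NUMBER", "COMPANY_NAME", "ADDRESS", "ZIP_CODE",
                     "TELEPHONE_NUM", "CONTACT_NAME"],
    "ORDER_TBL": ["ORDER_NUMBER", "CUST_NUM", "SOC_SEC_NUM", "CREDIT_CARD_NUM",
                  "MOTHERS_MAID_NAME", "ORD_AMOUNT", "ORD_DESCRIPTION"],
    "PART_TBL": ["PART_NUMBER", "PART_NAME", "PURCH_PRICE"],
}

# Constructed, fictitious sample rows standing in for a data profile of each table.
SAMPLE_ROWS = {
    "CUSTOMER_TBL": [
        {"CUSTOMER_NUMBER": "C100", "COMPANY_NAME": "Acme Ltd", "ADDRESS": "1 Main St",
         "ZIP_CODE": "02134", "TELEPHONE_NUM": "617-555-0100", "CONTACT_NAME": "Pat Lee"},
    ],
    "ORDER_TBL": [
        {"ORDER_NUMBER": "1001", "CUST_NUM": "C100", "SOC_SEC_NUM": "123-45-6789",
         "CREDIT_CARD_NUM": "4111111111111111", "MOTHERS_MAID_NAME": "Smith",
         "ORD_AMOUNT": "250.00",
         # free-text field: a name-based scan alone never flags this column
         "ORD_DESCRIPTION": "rush order, ssn 987-65-4320 on file"},
    ],
    "PART_TBL": [
        {"PART_NUMBER": "P-77", "PART_NAME": "Bracket", "PURCH_PRICE": "4.50"},
    ],
}

# Metadata rules: hypothetical column-name patterns that suggest a sensitive element.
NAME_RULES = [
    (re.compile(r"SOC_SEC|SSN"), "SSN"),
    (re.compile(r"CREDIT_CARD|CARD_NUM"), "PAN"),
    (re.compile(r"MAID"), "SECURITY_ANSWER"),
    (re.compile(r"TELEPHONE|PHONE"), "PHONE"),
    (re.compile(r"^ADDRESS$|^ZIP"), "ADDRESS"),
    (re.compile(r"^CONTACT_NAME$"), "PERSON_NAME"),
]

# Content rules: value patterns; the Luhn check keeps plain numeric keys from being
# mistaken for card numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def content_category(value: str):
    """Classify one value by what it contains, or return None."""
    if SSN_RE.search(value):
        return "SSN"
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(value)):
        return "PAN"
    if PHONE_RE.search(value):
        return "PHONE"
    return None


def classify_schema(schema, samples):
    """Return {(table, column): {"category": ..., "evidence": [...]}} for every
    column flagged by its name, by its sample content, or by both."""
    findings = {}
    for table, columns in schema.items():
        for col in columns:
            category, evidence = None, []
            for pattern, cat in NAME_RULES:
                if pattern.search(col):
                    category, evidence = cat, ["name"]
                    break
            for row in samples.get(table, []):
                cat = content_category(str(row.get(col, "")))
                if cat:
                    category = category or cat
                    evidence.append("content")
                    break
            if category:
                findings[(table, col)] = {"category": category, "evidence": evidence}
    return findings


def content_only(findings):
    """Columns found only by content: typically free text that hides PII."""
    return sorted(key for key, f in findings.items() if f["evidence"] == ["content"])


if __name__ == "__main__":
    for (table, col), f in sorted(classify_schema(SCHEMA, SAMPLE_ROWS).items()):
        print(f"{table}.{col}: {f['category']} (evidence: {', '.join(f['evidence'])})")
```

Columns returned by `content_only` are the ones to take into the Function Model Analysis, since the application logic that writes free text is what needs to change, not just the column's disguise rule.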

24 Utilize Technology For Analysis

25 Understand the Sensitive Elements

26 Document Analysis Results

27 Data Privacy_ _Data_Model_Analysis

28 Design Overview
Design is the second phase of the Compuware Data Privacy Best Practices methodology and it is broken down into three major activities:
– Documentation of the Data Extracts to be created
– Identification and documentation of the data disguise rules to be created/implemented
– Documentation of the Data Loads to be created
These activities provide the background for the creation of the actual rules and specifications to create a Disguised copy of the data.

29 Design
Define application disguise strategy and process
– Field-level disguise rules (encrypt, translate, age, generate)
– Source extract criteria for data (filters, naming conventions, etc.)
– Security rules for supporting files
– Structure, value domain (content), population strategy for translate table(s)
– Target environment(s) and load method(s) to be used

30 Managing Design Tasks

31 Data Extract Design
Identifies the required information to extract the data from the original source tables/files/environments. Includes the following:
– environmental data (region, subsystem, server, etc.),
– driving object identification (which table/file do we drive the extract from),
– selection criteria information,
– extract-specific information needed to pull the needed information from the source tables/files.
Finally, the overall extract execution strategy will be documented (when to execute, frequency of execution, etc.).

32 Data Disguise Design
Takes the fields to be disguised and begins to scope out what exactly will be done to these fields to create a disguised test environment. Identifies:
– the specific disguise technique,
– selection criteria to be applied,
– field masking to be applied.
If any translations will be done, the Translation Table information is also documented (creation data, fields to be created, etc.).

33 Data Disguise Techniques
– Translate: Replace sensitive values with meaningful, readable data using a translation table
– Generate: Generate fictitious data from scratch or from some other source
– Encrypt: Replace sensitive values with formulated data based on a user-defined key
– Age: Replace sensitive dates consistently while maintaining the integrity of a date field
– Mask: Conceal partial fields
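As an added example of the five techniques applied as the field-level rules the Design slide calls for (example code written for this transcript; it is not the Compuware product's implementation, and its rule names, key, alias pool and sample extracts are assumptions), the following Python script disguises a constructed extract of CUSTOMER_TBL and ORDER_TBL. The encrypt rule is stood in for by an HMAC-based keyed substitution that keeps digits as digits and letters as letters; because it is deterministic and the same rule is applied to CUSTOMER_NUMBER and CUST_NUM, the relationship between the two tables survives, which is what the Develop phase's "Maintain Integrity" and "Validate" steps check. The translation table is populated as names are encountered, the age rule shifts every date by one fixed offset so date arithmetic still holds, and the per-rule counts are what an execution or audit report would carry.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Hypothetical disguise key; a real one is created in the Develop phase and protected
# under the Design phase's "security rules for supporting files".
KEY = b"example-disguise-key-not-for-real-use"
AGE_OFFSET = timedelta(days=-400)   # one shift for every date keeps date arithmetic intact
ALIAS_POOL = ["Alex Morgan", "Dana Reyes", "Kim Patel", "Lee Chen", "Sam Okafor"]

# Constructed, fictitious extracts of two related tables from the slide's data model.
SOURCE = {
    "CUSTOMER_TBL": [
        {"CUSTOMER_NUMBER": "C100", "CONTACT_NAME": "Pat Lee", "TELEPHONE_NUM": "617-555-0100"},
        {"CUSTOMER_NUMBER": "C200", "CONTACT_NAME": "Sam Roe", "TELEPHONE_NUM": "617-555-0101"},
    ],
    "ORDER_TBL": [
        {"ORDER_NUMBER": "1001", "CUST_NUM": "C100", "SOC_SEC_NUM": "123-45-6789",
         "CREDIT_CARD_NUM": "4111111111111111",
         "ORD_DATE": date(2011, 3, 1), "SHIP_DATE": date(2011, 3, 9)},
        {"ORDER_NUMBER": "1002", "CUST_NUM": "C200", "SOC_SEC_NUM": "987-65-4320",
         "CREDIT_CARD_NUM": "5500000000000004",
         "ORD_DATE": date(2011, 4, 2), "SHIP_DATE": date(2011, 4, 5)},
    ],
}

# Field-level rules: the parent key and the foreign key share the same keyed rule so the
# CUSTOMER_TBL -> ORDER_TBL relationship survives disguise.
RULES = {
    ("CUSTOMER_TBL", "CUSTOMER_NUMBER"): "encrypt", ("ORDER_TBL", "CUST_NUM"): "encrypt",
    ("CUSTOMER_TBL", "CONTACT_NAME"): "translate", ("CUSTOMER_TBL", "TELEPHONE_NUM"): "generate",
    ("ORDER_TBL", "SOC_SEC_NUM"): "encrypt", ("ORDER_TBL", "CREDIT_CARD_NUM"): "mask",
    ("ORDER_TBL", "ORD_DATE"): "age", ("ORDER_TBL", "SHIP_DATE"): "age",
}


def keyed_replace(value: str, key: bytes) -> str:
    """Encrypt rule (stand-in): keyed, deterministic, format-preserving substitution
    driven by an HMAC stream. Digits stay digits, letters stay letters, punctuation is
    kept, and equal inputs always produce equal outputs."""
    out, stream, counter = [], b"", 0
    for i, ch in enumerate(value):
        if i >= len(stream):   # extend the keystream for long values
            block = value.encode() + counter.to_bytes(4, "big")
            stream += hmac.new(key, block, hashlib.sha256).digest()
            counter += 1
        b = stream[i]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr(ord(base) + b % 26))
        else:
            out.append(ch)
    return "".join(out)


def translate_rule(value: str, table: dict) -> str:
    """Translate rule: look the value up, populating the translation table with a
    readable alias the first time a value is seen."""
    if value not in table:
        table[value] = ALIAS_POOL[len(table) % len(ALIAS_POOL)]
    return table[value]


def generate_phone(rng: random.Random) -> str:
    """Generate rule: fictitious data built from scratch."""
    return f"555-{rng.randint(100, 999)}-{rng.randint(1000, 9999)}"


def mask_partial(value: str, keep_last: int = 4) -> str:
    """Mask rule: conceal all but the trailing characters."""
    return "X" * (len(value) - keep_last) + value[-keep_last:]


def disguise_dataset(source, rules, key=KEY, seed=0):
    """Apply the rules to every table; return the disguised copy, a per-rule audit
    count and the populated translation table."""
    rng = random.Random(seed)   # seeded so the example is reproducible
    translation_table, audit, disguised = {}, {}, {}
    for table, rows in source.items():
        new_rows = []
        for row in rows:
            new_row = dict(row)
            for col, value in row.items():
                rule = rules.get((table, col))
                if rule == "encrypt":
                    new_row[col] = keyed_replace(value, key)
                elif rule == "translate":
                    new_row[col] = translate_rule(value, translation_table)
                elif rule == "generate":
                    new_row[col] = generate_phone(rng)
                elif rule == "age":
                    new_row[col] = value + AGE_OFFSET
                elif rule == "mask":
                    new_row[col] = mask_partial(value)
                else:
                    continue   # no rule for this column: copied through unchanged
                audit[rule] = audit.get(rule, 0) + 1
            new_rows.append(new_row)
        disguised[table] = new_rows
    return disguised, audit, translation_table


def referential_integrity_ok(data) -> bool:
    """Validate step: every disguised foreign key still points at a disguised parent."""
    parents = {r["CUSTOMER_NUMBER"] for r in data["CUSTOMER_TBL"]}
    return all(r["CUST_NUM"] in parents for r in data["ORDER_TBL"])


if __name__ == "__main__":
    out, audit, xlat = disguise_dataset(SOURCE, RULES)
    print("audit:", audit, "integrity:", referential_integrity_ok(out))
    for table, rows in out.items():
        for row in rows:
            print(table, row)
```

The keyed rule is the one that has to be applied identically wherever the same key value appears (here CUSTOMER_NUMBER and CUST_NUM); the translation table plays the same role for names, which is why the methodology treats its population strategy as a Design-phase decision rather than something each extract job decides on its own.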

34 Data Privacy_ _Disguise Rule Design

35 Data Privacy_ _Disguise Rule Design

36 Data Privacy_ _Data Load Design

37 Data Privacy_ _Data Load Design

38 Data Privacy Develop Phase

39 Develop Phase

40 Develop (diagram: Production z/OS and Distributed → Subset, Extract → Test Data Privacy Manager: Build, Test, Validate → Load, Maintain Integrity → Test z/OS and Distributed)

41 Develop - z/OS Relationships (diagram: AR/RI relationships in Production z/OS)

42 Develop - z/OS Extract (diagram: Production z/OS → Subset, Extract)

43 Develop - Distributed Related Extract (diagram: Distributed Production → Subset, Extract)

44 Develop - Disguise (diagram: Test Data Privacy Manager: Build, Test, Validate)

45 Develop - z/OS Load (diagram: Disguised Extract → Load, Maintain Integrity → Test z/OS)

46 Develop - Distributed Load (diagram: Extract File → Load, Maintain Integrity → Test Distributed)

47 Validate Results

48 Execution Reports

49 Audit Reports

50 Data Privacy Deliver Phase

51 Deliver (diagram: Production → Data Privacy Manager: Apply Privacy Rules, Subset, Extract, Load, Maintain integrity → System Test, Unit Test, QA Test, Acceptance Test, each on z/OS and Distributed; Privacy Audit Reports)

52 Managing Delivery Tasks (diagram: Fictionalized Data delivered to System, Unit, QA and Acceptance test environments; Privacy Audit Reports)

53 Deliver - Disguise Rule Administration (diagram: Disguise Rules → Test Data Privacy Manager)

54 Document - Extract & Disguise Reports

55 Document - Audit Reports

56 Data Privacy_1.4.1_Deliver Execution Sequence

57 Data Privacy_ _Deliver Execution Sequence

58 Data Privacy Solution Product
Technology – Tools that can deliver quality data that meets the integrity, consistency and usability demands of your data privacy requirements
Process – A clear strategy backed up by a methodology that serves as a roadmap or blueprint for an enterprise-wide data privacy initiative
Expertise – The knowledge and experience to effectively manage the process and drive the technology to implement data privacy assurance in the application testing environment

59 © 2011 Compuware Corporation — All Rights Reserved

