Recently, I was performing a routine audit of a client’s SDLC for an application in development, in view of routine compliance audit, and in the process of reviewing test cases, I was shocked to find real PII data in the requirement; I mean the whole enchilada…not just name and address, but date of birth, driver’s license, and even SSN. Apparently, the client had included a screenshot of an employee’s human resources record as part of the BRD, and sent it by email to an offshore developer team. Rule #1 in data security: Never use real PII data for development or testing purposes.
I wish I could say that such was an isolated incident, but
believe it or not, the practice is common, as clients often provide non scrubbed
data and artifacts with real PII data during requirements gathering, and unwitting BAs, business
owners, and developers simply distribute the same, seemingly without a care in
the world. This shows how unaware most people are when it comes to data and
information security; often it is the little things that lead to the big
things. Likewise, minor security threats often lead to big ones, as a result of
negligence that often stem from ignorance or lack of policy guidelines. Fact is, majority, over 80%, of the data
breach and identity theft that occur are perpetrated by employees who have
access to sensitive data, whether intentionally or otherwise. Individuals who
do not understand how important it is to protect data, their personally
identifiable information (PII) or the PII of others, put the security of their
sensitive information and those of others at risk. We have work to do to educate people on the
importance of securing data and how to do so. Developers should never have access
to real PII data for development and testing purposes.
No comments:
Post a Comment