Assuring the security of sensitive information
by Martin Atherton, Jon Collins and Dale Vile
Many organisations have been driving improvements in information management to gain better control over their information assets. While things in this area are not perfect, awareness of the challenges is now high and action is being taken to enhance capability in the areas of compliance, discovery and, not least, data security. But are all the bases adequately covered?
Despite higher level initiatives, some important activity is falling under the radar
When feedback was gathered from 240 IT and business professionals on the topic of information governance, it was clear that an important area of activity is frequently overlooked. More than 70% of organisations employ data from live systems during the software development lifecycle for testing purposes. Unlike operational areas of the business that are subject to corporate level guidance and scrutiny, however, information governance in this pre-production environment is left largely to IT.
The risks are significant, and understanding them is important
While those running IT departments and development projects are generally very responsible, the environment is actually more risky than it appears at first sight. The people involved in software development and testing are not always employees, activity is often highly distributed across multiple locations, and the IT landscape used to support the development and test cycle is not always separated from live systems. With the best will in the world, there is inherently a lot of scope for things to go wrong, so effective information governance is critical to assuring ongoing security.
Plugging process and automation gaps is key if risks are to be properly managed
The way in which test data is managed is frequently highlighted as an area for improvement, which points directly to process deficiencies in many organisations. Even where processes are in reasonable shape, though, exposures still exist. The majority of respondents in the research pointed to the need for better automation in areas such as test data management, live data sanitisation, and workflow management during the testing process. This suggests a high degree of reliance on manual procedures, which are inherently error-prone: a column missed during a hand-run export, or a copy of production taken "just for this one test", is exactly the kind of lapse that no amount of good intent prevents.
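To make the "live data sanitisation" point concrete, the following is an added example written for this page; it is not code from the report or from any vendor tool it mentions. It shows the shape an automated sanitisation step can take: a per-column policy that fails closed when a column is not listed, keyed (HMAC-based) pseudonyms so that the same live customer maps to the same test value across tables and referential integrity survives, irreversible masking of card numbers, and a post-export check that no original identifying value survives verbatim. The records, the column policy and the key are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample "live" records for illustration only; nothing here is real data.
LIVE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "card_number": "4111 1111 1111 1111", "balance": 120.50},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.org",
     "card_number": "5500 0000 0000 0004", "balance": 0.0},
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "card_number": "4111 1111 1111 1111", "balance": 99.99},
]

# Hypothetical column policy. Every column that may leave production must be
# listed; an unlisted column is an error, never silently copied through.
POLICY = {
    "customer_id": "pseudonym",        # deterministic token, so joins still work
    "email": "pseudonym_email",        # deterministic, keeps a valid email shape
    "card_number": "mask_last4",       # irreversible, only last four digits kept
    "name": "drop",                    # replaced with a fixed placeholder
    "balance": "keep",                 # business value, not identifying on its own
}

EMAIL_SHAPE = re.compile(r"^user-[0-9a-f]{12}@example\.test$")


def _token(value: str, key: bytes, length: int = 12) -> str:
    """Keyed pseudonym. HMAC (not a plain hash) means the mapping is stable for a
    given key but cannot be rebuilt by someone who only holds the test database."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymise_email(value: str, key: bytes) -> str:
    # Hash the whole address (lower-cased) so two users with the same local part
    # at different domains do not collide; route to a reserved test domain.
    return f"user-{_token(value.lower(), key)}@example.test"


def mask_last4(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        raise ValueError("value too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitise_record(record: dict, key: bytes, policy: dict = POLICY) -> dict:
    out = {}
    for field, value in record.items():
        strategy = policy.get(field)
        if strategy is None:
            raise ValueError(f"no sanitisation strategy for column {field!r}; refusing to export")
        if strategy == "keep":
            out[field] = value
        elif strategy == "pseudonym":
            out[field] = _token(str(value), key)
        elif strategy == "pseudonym_email":
            out[field] = pseudonymise_email(str(value), key)
        elif strategy == "mask_last4":
            out[field] = mask_last4(str(value))
        elif strategy == "drop":
            out[field] = "REDACTED"
        else:
            raise ValueError(f"unknown strategy {strategy!r} for column {field!r}")
    return out


def sanitise_dataset(records: list, key: bytes, policy: dict = POLICY) -> list:
    return [sanitise_record(r, key, policy) for r in records]


def rejects_unlisted_column(record: dict, key: bytes, policy: dict = POLICY) -> bool:
    """True if the export fails closed on a column the policy does not cover."""
    try:
        sanitise_record(record, key, policy)
    except ValueError:
        return True
    return False


def find_leaks(originals: list, sanitised: list, policy: dict = POLICY) -> list:
    """Post-export check: does any original sensitive value survive verbatim?"""
    sensitive = {str(r[f]) for r in originals
                 for f, s in policy.items() if s != "keep" and f in r}
    return [(field, s) for row in sanitised for field, value in row.items()
            for s in sensitive if s in str(value)]


if __name__ == "__main__":
    # Per-environment key; in practice drawn from a secret store, never a production key.
    key = b"per-environment-secret"
    clean = sanitise_dataset(LIVE_RECORDS, key)
    for row in clean:
        print(row)
    print("leaks:", find_leaks(LIVE_RECORDS, clean))
```

Two design points matter more than the individual strategies. The policy is an allow-list keyed by column name, so adding a column to the live schema breaks the export until someone decides what to do with it, rather than quietly shipping it to a contractor's test environment. And the leak check runs against the same policy, so it catches a strategy that was mis-specified as "keep" as well as a bug in the masking code.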
Proactive review of current policy and process is recommended in many cases
If you are responsible for running an IT department or development organisation and haven't yet been challenged on how live data is used during the software lifecycle, it's only a matter of time before this happens, so it is better to prepare proactively. Rather than thinking of this as a burden, however, there is a real opportunity here to secure the support and funding required for improvements that will deliver much broader benefits. Whether it is more efficient processes or investment in better tools to manage software testing, the result is likely to be a smoother and more efficient operation that is both more pleasant to work in and easier to manage. From the corporate perspective, however, we cannot lose sight of the real imperative for control, which is effective risk management and preventing the accident that is sitting there waiting to happen.
(See also our best practice primer on testing governance, which is a companion document to this main research report)
The research upon which this report is based was designed and interpreted on an independent basis by Freeform Dynamics. Feedback was gathered from 240 IT and business professionals during the study, which was sponsored by IBM.