Posts Tagged ‘SDLC’

DHS Exploding Generator Shows Dire Need For Better Computer Security

Thursday, September 27th, 2007

Scanning the news this morning, this CNN headline caught my eye, “Mouse click could plunge city into darkness, experts say
The first sentence is compelling:


Carnegie Mellon’s Data Privacy Head Urges Development of New Privacy Technologies

Wednesday, July 11th, 2007

I enjoy reading Scientific American Magazine. And I especially am interested in reading their articles that touch upon, or directly address, information security, privacy or compliance. It is always nice to see the views of practitioners, educators, researchers and others who are not on the typical information security circuit of publications.


Outsourced Company’s Unsecure Application Makes U.K. Passport Applicant PII Available to Everyone On the Internet

Wednesday, May 30th, 2007

On May 18 the U.K. Data Protection Commissioner said in a Channel 4 news report he’s going to investigate why an online visa application system allowed the personally identifiable information (PII) of around 50,000 applicants from India who had applied for U.K. passports viewable on the Internet.


The Need to Build Security In: Poor Implementation of Indianapolis Public Schools Website Allows Viewing of PII For 7000+ Students and Teachers

Friday, May 18th, 2007

Today Monsters and Critics reported, “Indianapolis Public Schools exposes thousands to risk of identity theft.”
Apparently the Indianapolis Public Schools (IPS) website “that allows teachers to post reviews, student-writing samples, grades, and other confidential material to the IPS network” was implemented and configured without much attention to security.


Iowa Student Gets Internship from Google for Reporting Security Flaw: More Proof Vendors Need Stronger Security Checking For Their Products

Saturday, May 5th, 2007

Last night while my sons and I were watching the news it was reported that in Davenport, Iowa a St. Ambrose University student, David Bloom, found a security flaw in early December when he was using the Google Docs and Spreadsheets program.


Reducing Attack Exposure for Internet-Facing Applications

Thursday, May 3rd, 2007

Yesterday the Channel 12 news in Jackson, Mississippi reported a Kennesaw, Georgia business had its Internet-facing computer system hacked. That business’s application is “now generating thousands of counterfeit messages to businesses and consumers, purporting to be a complaint filed with the BBB.”


PII About 800,000 Individuals Compromised at UCLA

Tuesday, December 12th, 2006

Today CNN reported personally identifiable information (PII), Social Security numbers, home addresses and birth dates, about 800,000 current and former UCLA students, faculty and staff may have been compromised.
Surprisingly, the unauthorized access reportedly was occurring from October, 2005 through November 21 of this year when the security staff finally noticed suspicious activity.


Data De-identification and Masking Methods

Monday, July 31st, 2006

There is increasing concern about the use of real/actual personally identifiable information (PII) for test and development purposes.  I’m also increasingly concerned about the use of PII by sales representatives who are showing demos to potential clients.  I was recently surprised to see a vendor showing me a demo of his security software using the actual production data of his clients, which included a vast amount of PII about his clients‚Äô customers, such as names, social security numbers and credit card numbers.  He had accumulated this information while doing work for the clients with the software.  Needless to say, his demo turned into a long discussion about the risks involved with this practice.  Such a practice is an incident and lawsuit waiting to happen.  Unfortunately the sales staff at many companies use production data for demo purposes.  And it’s not just software vendors.  Insurance representatives often show their potential clients demos using PII, as do financial organizations, and healthcare companies, plus potentially other industries.  Do you know if your sales staff is using your production data?

I just posted a new podcast, "Data De-identification and Masking Methods," a follow-up to my last podcast, ‚ÄúWhat IT Leaders Need to Know About Using Production Data for Testing.‚Äù I discuss some of the ways in which data can be de-identified, or masked, to use for not only test purposes, but also for demo and other purposes. There are many ways to de-identify and mask data.  Some are better than others.  It all depends upon the type of data you‚Äôre working with, and the associated application or system.  I briefly describe seven ways in which data can be masked and de-identified, in addition to an alternative in the slim chance that there is absolutely no way in which anything other than production data can be used for testing. The ultimate goal is to protect the privacy and confidentiality of PII while also making meaningful data available for purposes of testing, demos or analysis.

MP3: Rebecca Herold – Data De-identification and Masking Methods

What IT Leaders Need to Know About Using Production Data for Testing

Friday, July 14th, 2006

There are many issues involved with using live production data, particularly real personally identifiable information (PII), for test and demo purposes.  For many years it has been the norm within organizations to use copies of production data for testing during applications and systems development.  However, over the past few years this practice is becoming more and more of a bad idea with all the new privacy laws and regulations, identity theft cases, insider instigated fraud, increased customer awareness, and the growing number of companies using outsourced companies to manage applications development, testing and quality assurance. 

In my latest podcast I discuss the importance of and reasons for using data that does not include real, production PII for test and development purposes.

MP3: Rebecca Herold – What IT Leaders Need to Know About Using Production Data for Testing