Best Practices for Ensuring Data Privacy inProduction and Nonproduction SystemsW H I T E PA P E R

This document contains Confidential, Proprietary and Trade Secret Information (“Confidential Information”) ofInformatica Corporation and may not be copied, distributed, duplicated, or otherwise reproduced in any mannerwithout the prior written consent of Informatica.While every attempt has been made to ensure that the information in this document is accurate and complete, sometypographical errors or technical inaccuracies may exist. Informatica does not accept responsibility for any kind ofloss resulting from the use of information contained in this document. The information contained in this document issubject to change without notice.The incorporation of the product attributes discussed in these materials into any release or upgrade of anyInformatica software product—as well as the timing of any such release or upgrade—is at the sole discretion ofInformatica.Protected by one or more of the following U.S. Patents: 6,032,158; 5,794,246; 6,014,670; 6,339,775; 6,044,374;6,208,990; 6,208,990; 6,850,947; 6,895,471; or by the following pending U.S. Patents: 09/644,280;10/966,046; 10/727,700.This edition published November 2011

White PaperTable of ContentsExecutive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Data Privacy Best Practices Are Sound Business Practice . . . . . . . . . . . . . . 3Protection of Sensitive Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Best Practices for Data Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Structured and Unstructured Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Data Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Best Practices for Data Leakage Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Sensitive Data and Data Masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Best Practices for Data Masking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Special Regulatory and Industry Requirements . . . . . . . . . . . . . . . . . . . . . 7Best Practices for Regulatory and Industry Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7Regulatory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Health Insurance Portability and Accountability Act (HIPAA) . . . . . . . . . . . . . . . . . . . . . . . 9General Compliance Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Ongoing Compliance Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Securing Applications and Data in Development . . . . . . . . . . . . . . . . . . . 11Best Practices for Sensitive Data in Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Best Practices for Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12System Administrators and Developers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems1

Executive SummaryThere is a growing need to protect sensitive employee, customer, and business data across theenterprise wherever such data may reside. Until recently, most data theft occurred from maliciousindividuals hacking into production databases. With a number of well-publicized and costlythefts creating both tremendous legal liability and bad publicity for the effected organizations,business has quickly grown more sophisticated in protecting against such attacks, but so have theattackers.While the industry deals with the most egregious aspects of data theft, many computer systemsstill remain vulnerable to attack at some level. An important tier of data remains practicallyuntouched and unprotected by today’s new data security procedures: nonproduction systems usedfor development, testing, and training purposes. These systems are generally less protected andleave a large hole in the data privacy practices at organizations of all sizes. These environmentsleverage real data to test applications, housing some of the most confidential or sensitiveinformation in an organization, such as national identification numbers, bank records, and otherfinancial information.This white paper discusses best practices for creating data privacy procedures in both productionand nonproduction environments. These procedures include creating a comprehensive set ofpolicies to classify datatypes that need to be protected, integrating these policies into day-to-daybusiness processes, providing ongoing compliance reviews, using a proven commercial solution formasking sensitive data in all production and nonproduction environments, and integrating theseprivacy processes and technology across the enterprise.2

White PaperData Privacy Best Practices Are Sound Business PracticeConfidentiality, integrity, and availability are the cornerstones of data privacy, as well as soundbusiness practices. They are essential for: Compliance with existing regulations and industry standards Reliable, accurate, high-performance services Competitive positioning Reputation of the firm Customer trust“Best practice” varies widely from one situation to another, even for a specific kind of control suchas passwords. “Best” is not used here in a literal way. Rather, it is used to combine such notionsas “good”, “commonly used”, “prudent”, “industry standard”, or “generally accepted”.Note that frameworks such as IS027001, COSO, COBIT, and ITIL provide a broad range of controlobjects, but do not provide specific information protection controls. Although there is no officialframework for best practices that your organization can simply adopt, a variety of data protectioncontrols have come to be widely accepted as sensible, baseline, and sound practices. In theend, the true authority for what is right for your organization comes from your organization’smanagement team, regulatory examiners, and industry standards.Protection of Sensitive DataEvery organization has sensitive data: trade secrets, intellectual property, critical businessinformation, business partners’ information, or customers’ information. All of this data must beprotected based on company policy, regulatory requirements, and industry standards. This sectionwill cover several important elements of protecting this data.Any organizations that collects, uses, and stores sensitive information should establish aninformation classification policy and standard. This classification policy and standard shouldcontain a small number of classification levels that will meet the organization’s needs. Mostorganizations will have at least three categories such as public, internal use only, and confidential.Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems3

Many organizations have long-established data classification guidelines. However, with theincreasing number of new regulations and advancement in industry standards, the mere presenceof a corporate policy is no longer sufficient. Some organizations have spent a lot of time and effortoperationalizing their data protection policy into the information technology (IT) infrastructureby deploying various controls and tools to minimize the risk of noncompliance. Data leakagedetection, prevention, and protection technologies have emerged over the past few years and arenow being widely used within IT organizations.Data governance, risk management, compliance, and business requirements should drive thenumber and definition of each data category as well as the requirements for labeling, storage,distribution, disclosure, retention, and destruction. Regulatory and industry rules and standardswill clearly play a significant role in the definition process. Other data will require protection,including trade secrets, research, formulas, pre-patent discovery, and various forms of customerand employee information.Another important aspect of data protection is to understand how data is used within theoperations of the organization and in what form they reside (e.g., hard copy, electronic documents,within database). In addition, protection requirements will vary by type of operational environment,such as production, production support, development, quality assurance (QA), or third party.The requirements for protecting sensitive or confidential data must be clearly defined and reflectthe specific requirements within the appropriate regulatory and industry rules and standards orbusiness policies. Specific data elements must be labeled as sensitive and should never be usedwithin their factual state in development, QA, or other nonproduction environments. The dataclassification policy should clearly identify the requirements for data masking.Finally, the organization must implement an audit process that will provide periodic independentreview to ensure that best practices are followed.Best Practices for Data ClassificationOrganizations must create a comprehensive set of policies and procedures for the classificationof all private, sensitive, and confidential data to adequately protect the organization’s critical dataassets. In addition, organizations should implement the following steps:1. Supply periodic awareness training for employees, contractors, and third-party service providers2. Integrate procedures into the day-to-day business processes and automate as much of theprocess as feasible3. Obtain periodic independent audits to review and report the results to senior management4

White PaperStructured and Unstructured DataSensitive data occurs in two forms: structured and unstructured. Structured sensitive data resideswithin business applications, databases, enterprise resource planning (ERP) systems, storagedevices, third-party service providers, back-up media, and off-site storage. Unstructured sensitivedata is dispersed throughout the firm’s infrastructure including desktops, laptops, thumb-drives,and other endpoints.Organizations must define, implement, and enforce their data classification policy and provideprocedures and standards to protect both structured and unstructured sensitive data. Forunstructured, they can use end-point security tools to control the use of portable devices andmedia, content analysis tools to detect the presence of sensitive data, and encryption toolsto protect unauthorized access to these devices. For structured data, organizations can useencryption and data masking software.Data LeakageData leakage is the intentional or unintentional release or loss of data to an untrusted third party.Business partners, customers, and employees trust that organizations that hold data about themwill take reasonable measures to protect the confidentiality and integrity of their sensitive dataand that those organizations must foresee and prevent intentional or unintentional misuse, breach,or theft of the sensitive data.Available technologies vary from simple blocking devices, paths, ports, other forms of egress andaccess, and mass encryption of devices, media, and connections to more complex or selectiveblocking. Technology now exists to monitor content in real time to identify selected information,conditions, people, entitlements, and actions to block, quarantine, encrypt, log, alert, or sanitizedata. There are currently two methodologies: scanning data at rest and analyzing data in motion.These technologies can be deployed in many parts of the infrastructure, but are more commonlyfound at end-point devices and external gateways. End-point devices typically contain removabledigital storage devices, hard-copy devices, and various forms of network connectivity that provideaccess to many internal network resources and in some cases could by-pass internal managednetwork gateways to get outside the organization. These often become conduits for data leakage.Some of the major drivers to prevent data leakage come from regulations such as the GrammLeach-Bliley Act (BLBA), Health Insurance Portability and Accountability Act (HIPAA), and 37 statebreach laws or from industry requirements such as the payment card industry (PCI-DSS) or fromnational security such as NERC Cyber Security Standard (CIP), DHS, NIST; and corporate policy.Best Practices for Data Leakage PreventionDeploy and integrate technology and processes throughout the infrastructure to detect and/orprotect sensitive data from leaking out of your enterprise. These steps will require physical andlogical controls and technology, changes in routine business and operational processes, andongoing monitoring and assessment of personnel who have access to sensitive information.Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems5

Sensitive Data and Data MaskingIt is important to have a common definition of “real data” and what we will refer to as “nonfactualbut real data” or “masked data.”For example, in SAP ERP, data elements define the characteristics of the data including the type,length, and business term such as “first name”, “last name”, or “city”.The data contained with the actual tables can be factual (e.g., an actual Social Security number)or it can be nonfactual (e.g., a random collection of numerals conforming to the data definition forthat particular data element).Data elements, such as “customer” or “order”, are often related to each other through the useof a key field. When there is an association with many data elements, protecting individual dataelements becomes complex. Some data elements alone may not contain sensitive data; however,once an association with other data elements occurs, they all become sensitive data. So datamasking software must quickly become very sophisticated to ensure that all the sensitive data isprotected (masked), the data is still contextually valuable, and referential integrity is maintained.Organizations sometimes develop their own data masking tools, which are effective to varyingdegrees. However, with the continuing onslaught of regulations and risk of fines, negative impacton reputation, and possibility of criminal convictions, organizations have moved toward thirdparty data masking technologies that are regularly updated according to evolving standards andregulations.Best Practices for Data MaskingUse a proven commercial solution for masking of sensitive data in both production andnonproduction environments, including development, quality assurance, sandbox systems,training,production support, and production. Choose a vendor that includes Support for a wide variety of databases and applications A proven track record Data discovery capabilities Out of the box data masking metadata to expedite project timelines Straight-forward easy to learn transformation logic A scalable high performing data masking server Simple to use and reuse data masking rules Built in separation of duties Auditing and validation capabilitiesInclude data masking in your standard data provision process so that sensitive data never residesin your nonproduction environments.Never provide third parties or offshore teams with sensitive data that is not masked.Never allow developers or other unauthorized personnel to access production data withoutdynamically masking sensitive data.6

White PaperSpecial Regulatory and Industry RequirementsDepending on the countries that your organization does business in, requirements for theprotection of sensitive data will vary. Nearly every country has data privacy laws, so you shouldalways perform a comprehensive review of each of the pertinent laws and their supportingrequirements. You will find that there is substantial commonality among these regulations—at leastin their spirit or intent. This white paper will focus on some of the more common regulations inNorth America.Best Practices for Regulatory and Industry RequirementsAlthough there are unique aspects to each regulatory item, complying with one may help youcomply with (or minimize your exposure to) another. In general, data security techniques arebroadly applicable across these regulations and also across a wide variety of industries. What oneindustry devises has a good chance of being useful to others.Many financial services firms have been taking data security seriously for a long time. The majorityof controls called for by the regulations have simply been considered sound business practices forearning customer trust. The latest regulations only add a few new concepts. Many firms will findthemselves well down the road toward complianceBecause testing and monitoring of controls should be done by parties not directly involved in thedesign or operation of those controls, there has been a substantial increase of a new businessfunction called IT risk management or IT data governance as a new best practice. The financialservices industry has taken the lead, but other industries also have adopted this new function.Many of the regulations and industry standards have special requirements for third-partyservice providers. These service providers include IT outsource, third party software vendors aswell as providers that fulfill elements of certain business processes (e.g., a business that doespromotional mailings for the company and must receive names and addresses).Your organization is not relieved of its responsibility to protect sensitive information just becausethe covered information moves into someone else’s hands.Regulations and industry standards either imply or specify that your organization must adaptto change. Your organization must keep up with changes in the business risk profile, businessprocess, employee training, all forms of threats, technologies, software bugs, and the never-endingflow of software application patches.Regulatory RequirementsThe following three examples of government regulation and industry standards indicate howconfidential data should be handled.Gramm-Leach-Bliley Act (GLBA)The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that offer financial productsor services such as loans, financial or investment advice, or insurance to individuals. Complianceis mandatory for all nonbank mortgage lenders, loan brokers, financial or investment advisers, taxpreparers, debt collectors, and providers of real estate settlements. The law requires that financialinstitutions protect information that is collected about individuals; it does not apply to informationthat is collected in business or commercial activities.Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems7

Best Practices for GLBAThere are three basic rules to understand to ensure compliance with GLBA:1. Ensure the security and confidentiality of customer records and information.2. Protect against any anticipated threats or hazards to the security or integrity of such records.3. Protect against unauthorized access to or use of such records or information that could result insubstantial harm or inconvenience to any customer.Let’s look into these three rules further. First, what does “ensure the security and confidentiality ofcustomer records and information” mean?In general terms, you should take all reasonable measures to guarantee that the privacy ofnonpublic personal information in all forms (electronic, hard copy, verbal) is protected fromunauthorized access and disclosure.Second, what does “protect against any anticipated threats or hazards to the security or integrityof such records” mean? Let us explain in layperson terms: “Protect against anticipated threats or hazards”—this requires the application of a riskassessment process to foresee the possible known or unknown threats and vulnerabilities inany form (physical, logical, human, or disaster) that may compromise the security and integrityof nonpublic personal information. “to the security or integrity of such records”—in this case, security can be defined as anythingthat would compromise the confidentiality of nonpublic personal information; integrity canbe defined as anything that could compromise the trustworthiness, reliability, accuracy, orsoundness of nonpublic personal information.Finally, what does “protect against unauthorized access to or use of such records or informationthat could result in substantial harm or inconvenience to any customer’ mean?The term “unauthorized access” is very familiar, but who authorizes access? We as consumersand customers play a role in defining who has access to our “nonpublic personal information”and under what conditions they can use this information. We sign and click on agreements everyday that define the terms and conditions of granting access to and use of our nonpublic personalinformation. However, the service providers that we grant these privileges to are required to followsecurity practices to ensure that “need-to-know” concepts are followed and all unauthorizedparties are denied access to our nonpublic personal information.Another very important best practice is to keep up to date with agency guidance on GLBA; it’s likekeeping up with operating system patches, but with less frequency. You must protect personallyidentifiable information in all environments, including development, QA, and test environments;the regulations do not differentiate among these environments. Remember: static data masking isthe safest way to protect sensitive information in development and QA environments.8

White PaperHealth Insurance Portability and Accountability Act (HIPAA)The HIPAA Security and Privacy Standard defines administrative, physical, and technicalsafeguards to protect the confidentiality, integrity, and availability of electronic protected healthinformation (PHI), sometimes referred to as personal health information. HIPAA has three majorpurposes: To protect and enhance the rights of consumers by providing them access to their healthinformation and controlling the inappropriate use of that information To improve the quality of health care in the United States by restoring trust in the health caresystem among consumers, health care professionals, and the multitude of organizations andindividuals committed to the delivery of care To increase the efficiency and effectiveness of health care delivery by creating a nationalframework for health privacy protection that builds on efforts by states, health systems, andindividual organizations and individualsBest Practices for HIPAAUnderstanding the HIPAA Security and Privacy Standard requirements is the key to interpretingwhat the covered entities must do:1. Ensure the confidentiality, integrity, and availability of all electronic protected health informationthat the covered entity creates, receives, maintains, or transmits2. Protect against any reasonably anticipated threats or hazards to the security or integrity of suchinformation3. Protect against any reasonably anticipated uses or disclosures of such information4. Ensure compliance by the workforcePayment Card Industry Data Security Standard (PCI DSS)PCI DSS originally began as five different programs by VISA, MasterCard, American Express,Discover, and JCB. Each company’s intentions were roughly similar: to create an additional level ofprotection for customers by ensuring that merchants meet minimum levels of security when theystore, process, and transmit cardholder data. In December 2004, these five companies alignedtheir individual policies and created the Payment Card Industry Data Security Standard.The first PCI DSS was introduced in January 2005. The standard is intended to allow merchants,card issuers, card processing companies, and other third-party service providers to demonstratecompliance with a common agreement for information security due care, rather than requiringthem to comply with differing requirements from each payment processing company.All of the five founding members have agreed to incorporate the PCI DSS as the technicalrequirements of each of their data security compliance programs. Each founding member alsorecognizes the Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)certified by the PCI Security Standards Council as being fit to validate compliance to the PCIDSS. The PCI Security Standards Council is an open global forum for the ongoing development,enhancement, storage, dissemination, and implementation of security standards for account dataprotection.Best Practices for Ensuring Data Privacy in Production and Nonproduction Systems9

The PCI DSS is considered one of the more comprehensive data security standards in a cluster ofregulations that have emerged over the past decade, and it is regarded as being relatively moreprescriptive than other laws and regulations. It covers 6 overall areas and 12 requirements, eachsupported by lower-level requirements.General Compliance Best PracticesOne of the most important aspects of data privacy is to use a risk management approach. Ifyour organization deals with health, financial, or other personal information, then your risk modelshould be risk averse and therefore, your interpretation of these requirements should lean towarda higher bar for your controls.Privacy is a subset of confidentiality and, in the spirit of these regulations and industry standards,must be protected from unauthorized access by using the latest industry security technologyproducts and solutions.Some best-practice technologies are content extrusion at the host and network gateways,encryption or masking of data at rest, network segmentation of sensitive data storage, and loggingall access attempts to sensitive data at infrastructure and application levels. Data at rest must beencrypted in all environments and masked in nonproduction environments. Use of tamper-prooftechnologies in data storage environments is one of the new methods of best practice.Encryption of portable devices is now an industry standard best practice, and failure to encryptportable devices containing sensitive data can be seen as being negligent by the regulatoryagencies, the courts, and the general public.Include real and frequent testing of your security infrastructure and IT control environment.Disaster recovery and business continuity plans should be tested by actually switching over tothe respective sites at least annually. Some organizations test their disaster recovery plan everyquarter.Risk AssessmentAny risk is assumable so long as the risk assumption decision is made by the right person(s) andso long as they are adequately informed.Risks pose potential consequences that can increase the cost of doing business. The same istrue for controls, which can add obvious costs (such as new processes, IT equipment, or softwarelicenses) and can also introduce qualitative costs (such as inconvenience to customers oremployees or processing overhead). The cost of a control is justified only if it is less than theavoided costs of compromise.No control is perfect, no matter how much you spend; it’s another balancing act. Strong controlsare usually more costly and almost always much more intrusive into processes and people’sexperiences. Least privileged and need to know are well-accepted best practices that are notalways easy to implement. If you limit a user’s privileges to the minimum he or she needs to dohis or her job, you will have done what you can to minimize the risks associated with that user’saccess to your environment. Some companies believe that every employee should be empowered10

White Paperto serve the customer in any way. This business choice makes limitation of privileges somewhatmoot. People make or break security; no amount of technology can make up for poor practicesand behaviors.Every technical control ultimately relies on some form of fallible human process: to build it,configure it, administer it, and use it.Ongoing Compliance AssessmentCompliance assessment is not a one-time task. It requires a repetitive process to be reasonablyeffective. Ideally, compliance is fully integrated into daily operations. Our definition of best practicecompliance assessment is fairly broad. It starts with understanding the controls: First, you need a clear understanding of the purpose of the control (what risk or risks it ismitigating), the specific attributes of the control (settings, parameters), the significance of thecontrol (from a risk perspective), whether there are secondary controls (back-up control that willperform the same level of risk mitigation), and the type of control (technology, process, people). There must be specific documented test criteria to ensure that the control, as defined in thefirst step, has been implemented correctly. The control must, most importantly, be tested todetermine its effectiveness in mitigating the risk as defined in step 1. The test results must be recorded (a permanent record of the test results must be retainedbased on your regulatory requirements). There should be an accountability process for this step.In some cases, the recording may be technological. If you are using a software tool to test yourcontrols, then the recording should be protected to ensure the integrity of the results. The test results must then be collected into a central repository for correlation an

enterprise wherever such data may reside. Until recently, most data theft occurred from malicious . encryption and data masking software. Data Leakage Data leakage is the intentional or unintentional release or loss of data to an untrusted third party. Business partners, customers, and em