If this environment were healthcare, there would be hefty restrictions on ever using production data in testing environments, masked or otherwise. As tightly regulated as financial services is in the US, I can find no basis for justifying doing this; I would regard this as completely forbidden. In my own practice (security, privacy and regulatory compliance), I do not permit any client to employ this practice. And yes, there are definite compliance issues with this:
a. Testing and development personnel are generally not permitted access to live production data not fully de-identified - the type of environment does not matter.
b. If the type of de-identification method is reversible in any way, should unauthorized personnel gain access to the environment, that combination all but guarantees a breach and data theft.
c. Using the rationale of trying to save money will not be accepted by regulatory authorities as justification due to the perceived unacceptable and avoidable risk. The organization's risk acceptance/appetite/tolerance would likely be rejected due to the nature of the regulations in play and the nature of the risk itself; not to mention the existence of various acceptable alternatives.
The notion of using production data in any form other than completely sanitized has been rejected for as long as I have been working in the IT world (over 35 years). Even recognizing that producing a test data set is somewhat troublesome (valid test results are after all rather important), I can envision no justifiable rationale to support use of live data in any form other than fully de-identified and sanitized.
------------------------------
Ross Leo
Galen Data, Inc.
------------------------------
Original Message:
Sent: May 17, 2021 10:21:44 AM
From: Raji Krishnamoorthy
Subject: Using production data in test environment
Hi,
For a U.S.-based Financial Services organization, is it OK to do a data masking exercise on production data and use it in the test environment?
Will there be any compliance issues due to this?
------------------------------