Doreen Broom recently asked:
> Another one...am I right in stating that all test data
> should in fact be "dummy" data. I have been queried
> over this as people say it is more meaningful to have
> live data as you will get a more meaningful test. Am
> I being too hard by insisting on test data?
Many public sector organisations are seeking to abide by BS7799:1999 Code of
Practice for Information Security Management (also published as ISO
17799:2000). If you are connected, or intending to connect to either NHSnet,
the Criminal Justice Extranet (CJX formerly called PNN2) or GSInet, then
your Chief Executive will have signed a code of connection statement saying
that your Information Security is based upon BS7799.
And BS7799-1:1999 does indeed address the issue of Test Data in section
10.4.2 "Protection of system test data" where it states:
Test data should be protected and controlled. System
and acceptance testing usually requires substantial
volumes of test data that are as close as possible to
operational data. The use of operational databases
containing personal information should be avoided.
If such information is used, it should be
depersonalized before use. The following controls
should be applied to protect operational data, when
used for testing purposes.
a) The access control procedures, which apply to
operational application systems, should also apply
to test application systems.
b) There should be separate authorization each
time operational information is copied to a test
application system.
c) Operational information should be erased from
a test application system immediately after the
testing is complete.
d) The copying and use of operational information
should be logged to provide an audit trail.
There is also an earlier reference to the fact that Test Data might require
secure disposal (section 8.6.2 "Disposal of Media").
One thing you do need to be aware of, from a practical point-of-view, is
that it is almost impossible to test comprehensively using only one set of
Test Data. Testers usually therefore maintain several datasets, which need
regular updating and this is sometimes achieved by taking a copy of live
data and applying a "depersonalisation algorithm". Only, in the real world,
tight deadlines sometimes result in this stage being skipped - with the
result that testing is carried out using a recent copy of live data.
--
Graham Smith
P.S. If you're ever looking for pre-assessment help with BS7799-2
compliance, I am a certificated BS7799 auditor.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|