Morning all,

Our organisation is committed to compliance with the British Standard 7799:
Information Security Management (ISO/IEC 17799:2000(E)).  The following is
an extract:-
"10.4.2 Protection of system test data
Test data should be protected and controlled. System and acceptance testing
usually requires substantial volumes of test data that are as close as
possible to operational data. The use of operational databases containing
personal information should be avoided. If such information is used, it
should be depersonalized before use. The following controls should be
applied to protect operational data, when used for testing purposes.
a) The access control procedures, which apply to operational application
systems, should also apply to test application systems.
b) There should be separate authorization each time operational information
is copied to a test application system.
c) Operational information should be erased from a test application system
immediately after the testing is complete.
d) The copying and use of operational information should be logged to
provide an audit trail."

Interesting article at
http://www.out-law.com/php/page.php?age_id=systemtestingwith1065526767&area=news

and the BSI guide advertised at
http://www.bsi-global.com/ICT/Security/bip0002.xalter costs £75

My own view is that the subject information provisions apply, i.e. "Have we
told data subjects their personal data will be used for testing?" "Er, no",
is the usual answer.
Then follows, "Do you want to tell them or shall I?"

Regards


MD

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^