Data and information governance is extremely important today, perhaps even more so than it was in 2008, when Freeform Dynamics ran a study looking at what was being done to enhance capability in the areas of compliance, discovery and, not least, data security.
The study focused on the use of data in the software lifecycle – that is, in the development and implementation of new applications and upgrades. This area was just as significant back then as it is today, but it’s also easy to forget that in many geographies there may be limitations on using data for testing if it includes sensitive information of customers. Some of what the study discovered was both revealing and worrying, so how much has really changed in the years since then?
The survey found that the vast majority of organisations taking part had at least some policies in place setting out how live data could be used in testing. A follow-up question showed that 71 percent of those taking part did use live data in their testing processes. Of those using live data, just over half said they only used sanitised data, i.e. data that had been anonymised. Around 40 percent of those using live data in testing said they did so in both sanitised and raw forms, and three percent admitted they only used the raw, unredacted, live data.
We must acknowledge that the use of live data can be perfectly acceptable if it doesn’t contain anything controlled by legislation, regulation or organisational policy. However, given the nature of most data held in businesses, it’s unlikely that all test data would have been completely unrestricted in this way.
Do we use live data in testing? No idea!
Some of the questions that followed shed worrying light on how data used in testing was controlled. For example, nearly all IT professionals and security managers knew whether live data was used in testing. But around two in every five managers looking after business risk or compliance were unable to answer questions on live data usage in testing processes. Almost as many business or finance managers were similarly in the dark.
I wonder how many of these were working under the assumption that it was an SEP (somebody else’s problem), or if they had simply not considered how their systems were tested. But taken together these results illustrated that there was plenty of scope for things to go wrong and for laws to have been broken.
Intriguingly, the survey found that almost two-thirds saw the need for significant improvement in communications between business and IT. On the technology side, a similar proportion of respondents thought that general test data management tools or tools to help sanitise data would help make a difference.
One thing is clear: tools of that kind are much more capable today than they were back then. But are they being used more widely now? In 2021, data governance is a matter that can easily impact the board room, and misuse of sensitive customer data may result in painful fines, never mind very bad publicity. Has your organisation improved how it governs test data?