jana

Questions when sensitive data must be seen by IT development staff and support staff

Hi,

This may sound a bit crazy, but is there a way to protect sensitive data from programmers while they are developing the application? (Sounds crazy because the programmers have to see the data.) For example, we are compiling social data of staff like family components, relationships, members' income, health issues, etc. Management wants to protect the data from IT support techs that will support these apps and from programmers that will be developing the apps. If there is no way, and IT has to see all the data, what can a company do to manage this situation where very sensitive data is projected to be in the system?

What we have come up with is using dumb data (not real data) for developers to create the applications. We will use this data from creation up to validation stage. In data import, the tech responsible has to see this data (so there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see data but will not have a test environment with real data.

What do you guys think? Any Experts with this type of experience, your input is fully appreciated.
ASKER CERTIFIED SOLUTION
slightwv (Netminder)

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
jana

ASKER

Thanks David, that's where we are now.

slightwv and David,
I started looking up info on Least Privilege, and it's a lot (POLP, POMP and POLA, where what is recommended is POLP). To my understanding of what POLP is, that is how the users are set up in the accounting system, but can I apply this to developers?

Is it like what I said in my question:
"What we have come up with is using dumb data (not real data) for developers to create the applications. We will use this data from creation up to validation stage. In data import, the tech responsible has to see this data (so there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see data but will not have a test environment with real data."
SOLUTION
jana

ASKER

Good idea, will follow suit on it.

So POLP is just "principles" or "concepts" or "how-to's", there are no apps or tools one can get?
jana

ASKER

To close this question, what kind of person or company does this type of work?
slightwv (Netminder)

>>So POLP is just "principles" or "concepts" or "how-to's", there are no apps or tools one can get?
>>To close this question, what kind of person or company does this type of work?

Sorry but I'm not sure I understand these questions.

Tools or apps to do what?
What type of work?
SOLUTION
jana

ASKER

Thank you, it's something related to what mbkitmgr indicated in his entry - we started setting up scripts to test this.

By any chance, do you know of companies or sites specializing in Principle of Least Privilege (POLP)?

Don't know that POLP is something anyone can specialize in. It is a core concept of overall InfoSec. Any good security company should cover it. There are many companies that specialize in information security and at many levels.
SOLUTION
jana

ASKER

Thank you very much! Great info!

Ok guys, I think I have enough to continue on this road, Thanks!