Privacy and Data
Posted Thursday, March 20, 2014 1:27 PM
Old Hand
hisakimatama (3/20/2014)
Data security certainly isn't something that's enforced very well, even by the agencies created to do so.
Unfortunately, despite this vendor being contracted by the regulatory agency here, they've been operating for about 8 years without the slightest mishap in terms of inspection. How this happens is beyond me. Demanding that this sort of data be so heavily protected while you contract out to a company that doesn't even try is mind-boggling.


It has been my experience since the '80s that every regulation about data security has exemptions that allow for third-party vendors and grandfathering of existing processes.

Data is only as secure as the least secure thing that possessed it.
In other countries it is illegal to take someone else's card from them to swipe it for charges.
Here
Post #1553230
Posted Friday, March 21, 2014 4:26 AM
SSCertifiable
Steve Jones - SSC Editor (3/20/2014)
Jim Youmans-439383 (3/20/2014)
I used to want to know how my data was secured and make sure it was not being put at risk. "Used to" being the key phrase here.

I was actually reprimanded (actual HR sit down and note put in my employee file) for "not being a team player" and for "refusing to follow instructions" because I would not copy sensitive personal information (including SSN and some CC numbers, all in clear text) from our production system to several development systems.

My boss told me that my job was to do as I was told and keep the servers running. Let Data Security worry about the security.

The sad truth is that being a DBA does not make you a "data professional" in most companies. It makes you a data monkey that had better do as you are told. If you put up a fuss, you will either get reprimanded or fired.

I left that company soon afterwards, but I have found the same attitude in most other companies that I have worked for.

In my 18 years of experience, the DBA "data professional" that you speak of, with any kind of real decision-making power, is a myth.


I wouldn't refuse, and I'd say the note was justified. It's a bad idea, but don't confuse your rights/responsibilities with the company's. I wouldn't copy the data unless my boss had given me a document saying I needed to do this, and I'd have notified him this was a potential issue.

At the end of the day, this isn't the same as some illegal activity. My job is to get work done and inform the company of potential issues with the process. If they still want it done and assume responsibility, I'm OK with that.


I had a similar issue recently with a member of my team at the time being continually asked to do things which required them being given details which they shouldn't have access to in order to perform a different team's job. I raised this with the architectural team (which had the company's Security Architect and responsibility for such things). I said that we were happy to do the task even though it wasn't our responsibility, but were concerned that we shouldn't be doing it, as not only should we not have the information, but also development teams are transient, so eventually we would not be around to do it.

I believe that it ruffled a few feathers, but my "reasonable" approach meant that no-one could say I was being obstructive. In fact someone said that by raising the security breach they lost all plausible deniability, i.e. something had to be done, otherwise it was their neck for the chopping block.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1553405
Posted Friday, March 21, 2014 4:55 AM
SSCertifiable
PHYData DBA (3/20/2014)
In the last ten years I have had the pleasure to work with at least four different offshores that demanded real copies of databases to use in the development of their product.
Three of them ended up having to admit that they sold some or all of this data.
The fourth pointed out up front that this would be a possibility that they would not be liable for in their contracts.

Until we stop giving full and uncensored access to third-party vendors, how will there ever be data security?


As a developer I never want real data. Realistic data: yes. Real data: no.

I don't want access to the production database either.

It is not that I can't be trusted nor that I would mess things up. It is just that there is no need for me to have these things. I feel that same way about access to source code; no one outside of development (except any support functions who also maintain applications - which is a development function) should have access to modify code. In fact, I would want serious justification provided for why anyone would want access to read the code as there is often enough information to assist someone to carry out illegal, and certainly immoral, acts.

Anyone in security will tell you to only grant the minimal permissions for anyone to perform their own job. No more.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1553415
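The two posts above both come down to the same practical question: how do you give developers a copy of production that is realistic but not real, and grant them only that copy? The following T-SQL is an added example written for this thread, not code from any poster or from SQLServerCentral. The table, schema, column and role names (dbo.Customer, dev.CustomerMasked, DevReader) and the salt string are assumptions for illustration; the two rows of sample data are constructed.

```sql
-- Added example (not from the thread). Builds a masked view of a production
-- table so that a development copy taken from the view carries no real SSNs
-- or card numbers, then grants developers access to the view only.
-- All object names and the salt are assumptions for illustration.

-- Constructed stand-in for the production table described in the thread:
-- SSN and card number stored in clear text.
CREATE TABLE dbo.Customer (
    CustomerId  int           NOT NULL PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    SSN         char(11)      NOT NULL,   -- e.g. '123-45-6789'
    CardNumber  varchar(19)   NOT NULL    -- clear text PAN
);
INSERT INTO dbo.Customer (CustomerId, FullName, SSN, CardNumber) VALUES
    (1, N'Alice Example', '123-45-6789', '4111111111111111'),
    (2, N'Bob Example',   '987-65-4321', '5555555555554444');
GO

-- Schema for the masked objects; owned by dbo so that the view can read
-- dbo.Customer through an unbroken ownership chain.
CREATE SCHEMA dev AUTHORIZATION dbo;
GO

-- Masking view:
--  * SSN becomes a deterministic pseudonym: the first 8 bytes of
--    SHA-256(salt + SSN) reduced to 9 digits and formatted nnn-nn-nnnn.
--    Same input always gives the same output, so joins, uniqueness and
--    test fixtures keep working, but the salt (kept out of dev) means the
--    real SSN cannot be recovered from the pseudonym.
--  * CardNumber keeps only its last four digits, which is what support
--    scenarios usually need; the rest is replaced with 'X'.
CREATE VIEW dev.CustomerMasked AS
SELECT
    CustomerId,
    FullName,
    STUFF(STUFF(
        RIGHT('000000000' + CAST(
            ABS(CAST(CAST(HASHBYTES('SHA2_256', 'dev-salt-change-me' + SSN)
                          AS binary(8)) AS bigint) % 1000000000)
            AS varchar(9)), 9),
        4, 0, '-'), 7, 0, '-')                               AS SSN,
    REPLICATE('X', LEN(CardNumber) - 4) + RIGHT(CardNumber, 4) AS CardNumber
FROM dbo.Customer;
GO

-- Check before anything is copied: no masked row may still carry the real
-- SSN or the real card number. Expected result: leaked = 0.
SELECT COUNT(*) AS leaked
FROM dev.CustomerMasked AS m
JOIN dbo.Customer       AS c ON c.CustomerId = m.CustomerId
WHERE m.SSN = c.SSN
   OR m.CardNumber = c.CardNumber;

-- Least privilege for the development role: the masked view only.
-- The DENY blocks direct reads of the base table; it does not break the
-- view because ownership chaining skips the check on dbo.Customer.
CREATE ROLE DevReader;
GRANT SELECT ON dev.CustomerMasked TO DevReader;
DENY  SELECT ON dbo.Customer       TO DevReader;
GO
```

When the development systems are separate servers, the copy to hand over is taken from dev.CustomerMasked (SELECT INTO, bcp, or an SSIS package reading the view) rather than from a backup of the production database; restoring a production backup and masking afterwards still leaves the clear-text data on the development server for as long as that takes, and in every backup of it.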
Posted Monday, March 24, 2014 6:14 AM
Valued Member
So many people in IT just don't care, unless they have had a personal bad experience.

I had one data warehouse that shrank when the PCI-DSS / DP Act in the UK made room for directors to be personally fined and/or be sent to prison company etc. Until then I explored every avenue in getting the security in place to stop over 500 people from seeing credit card numbers and personal information.

But without the court cases and without public fines too many companies are now ignoring the requirements.


Post #1554001