Privacy and Data


PHYData DBA
SSC Eights! (935 reputation)
Group: General Forum Members
Points: 935 Visits: 537
hisakimatama (3/20/2014)
Data security certainly isn't something that's enforced very well, even by the agencies created to do so :-D.
Unfortunately, despite this vendor being contracted by the regulatory agency here, they've been operating for about 8 years without the slightest mishap in terms of inspection. How this happens is beyond me. Demanding that this sort of data be so heavily protected while you contract out to a company that doesn't even try is mind-boggling.


It has been my experience since the '80s that every regulation about data security has exemptions that allow for third-party vendors and grandfathering of existing processes.

Data is only as secure as the least secure thing that possessed it.
In other countries it is illegal to take someone else's card from them to swipe it for charges.
Here
Gary Varga
SSCoach (16K reputation)
Group: General Forum Members
Points: 16719 Visits: 6534
Steve Jones - SSC Editor (3/20/2014)
Jim Youmans-439383 (3/20/2014)
I used to want to know how my data was secured and make sure it was not being put at risk. "Used to" being the key phrase here.

I was actually reprimanded (actual HR sit down and note put in my employee file) for "not being a team player" and for "refusing to follow instructions" because I would not copy sensitive personal information (including SSN and some CC numbers, all in clear text) from our production system to several development systems.

My boss told me that my job was to do as I was told and keep the servers running. Let Data Security worry about the security.

The sad truth is that being a DBA does not make you a "data professional" in most companies. It makes you a data monkey that had better do as you are told. If you put up a fuss, you will either get reprimanded or fired.

I left that company soon afterwards, but I have found the same attitude in most other companies that I have worked for.

In my 18 years of experience, the DBA "data professional" that you speak of, with any kind of real decision-making power, is a myth.


I wouldn't refuse, and I'd say the note was justified. It's a bad idea, but don't confuse your rights/responsibilities with the company's. I wouldn't copy the data unless my boss had given me a document saying I needed to do this, and I'd have notified him this was a potential issue.

At the end of the day, this isn't the same as some illegal activity. My job is to get work done and inform the company of potential issues with the process. If they still want it done and assume responsibility, I'm OK with that.


I had a similar issue recently with a member of my team at the time being continually asked to do things which required them being given details which they shouldn't have access to, in order to perform a different team's job. I raised this with the architectural team (which had the company's Security Architect and responsibility for such things). I said that we were happy to do the task even though it wasn't our responsibility, but were concerned that we shouldn't be doing it, as not only should we not have the information, but also development teams are transient, so eventually we would not be around to do it.

I believe that it ruffled a few feathers, but my "reasonable" approach meant that no one could say I was being obstructive. In fact, someone said that by raising the security breach they lost all plausible deniability, i.e. something had to be done, otherwise it was their neck on the chopping block.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Gary Varga
SSCoach (16K reputation)
Group: General Forum Members
Points: 16719 Visits: 6534
PHYData DBA (3/20/2014)
In the last ten years I have had the pleasure to work with at least four different offshore vendors that demanded real copies of databases to use in the development of their product.
Three of them ended up having to admit that they sold some or all of this data.
The fourth pointed out up front that this would be a possibility that they would not be liable for in their contracts.

Until we stop giving full and uncensored access to third-party vendors, how will there ever be data security?


As a developer I never want real data. Realistic data: yes. Real data: no.

I don't want access to the production database either.

It is not that I can't be trusted nor that I would mess things up. It is just that there is no need for me to have these things. I feel that same way about access to source code; no one outside of development (except any support functions who also maintain applications - which is a development function) should have access to modify code. In fact, I would want serious justification provided for why anyone would want access to read the code as there is often enough information to assist someone to carry out illegal, and certainly immoral, acts.

Anyone in security will tell you to only grant the minimal permissions for anyone to perform their own job. No more.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Yet Another DBA
SSC-Addicted (499 reputation)
Group: General Forum Members
Points: 499 Visits: 1234
So many people in IT just don't care, unless they have had a personal bad experience.

I had one data warehouse that shrunk when the PCI-DSS / DP Act in the UK made room for directors to be personally fined and/or sent to prison, etc. Until then I explored every avenue in getting the security in place to stop over 500 people from seeing credit card numbers and personal information.

But without the court cases and without public fines, too many companies are now ignoring the requirements.