Sandboxes….and the law continued

This is on from the post where I raised the data protection law issues of  "we’ve created a simple, one-click process for cloning your entire Salesforce deployment an exact replica that includes all customizations and data." Sfdc offering. (see the other post for all the details)

This was picked up by Niel  last night. But as I was wading through some stuff on messrs Sarbanes and Oxley,and I thought "hang on" this may be more than just a "EU privacy thing"

Almost everything gets linked to SOX today so I may stretching this stretching this a bit (repeat: I'm not a lawyer), but surely there is a SOX management of internal controls issue here too. All sorts of confidential information such as pipeline would reside in the "exact data" you would be extracting. Even some of the configuration would be confidental in nature. I suspect most auditors would be very uncomfortable with this sort of "exact data" residing in a sandbox, with all sorts of IT bods accessing it. The issue becomes worse if you are then using this "exact data" to test an interface to an appexchange application. Who knows where it may end up being passed to….

If I look to the Numerix comments on  http://www.testingbestpractices.com/2006-01/  Niel, your company notes some sensible best practice.

Limit Real Data Exposure. Information used in testing efforts can be exposed to numerous groups: internal testing teams, outsourced testers and consultants. In addition, information such as payroll checks and invoices, are likely to be printed as part of the testing process. Making information available to this growing number of teams increases the likelihood of falling out of compliance with legislation, including HIPPA and the Data Protection Act (UK). So, limit access to real data and scramble data early in the testing cycle.

As part of such an offering, SaaS, or otherwise, I'd expect to see a strong scrambling feature and clear guidelines on handling test data. Perhaps these are part of the offering? If they are, surely they should be positioned in the marketing?
technorati tag:

3 thoughts on “Sandboxes….and the law continued

  1. I think I am one of the SOX victims. For testing data, we have to always mask out all sensitive information, even, it is used as the key information for user acceptance test. Besides, our team face a lot of difficulties in user account creation / maintenance. And we have not yet started to review the documentation standard / audit requirement. It’s a long way to go……

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s