This follows on from the post where I raised the data protection law issues of the SFDC offering: "we’ve created a simple, one-click process for cloning your entire Salesforce deployment — an exact replica that includes all customizations and data." (see the other post for all the details)
This was picked up by Niel last night. But as I was wading through some stuff on messrs Sarbanes and Oxley, I thought "hang on", this may be more than just an "EU privacy thing".
Almost everything gets linked to SOX today, so I may be stretching this a bit (repeat: I'm not a lawyer), but surely there is a SOX management-of-internal-controls issue here too. All sorts of confidential information, such as pipeline, would reside in the "exact data" you would be extracting. Even some of the configuration would be confidential in nature. I suspect most auditors would be very uncomfortable with this sort of "exact data" residing in a sandbox, with all sorts of IT bods accessing it. The issue becomes worse if you then use this "exact data" to test an interface to an AppExchange application. Who knows where it may end up being passed to…
If I look to the Numerix comments at http://www.testingbestpractices.com/2006-01/, Niel, your company notes some sensible best practice:
Limit Real Data Exposure. Information used in testing efforts can be exposed to numerous groups: internal testing teams, outsourced testers and consultants. In addition, information such as payroll checks and invoices is likely to be printed as part of the testing process. Making information available to this growing number of teams increases the likelihood of falling out of compliance with legislation, including HIPAA and the Data Protection Act (UK). So, limit access to real data and scramble data early in the testing cycle.
As part of such an offering, SaaS, or otherwise, I'd expect to see a strong scrambling feature and clear guidelines on handling test data. Perhaps these are part of the offering? If they are, surely they should be positioned in the marketing?
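To make the "scramble early" advice concrete, here is an added example (my own illustration, not code from Salesforce, Numerix or the original post) of what a scrambling pass over a cloned data set would need to do before the copy lands in a sandbox. The field names are modelled loosely on Salesforce Account and Opportunity objects and the records are constructed sample data; the secret key and the banding rule are my assumptions. The two properties a practitioner cares about are shown: referential integrity survives (opportunities still join to their accounts, because the same keyed token is used for the account name everywhere), and an audit check confirms that no original sensitive value leaks into the output.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records (hypothetical, not real Salesforce data):
# a cloned "exact replica" would carry customer names, contacts and pipeline.
ACCOUNTS = [
    {"Id": "001A", "Name": "Acme Widgets Ltd", "Email": "cfo@acme-widgets.example",
     "Phone": "+44 20 7946 0000"},
    {"Id": "001B", "Name": "Globex Corp", "Email": "buyer@globex.example",
     "Phone": "+1 555 0100"},
]
OPPORTUNITIES = [
    {"Id": "006A", "AccountId": "001A", "Name": "Acme Widgets Ltd - Renewal",
     "Amount": 125000.0, "Description": "Pricing agreed at 12% discount, board sign-off pending"},
    {"Id": "006B", "AccountId": "001B", "Name": "Globex Corp - New logo",
     "Amount": 48000.0, "Description": "Competing against vendor X"},
]

SENSITIVE_ACCOUNT_FIELDS = ("Name", "Email", "Phone")
SENSITIVE_OPP_FIELDS = ("Name", "Amount", "Description")


def pseudonym(secret: bytes, value: str, prefix: str) -> str:
    """Keyed, deterministic token. The same real value maps to the same token
    within one refresh, so joins across objects still work, but without the
    key the mapping cannot be recomputed or reversed from the sandbox side."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:10]}"


def band_amount(amount: float) -> float:
    """Keep only the order of magnitude (assumed banding rule) so reports and
    validation rules still see realistic ranges without the negotiated figure."""
    if amount <= 0:
        return 0.0
    band = 10 ** (len(str(int(amount))) - 1)
    return float((int(amount) // band) * band)


def scramble_account(rec: Dict, secret: bytes) -> Dict:
    out = dict(rec)
    out["Name"] = pseudonym(secret, rec["Name"], "ACCT")
    out["Email"] = pseudonym(secret, rec["Email"], "user") + "@example.invalid"
    out["Phone"] = "+00 000 000000"
    return out


def scramble_opportunity(rec: Dict, accounts_by_id: Dict[str, Dict], secret: bytes) -> Dict:
    out = dict(rec)
    # Rebuild the opportunity name from the account's token, never the real name.
    acct = accounts_by_id[rec["AccountId"]]
    out["Name"] = pseudonym(secret, acct["Name"], "ACCT") + " - opp " + rec["Id"]
    out["Amount"] = band_amount(rec["Amount"])
    out["Description"] = "[redacted for sandbox]"
    return out


def scramble_export(accounts: List[Dict], opportunities: List[Dict], secret: bytes) -> Dict:
    by_id = {a["Id"]: a for a in accounts}
    return {
        "accounts": [scramble_account(a, secret) for a in accounts],
        "opportunities": [scramble_opportunity(o, by_id, secret) for o in opportunities],
    }


def leaked_values(original_accounts: List[Dict], original_opps: List[Dict], scrambled: Dict) -> List[str]:
    """Audit check: every sensitive original value must be absent from the
    scrambled export. Returns the values that survived (empty means clean)."""
    sensitive = {str(a[f]) for a in original_accounts for f in SENSITIVE_ACCOUNT_FIELDS}
    sensitive |= {str(o[f]) for o in original_opps for f in SENSITIVE_OPP_FIELDS}
    blob = repr(scrambled)
    return sorted(v for v in sensitive if v in blob)


if __name__ == "__main__":
    # Hypothetical per-refresh key; it stays with the production-side job, not in the sandbox.
    key = b"per-refresh-secret-kept-out-of-the-sandbox"
    export = scramble_export(ACCOUNTS, OPPORTUNITIES, key)
    print("leaked:", leaked_values(ACCOUNTS, OPPORTUNITIES, export))
    for opp in export["opportunities"]:
        print(opp)
```

The key point of the design is that the scrambling runs on the production side, before the clone is handed to anyone, and the key is discarded or kept away from the sandbox; a sandbox that contains both the tokens and the key is no better than one holding the real data. The leak check is the piece an auditor would ask to see evidence of.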
technorati tag: SAP
I think I am one of the SOX victims. For testing data, we have to always mask out all sensitive information, even when it is used as the key information for user acceptance test. Besides, our team faces a lot of difficulties in user account creation / maintenance. And we have not yet started to review the documentation standard / audit requirement. It’s a long way to go…
idpt,
In a shameless sales response, suggest you check out the Compliance Calibrator and the other Virsa tools from SAP. They help automate this…
Very amazing site! I wish I could do something as nice as you did…mary