Sandboxes….and the law continued

This follows on from the post where I raised the data protection law issues of the "we’ve created a simple, one-click process for cloning your entire Salesforce deployment an exact replica that includes all customizations and data." Sfdc offering (see the other post for all the details).

This was picked up by Niel last night. But as I was wading through some stuff on Messrs Sarbanes and Oxley, I thought "hang on", this may be more than just an "EU privacy thing".

Almost everything gets linked to SOX today so I may be stretching this a bit (repeat: I'm not a lawyer), but surely there is a SOX management of internal controls issue here too. All sorts of confidential information such as pipeline would reside in the "exact data" you would be extracting. Even some of the configuration would be confidential in nature. I suspect most auditors would be very uncomfortable with this sort of "exact data" residing in a sandbox, with all sorts of IT bods accessing it. The issue becomes worse if you are then using this "exact data" to test an interface to an AppExchange application. Who knows where it may end up being passed to….

If I look to the Numerix comments on  Niel, your company notes some sensible best practice.

Limit Real Data Exposure. Information used in testing efforts can be exposed to numerous groups: internal testing teams, outsourced testers and consultants. In addition, information such as payroll checks and invoices is likely to be printed as part of the testing process. Making information available to this growing number of teams increases the likelihood of falling out of compliance with legislation, including HIPAA and the Data Protection Act (UK). So, limit access to real data and scramble data early in the testing cycle.

As part of such an offering, SaaS, or otherwise, I'd expect to see a strong scrambling feature and clear guidelines on handling test data. Perhaps these are part of the offering? If they are, surely they should be positioned in the marketing?

Sandboxes….and the law.

First up I’m not a lawyer, I’m one of those odd people who have an information technology law degree, but aren’t lawyers. Salesforce have just announced a sandbox solution. (Saw this on the big endian blog, which I linked to from Jeff’s blog.) This seems to be a copy of a live system into a test or sandbox environment.

To quote from the site “In response to customer requests, we’ve created a simple, one-click process for cloning your entire Salesforce deployment an exact replica that includes all customizations and data.” (judging that it is also offered on the UK site and the German site, SF plan to offer this in Europe too)

At least over here the terms sandbox and live data probably shouldn’t go in the same sentence. The data captured in CRM systems is typically personal information. (According to the UK Data Protection Act of 1998, personal data “means data which relate to a living individual who can be identified”.)

Under UK law I reckon this sandbox of “exact data” would be illegal under the Data Protection Act of 1998. (Similar laws exist across Europe, as they derive from the same EU directive.) Data protection is sometimes referred to as Privacy, especially in the US.

To quote: Iain Bourne of the government’s Information Commission said: “Firms should use dummy records for testing. If live records are in use, that is something we’d be interested in.”

The law provides powers to fine the data controller and to shut the system down if necessary.

Understanding the mass of law that impacts software globally is not easy. What may be perfectly sound business practice in country A is illegal in country B. That is why things like global HR systems and global CRM are complex. The German user group have a 120 page guide to the legal issues around this just for CRM. Data Protection law is a big, messy complex area. Too many software firms, consultancies and customers don’t take it seriously enough. 



Compliance stuff.

Wrote this on the plane on the way back from Sweden. They speak better English than anywhere else in the world, even England.

I spent the last six months of 2005 working closely with the Virsa systems and the Virsa team. For my sins I managed the relationship between the Virsa EMEA team and our field organisation. Virsa is in the right place at the right time. Jasvir Gill and his team are really on the ball. I wish I had some shares.

It is a great example of how SAP’s ecosystem model can work well. The partner gets to leverage the SAP sales channel and brand, reaching a bigger and better target audience. SAP gets to market with a solution quicker than we could have done by playing catch up. The customer wins because they get the support and the integration commitment from SAP, yet the focus of a niche player. I’m looking forward to seeing this ecosystem model grow with other organisations. We are still learning a lot from working with Virsa about how to make a small company leverage the SAP machine.

Compliance is going to be big and just get bigger. SOX is just the tip of the iceberg. People that understand the legal issues and the technology solutions are going to be in serious demand. As the laws get more complex and demanding, technology will need to play a much greater role in policing, warning, optimising and reporting on compliance. (I hope so, as I’m in the middle of the world’s longest-lasting PhD on the relationship between law and enterprise applications.) I’m keen to share ideas with others working on compliance related issues, either from a law or technology perspective. Let me know what you think about the convergence of enterprise risk and compliance.

Those boring things that SAP has always been pedantically disciplined about (audit, security, authorisation, rules, workflow, access control and so on) have suddenly become trendy. In the past it was sometimes seen as “German” overengineering, especially in the sales cycle. Audit information systems and internal controls weren’t cool things to demo. Now they are. Thanks, Messrs Sarbanes and Oxley. Keep it coming.

There is lots of good stuff out there on the SAP community. Check it out. Hug an auditor today.