The Five Key Factors That Can Ensure the Safety of YOUR Customer Data During Software Testing

by Wendy Castro – 

These days, organizations are able to gather and store more information about their customers than ever before. Modern technology makes that possible. From the corporate viewpoint, that’s a good thing. The more an organization knows about its customers, the better it’s able to serve them — and profit from them.

But let’s flip that script, and look at it from the customer’s viewpoint. Think of a company with which you regularly do business. Imagine all the data they’ve amassed about you, very likely including extremely sensitive info such as credit card information, bank account information, your social security number, and perhaps even much of your personal medical history.

Are you comfortable with any company — and likely many companies — holding that much information about you?

Lots of Reasons to Answer NO!

Recent history provides plenty of reasons for you to answer in the negative to the rhetorical question above. Many of the world’s largest organizations haven’t been particularly careful with your information. They’ve allowed cybercriminals to steal millions upon millions of customer records — very possibly including yours.

It’s bad enough if an organization has permitted a lapse in cybersecurity that has exposed your private information to criminals. But what about organizations that cavalierly use your private data in conducting software testing?

You would also consider that unacceptable, no?

Governments Agree: Time to Be More Careful with Customer Data

Recent government legislation has morphed the protection of customer data from a ‘should do’ to a ‘must do.’

The General Data Protection Regulation (GDPR) was enacted in 2018. And the California Consumer Privacy Act of 2018 (CCPA) will be enforced beginning in 2020. Both have resulted in businesses paying more mind to protecting the Personally Identifiable Information (PII) of both customers and employees.

Governmental intervention has had an impact. At the end of the third quarter of 2018, the number of data breaches was significantly lower — down 50% compared to 2017, as identified in the Identity Theft Resource Center’s (ITRC) 2018 September Data Breach Package¹ and the 2017 Annual Data Breach Year-End Review reports¹.

But data breaches still occur far too often, with seemingly regular announcements of enormous breaches permitted by massive organizations such as Facebook, the U.S. State Department, and T-Mobile.

Though these breaches may seem to happen in production systems, staging environments also represent a potential vulnerability for data exposure. In fact, data breaches continue to occur quite regularly during the software testing process. Many such testing-related breaches occurred in 2018, including the compromise of employee data at Shutterfly², and student data in both New York³ and Mississippi⁴.

And so, wherever PII test data are used for testing — in the staging environment or even during SIT— organizations should ensure that testing data is provided the same protection as would be provided in live production.

How to Ensure That Your Software Testing Is Secure

Keeping your organization’s PII test data secure throughout the testing process requires a focus upon the following five key factors:

1. Test Environment Security: Focus on both the physical environment where your testers perform their jobs, and on the software environment where the system under test resides. Considerations for each environment include the following:
   1. The physical environment: Depending on the sensitivity of the test data to be used, a “clean room” may be implemented wherein only authorized testers are permitted, with no recording devices such as smartphones allowed, and no pens or paper permitted to be carried in or out of the room. The trustworthiness of personnel working in the environment should be verified through background checks.
   2. The software environment: There should be network segregation between different environments to ensure that a project team will not be able to see another project’s test environment. Control of access to the environment should typically require two-factor authentication. Movement of data to and from the environment is controlled; for example, emails with attachments are quarantined, and email to and from domains not whitelisted are blocked. And backups of the environment should be taken periodically.

2. Protection of Test Data: To the extent possible, avoid the use of live PII data. If the use of live PII data cannot be avoided, sensitive details should be masked or removed. There should be a separate authorization required each time live data is copied to the test environment. The copying and use of live data should be logged to provide an audit trail. And masked live data should be deleted immediately from the test environment after testing is completed.

3. Secure Coding Practices: Implementing secure coding standards and guidelines based on industry standards such as OWASP may also be used as a basis for test cases to verify the security of a system under test. The use of external code analysis tools and test metrics during test also provides insight to possible vulnerabilities that may exist in the system being tested.

4. Security Checkpoints: Conduct security reviews at designated testing milestones to verify compliance with policies and standards. Doing so will ensure that controls are enforced.

5. Secure Repositories: Test cases, test scripts, and test results should be stored in a private, shared repository, accessible only to the project team. Public or shared cloud storage should be avoided.

How RCG Global Services Implements the Five Key Factors

In maintaining compliance with data privacy laws and standards, all organizations are expected to protect data across all stages of the software testing process. It’s a necessary focus in fighting cybercrime and keeping data secure.

RCG Global Services, as an ISO 27001:2013 Certified and PCI-DSS v2.3 compliant company, is certainly doing its part. We’ve established both an Information Security Management System (ISMS) and a Data Privacy Management Program.

Our ISMS and Data Privacy Management Programs are audited annually by TUV Rheinland, an ISO-accredited third-party auditor. Certification is renewed every three years, and annual surveillance audits ensure ongoing compliance. All employees undergo annual refresher training on information security policies and data privacy laws. Internal audits and regular floorwalks are performed to verify compliance with RCG security policies and client security requirements. Compliance dashboard and metrics are reported to management monthly.

RCG is also a certified PCI-DSS service provider. SISA, a PCI-DSS authorized scanning vendor (ASV) and qualified security assessor (QSA), performs quarterly vulnerability scans and annual external penetration tests on the RCG network.  And the SISA QSA conducts audits annually to verify compliance with PCI-DSS requirements.

Maintaining Data Security Throughout Global Software Testing Operations

RCG is truly a global operation. We provide offsite software testing services to clients at our Offshore Delivery Center (ODC) in the Philippines. And we maintain rigid data security throughout our offshore testing operations.

RCG ODC connects to our client environments via secure VPN connections using 2-factor authentication. All project teams’ connectivity to the clients are network segregated.

Depending on client security requirements, the project teams may work in a clean room or in a dedicated room. The minimum clean room policy bans personal items inside the project room. All bags, mobile phones, and devices are kept in lockers outside of the project room. Pens and papers are supplied inside the project room, and may be neither removed from nor brought into the room. Shredders provided inside the project room facilitate the secure disposal of paper artifacts. And all client data are stored in the client environment and not in the RCG environment.

Personnel security is also strictly enforced. Criminal record clearance is a standard requirement for all employees upon joining RCG. Additional background checks may be obtained depending on client security requirements.

Do as We Do…

If you’re unsure whether your organization is adequately protecting PII data during software testing, just do as we do at RCG Global Services — exactly as we’ve detailed above.

No empty boasting intended with the above statement. It’s just that we’re quite confident in our testing data-security standards.

The RCG ISMS and Data Privacy Management programs were established specifically for the protection of client confidential and sensitive data. We take information security and data privacy very seriously. All of our clients enjoy the assurance that their data are protected and safe — always.

If only all organizations — including those that have their hands on your personal, private data — could confidently and truthfully make the same proclamation!

To Learn more:

Subscribe to receive more blogs like this from RCG

#IdeasRealized

Works Cited

1. Identity Theft Resource Center https://www.idtheftcenter.org/notified

2. Enterprise Times (2018, April 5) "Shutterfly reacts to data breach"
Retrieved from https://www.enterprisetimes.co.uk/2018/04/05/shutterfly-reacts-to-data-breach/

3. Chalkbeat New York (2018, Jan 18) "Personal data of 52 New York students is compromised after testing-company breach"
Retrieved from https://ny.chalkbeat.org/2018/1/18/21104183/personal-data-of-52-new-york-students-is-compromised-after-testing-company-breach

4. Insurance Journal (2018, Jan 29) "School Testing Vendor Data Breach Exposes Info of 663 Mississippi Students" Retrieved from https://ny.chalkbeat.org/2018/1/18/21104183/personal-data-of-52-new-york-students-is-compromised-after-testing-company-breach