One of the most important concerns many of our clients have today is data security. Many clients are outsourcing support and even development of internal systems. Recently, some of our clients have undertaken data privacy or masking initiatives to ensure that sensitive data is protected, in order to enable such outsourcing efforts. Sensitive data is often classified as Personally Identifiable Information (PII), which refers to data related to an individual’s identification, for example, social security number, credit card number, address, e-mail and phone numbers. This type of data is often found in HR, Benefits, Insurance, Claims and Patient systems, among others. Personal data can refer to employees, beneficiaries, vendors, customers and any persons the enterprise deals with.
In addition to information related to specific people in the enterprise, it is also important to consider confidential information related to entities or businesses, such as client confidential information. Similar data elements should be considered for customer data as well, such as name, address, phone, URL, e-mail, etc. However, there are additional areas to consider here, and all systems that may contain sensitive customer information should be scrutinized. Some examples of areas to consider are: systems that store client interactions or CRM systems, which might contain detailed conversations between the enterprise and customers; sales and marketing systems, which might contain customer profile data and contact information; transaction systems, which might contain details about the work the enterprise performs for customers; support systems, which might contain information about customer issues; and ERP systems, which might contain billing, project or financial data. Any systems that have data that should not be exposed outside the enterprise’s relationship with its customers should be reviewed and considered within data privacy initiatives.
Typically, our clients’ information security office, legal, and/or audit areas drive the requirements for data privacy. However, having a firm such as BTRG that specializes in data privacy can bring some expertise to augment requirements and make sure that all bases are covered. In our engagements, we bring both technical expertise in how to execute masking using the IBM InfoSphere Optim and Guardium solutions and an understanding of what types of systems need to be reviewed for sensitive data and what elements inside those systems should be considered.