Major University Leads the Way to Compliance
Uses data masking to protect training databases

The Problem
Need for Secure, Repeatable and Realistic Training Environment

While fulfilling their mission of education, scholarship, and public service, institutions of higher learning need sound training methods when bringing new faces into a complex operation. A leading university trained and tested new employees using monthly refreshes (copies) of their production database in order to reduce the technical learning curve. This practice may have provided employees with a learning environment reflective of their new jobs, but a security risk was subsequently exposed.

The Risk
Identity Theft and Compliance

University trainees regularly performed functions such as setting up accounts, creating new students and searching for existing students using real, sensitive and unprotected data. This means that while the database itself was secure, students’ social security numbers, addresses and other Personally Identifiable Information (PII) were exposed to potentially thousands of new and existing employees each year. This put their students at risk for identity theft, and the university in non-compliance with several acts of government legislation. In addition, a complex environment like Oracle Applications stores PII in multiple locations and in different formats such as fiscal code, national identifier, fed tax I.D. and more. The fact that PII could be easily overlooked within the applications labyrinth augmented the risk.

The Goals
Protection, Ease, Compliance, Sound Procedures

The university has always implemented best practice policies in the spirit of doing what is right for their students and employees. The VP of Financial Systems sought a solution to protect student information from this little known but significant loophole involving non-production databases. His goals were to:

  • Protect student data from trainees and employees
  • Maintain Structure of the production database and provide a "real" environment for trainees
  • Execute a fresh, repeatable training environment with ease
  • Comply with all applicable acts of government legislation
  • Implement best practices that limit data access and quickly expose compliance issues
  • Maintain same cloning timeline: The new solution needed to manage a large amount of data overnight
  • Easily install, implement and use
The Alternatives

The Consequences

Build in-house scripts
  • Are difficult to maintain
  • Create extra costs when upgrading and patching
  • Are not approved by internal compliance and security groups for reasons of conflict of interest and
    technological independence
  • Create cost prohibitive additions to human resources
Ignore the problem
  • The VP of Financial Systems did not approve
  • The risk was too high: loss of student information, non-compliance, potential for loss of student
    relationships was not acceptable
  • Expensive Fallout: the potential for negative press, punitive damages, and/or civil suits was
    not acceptable

The Solution - iScramble

iScramble is a new approach that fulfills the obligation to protect private data from information exposure, comply with privacy legislation, and install strong internal controls. iScramble replaces private data with similarly constructed values that are useless to a data thief. Yet the iScrambled replacement data, unlike encrypted data, is completely useful for IT functions including programming, and requires no coding or decryption keys. The software is intelligent, determining which information should be scrambled, and can be customized for your industry and environment… Read full description here

The iScramble Benefits

iScramble has built-in best practices that address multiple levels of database security. As a result, iScramble naturally supports the collaboration between departments at the University and allows the IT team to take the initiative in preparing for an internal audit. Since iScramble provides unique data “rules” that comply with all legislative acts applicable to universities, the application itself can proactively fulfill certain IT audit requirements. The IT team also has a quick catalogue of every area, both obvious and obscure, where PII resides within the Oracle Applications framework.

The iScramble solution is both scaleable and intuitive. It can be run by someone without knowledge of Oracle Applications and runs in about two hours - well within the needed University timeframe. The trainees can continue to learn from a training database reflective of the jobs they will perform. However, now all personally identifiable information has been obfuscated and replaced with structurally sound but unidentifiable data. This protects sensitive data from a loophole that could result in theft. With the success of iScramble in training environments, the university has now rolled the product out to other non-production databases.

 

Legislation brought into Compliance

  • FERPA
  • California Senate Bill 1386
  • Other State notification bills
  • Gramm-Leach Bliley Act
  • PCI-DSS

 

© 2009 MENTISoftware. All rights reserved. Terms of Use Privacy Policy 212-861-2235 info@mentisoftware.com