maravis.com

The BP oil leak has been going on for weeks now and there does not seem to be an end in sight. As the saying goes, wise people learn from others’ mistakes and there are a couple of important lessons for organizations from this disaster.

One of the things that I have noticed is that a lot of companies use production data for testing. They usually justify this by saying that some use cases can only be reproduced by using production data. PCI-DSS requires that production data is scrubbed or sanitized before being used for testing purposes. The Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.

Almost every regulation and standard has logging requirements. This requirement is there to ensure that there is data that can show attacks and breaches. But there have been numerous breaches in which the the breach happened over a period of time and they were not discovered for a long time after.