Data Masking

Client:

Data Security for Fortune 50 Global Financial Services Company.

Challenge:

Implementation of a Data Masking security program to mitigate risk ofdata breach of Personally Identifiable Information (PII) in non-production environments.

Results:

  • Reduction of risk in 61 applications (11 more than targeted by Board of Directors) in initial 6 months of program using data masking, process change and application sun setting techniques.
  • Program exceeded initial risk mitigation goal and was 6% under budget.
  • Established several risk management procedures and Business-As-Usual (BAU) governance framework to evergreen the program.

Background:

In today’s global integrated network environment, a data breach can be very costly to an organization and damage its brand and reputation. The average cost per event is $7.2 Million as stated in the 2010 Annual Study: US Cost of Data Breach by The Ponemon Institute. The safekeeping of client records helps sustain customer confidence and brand integrity, and is also the law. Our Client was taking steps to safeguard their data by protecting sensitive PII used in non-production environments for application testing purposes. Data masking was utilized to obscure specific data components within data stores, without altering the original production data. It ensures sensitive data is replaced with realistic but not identifiable data linked to a specific customer.

Project Details:

Major Oak Consulting was engaged to lead the Program Management Office and ensure the successful implementation of our client’s Data Masking program across 4 Business Units and 100+ program participants. A critical success factor identified by the Client was to establish a BAU governance framework to perpetuate the program into the future as a consistent and repeatable practice. Major Oak’s role included all program management reporting, managing the master project plan and issue/risk logs, facilitating steering committee meetings, RFP development, vendor evaluation, contract review for outsourced data masking factory services, directing the annual planning process, driving the development of several risk management procedures and policies, implementing a standard SDLC for Data Masking across lines-of-business, generated multi-year senior management action plan, and creating a Risk Self Assessment mechanism to identify and track total population of applications with PII, for initial and ongoing mitigation effort. Major Oak also managed the Data Masking vendor.

The Major Oak Difference:

Major Oak successfully managed the Data Masking program, reporting to our Client’s Senior Management on this project, which had Board level exposure. Major Oak’s experience, led by a former CIO who acted as both the Client Advocate and Project Liaison, allowed us to more rapidly direct the program in the appropriate direction, as well as make recommendations based on real world experience to best manage program progress while mitigating Client risk. Our efforts to establish BAU governance framework and processes allowed our Client to take over the process and end our engagement 4 months earlier than originally planned. Major Oak’s involvement allowed the project to mask 20%+ applications than targeted and deliver results far greater than originally anticipated.