Test data is often overlooked, both by those who use it and by those charged with protecting it. Test databases are often compiled from production data. The production database contains corporate-specific, if not sensitive, data such as employee information, payroll data, sales forecasts, and customer information. This data must be sanitized by whatever means possible before it can be used.
RISK: If sensitive data is extracted from production databases and moved or used as test data, the security of the sensitive data is compromised.
Once data has been moved out of production, security controls are often less restrictive. The data is often moved to a less restrictive site, and access is given to a wide variety of developers and QA personnel.
AP-ADVICE-TESTDATA-01: Test data should be generated from generic data or sanitized to eliminate security issues regarding sensitive data.
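One way to apply this advice, shown as an added example that is not part of the original guidance: identifiers are replaced with keyed tokens, payroll values are replaced with generic ones, and the result is checked for leftover production values before release. The table layout, column names, sample rows and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for a production extract:
# (employee_id, name, email, national_id, salary)
PROD_ROWS = [
    (1, "Alice Example", "alice@corp.example", "123-45-6789", 91000),
    (2, "Bob Sample", "bob@corp.example", "987-65-4321", 64000),
]


def pseudonym(key: bytes, value: str, prefix: str) -> str:
    """Keyed one-way token. The same input always maps to the same token,
    so joins between sanitized tables still work."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:12]}"


def sanitize(rows, key: bytes):
    """Return a test copy with identifiers tokenized and values made generic."""
    out = []
    for index, (emp_id, name, email, _national_id, _salary) in enumerate(rows):
        out.append((
            emp_id,                                    # surrogate key, kept
            pseudonym(key, name, "emp"),
            pseudonym(key, email, "user") + "@test.invalid",
            f"000-00-{index + 1:04d}",                # synthetic, not derived
            50000 + 1000 * (index % 50),               # generic, not derived
        ))
    return out


def leaked_identifiers(prod_rows, test_rows):
    """Production names, emails or IDs that still appear in the test copy."""
    sensitive = {str(v) for row in prod_rows for v in row[1:4]}
    present = {str(v) for row in test_rows for v in row}
    return sensitive & present


if __name__ == "__main__":
    # The key stays on the production side and is never shipped with test data.
    key = secrets.token_bytes(32)
    test_rows = sanitize(PROD_ROWS, key)
    assert not leaked_identifiers(PROD_ROWS, test_rows)
    for row in test_rows:
        print(row)
```

The leak check is the gate: run it on every extract and release the test copy only when it returns an empty set.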