Issue link: http://epubs.itworldcanada.com/i/38461
IT Business: Strategies to improve operations, manage complexity and reduce costs

How to start a privacy-focused legacy redesign

Safeguarding customer information on legacy systems comes with a unique set of challenges. What they are, and how to overcome them.

By Rafael Ruffolo
ComputerWorld Canada, August 2011

Most large organizations today are concerned with safeguarding their IT systems and the private data they collect from their customers. But the same effort that goes into ensuring newly provisioned IT systems or software are built with privacy in mind hasn't extended retroactively to legacy infrastructure.

Like most IT adventures, the challenge for the department is the lack of high-level support from business leaders. While this sentiment could be waning in the wake of Apple Inc.'s "Locationgate" scandal making news, plus recent public data breaches at organizations like Sony Entertainment Inc., Amazon.com Inc., and EMC Corp.'s security wing RSA, Ontario's Information and Privacy Commissioner Ann Cavoukian said that IT leaders will still have to fight hard to make the case for privacy-focused redesign projects.

Here are some of the biggest issues and how you can start to address them.

ISSUE: Out-of-control data

The biggest privacy risks arising from legacy systems always revolve around the sensitive information kept about consumers. Cavoukian said the concept of data minimization should be embraced at every organization looking to build a strong framework for privacy. She said that systems in existence today were designed in the era of cheap data storage, which has led to the collection of unnecessary data and an increased burden of care for enterprises. Moving away from the "data hoarding" mindset is the hallmark of an effective legacy redesign. "Quite simply, if you don't need the data, don't keep it," she said.

SOLVING IT

Cavoukian advised IT staff to counter the view that "more is better" when it comes to data collection.
"I would impress upon the business executives that the more information we protect and retain in personally identifiable form, the greater the onus and duty of care for us," she said. If that argument alone does not work, emphasizing the impact data hoarding can have on data accuracy might do the trick.

Sagi Leizerov, executive director and leader of Ernst & Young Inc.'s privacy practice, said that because data retention goes beyond privacy, its management actually becomes an "interdisciplinary" priority across the organization. The IT department must work with legal, privacy, security and auditing teams to identify weaknesses.

"The initial step would be to identify the information and understand the business requirements of the information," he said. That also entails understanding the conditions in which the organization collected the data and what limitations were made in the privacy notice. Leizerov said organizations should define a policy before launching or redesigning a system that interfaces with your customer database.

With the number of systems and apps and the ongoing sharing of information between business units, even companies that want to cut back on what they've collected will find it difficult to determine what they actually have and where it's located.

For Cavoukian, cleaning up your stored data and changing your future collection policies will include revisiting assumptions about how much personal information is necessary to operate your system, reviewing your retention time policies, altering database permissions and destroying data that no longer serves a business purpose.

ISSUE: Hand-me-down apps

Talking about the challenges with modernizing legacy apps often means dealing with the issue of aging custom applications, according to Derek Silva, research analyst at London, Ont.-based Info-Tech Research Group Inc. "Legacy custom apps were typically designed for closed access and were not connected to a broader network," he said. "While that may have worked 10 or 15 years ago, this should no longer be the case."

As privacy legislation has increased over the last ten years with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the Health Insurance Portability and Accountability Act (HIPAA) privacy rule in the U.S., organizations have felt the pressure to avoid an embarrassing and harmful data breach.

ITWorldCanada.com • ITBusiness.ca
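The clean-up steps Cavoukian and Leizerov describe above (identify the information you hold, review retention periods, restrict database access, destroy data that no longer serves a purpose) can be turned into a repeatable job against a legacy customer table. The script below is an added example written for this page, not code from the article or from any organization it quotes. It assumes a hypothetical SQLite table named `customers`, a constructed policy (`REQUIRED_COLUMNS`, `PII_COLUMNS`, `RETENTION_DAYS`), and constructed sample rows; a real deployment would take the policy from the privacy notice and the legal/audit review rather than from constants.

```python
"""Data-minimization and retention job for a legacy customer table.

Added example, not from the article. The table, policy and rows are all
constructed for illustration.
"""
import sqlite3
from datetime import date, timedelta

# Constructed policy: columns the current business purpose still needs,
# columns that hold personal information, and how long (days) an inactive
# customer record may be kept before it is destroyed.
REQUIRED_COLUMNS = {"customer_id", "email", "last_activity"}
PII_COLUMNS = {"email", "phone", "date_of_birth", "home_address", "support_notes"}
RETENTION_DAYS = 365

# Constructed sample rows (customer_id, email, phone, dob, address, notes, last_activity).
SAMPLE_ROWS = [
    (1, "a@example.com", "555-0100", "1970-01-01", "1 Main St", "called twice", "2011-07-20"),
    (2, "b@example.com", "555-0101", "1980-02-02", "2 Elm St", "", "2009-03-15"),
    (3, "c@example.com", "555-0102", "1990-03-03", "3 Oak St", "refund", "2011-01-05"),
]


def build_db():
    """Create the hypothetical legacy table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE customers (
               customer_id INTEGER PRIMARY KEY, email TEXT, phone TEXT,
               date_of_birth TEXT, home_address TEXT, support_notes TEXT,
               last_activity TEXT)"""
    )
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_columns(conn, name):
    """Column names from the schema; these are never user input."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({name})")]


def inventory(conn):
    """Step 1: identify which PII columns actually hold data, and how many rows."""
    counts = {}
    for col in table_columns(conn, "customers"):
        if col in PII_COLUMNS:
            # Column name comes from PRAGMA table_info, not from a caller.
            sql = f"SELECT COUNT(*) FROM customers WHERE {col} IS NOT NULL AND {col} != ''"
            counts[col] = conn.execute(sql).fetchone()[0]
    return counts


def purge_expired(conn, today):
    """Step 2: destroy records whose last activity is past the retention period."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = conn.execute("DELETE FROM customers WHERE last_activity < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def minimize_columns(conn):
    """Step 3: null out PII columns the stated business purpose no longer needs."""
    dropped = sorted(c for c in table_columns(conn, "customers")
                     if c in PII_COLUMNS and c not in REQUIRED_COLUMNS)
    for col in dropped:
        conn.execute(f"UPDATE customers SET {col} = NULL")
    conn.commit()
    return dropped


def create_least_privilege_view(conn):
    """Step 4: give downstream apps a view exposing only the required columns."""
    cols = ", ".join(sorted(REQUIRED_COLUMNS))
    conn.execute(f"CREATE VIEW IF NOT EXISTS customers_app AS SELECT {cols} FROM customers")
    conn.commit()
    return table_columns(conn, "customers_app")


def run(today=date(2011, 8, 1)):
    """Run the whole job and return a summary suitable for an audit record."""
    conn = build_db()
    before = inventory(conn)
    purged = purge_expired(conn, today)
    nulled = minimize_columns(conn)
    view_cols = create_least_privilege_view(conn)
    after = inventory(conn)
    remaining = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    return {"before": before, "purged": purged, "nulled": nulled,
            "view_columns": view_cols, "after": after, "remaining": remaining}


if __name__ == "__main__":
    print(run())
```

The summary returned by `run()` is the piece worth keeping: it records what personal data existed before the job, what was destroyed, and what the application-facing view now exposes, which is the evidence the legal, privacy and audit teams Leizerov mentions will ask for. In a real database the view would be paired with a revocation of direct table access for application accounts; SQLite has no account model, so that step is left out here.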