The lie of the land: results of a survey conducted in May 2008

1. Testing Governance and Data Management The lie of the land: results of a survey conducted in May 2008 Jon Collins Freeform Dynamics Ltd +44 1285 771 433 [email_address] www.freeformdynamics.com

3. Thinking of your IT systems, how much does your organisation make use of the following? There’s plenty of custom application development going on

4. If you are using live data (e.g. from application databases), is this for any of the following reasons? Live data is a necessary part of the equation for a number of good reasons. The question is, though, how well is it controlled?

5. Is live data used during development or testing? (Those who knew) We are told by those that know, that live data is used in development and/or testing in almost three out of four organisations.

6. Knowledge of whether test data is used during the development or test cycle “ Those that know”: Many of those in the business responsible for risk and compliance are unaware of how live data is used in IT

7. Sanitisation of data for use in development/testing (Those who knew) About of third of organisations use data straight out of live systems, though many sanitise or anonymise data before use.

8. Who has primary responsibility for security policy in relation to application development and testing? The IT function is largely left to figure out and implement its own security policies in relation to application development and testing. The last bastion of the technical?

9. Security and the development cycle

10. How are your IT systems teams resourced? To begin with, we must understand who is involved, and it is clear that in the majority of cases, we need to consider external as well as internal staff.

11. Where does the majority of systems development and testing take place? The physical location and distribution of development and testing activity adds another interesting dimension to the consideration of lifecycle security.

12. Considering implementing new systems or significant upgrades to existing systems, how usual is it for you to set up development, test and live environments in the following ways? Then there is the question of how much development, test and live environments are separated during the lifecycle.

14. What priority do you give to improving the following aspects of your testing? The top two areas of improvement are both directly relevant to the use of live data. Policy is unclear from a business perspective and poor data test data management indicates a big potential risk.

15. What priority do you give to improving test data management? Ironically, those with more to lose (i.e. those using live data) are the ones who highlight the need for most improvement. This is no doubt in part due to a heightened awareness of the issues.

17. Do policies exist to deal with the way in which information is used and accessed? A mix of policy is the best bet for organisations using sanitised data.

18. Is your organisation subject to a lot of regulation with regard to record keeping? Note how “specific regulation” leads to higher use of sanitised data than more general regulation.

19. Is your organisation subject to a lot of regulation with regard to record keeping? (Priority given to improving test data management) Plus, more regulated organisations recognise the need to improve how they manage their test data.

20. How much do you agree or disagree with the following: ‘We have a single set of testing processes that we apply stringently to all of our testing’? Stringent application of testing process is more applicable in environments where data is sanitised

21. Turning specifically to software development and testing, which of the following statements fits your organisation? (Priority given to improving test data management) We can also see how important it is for business involvement to lead to test data management improvements.

22. What specific technical capabilities do you feel would make the most difference? Gaps in tooling that are consistent with the need for improvements in test data management and sanitisation of live data are clear.

23. What specific technical capabilities do you feel would make the most difference? Two thirds of those who use live data during test and development highlight the need for better tools to sanitise extracts.

25. Thank You Jon Collins, Service Director Freeform Dynamics Ltd [email_address] © 2008 www.freeformdynamics.com