The Complete Book of Data Anonymization From Planning to Implementation

The Complete Book of Data Anonymization: From Planning to Implementation supplies a 360-degree view of data privacy protection using data anonymization. It examines data anonymization from both a practitioner's and a program sponsor's perspective. Discussing analysis, planning, setup, and governance, it illustrates the entire process of adapting and implementing anonymization tools and programs.Part I of the book begins by explaining what data anonymization is. It describes how to scope a data anonymization program as well as the challenges involved when planning for this initiative at an enterprisewide level.Part II describes the different solution patterns and techniques available for data anonymization. It explains how to select a pattern and technique and provides a phased approach towards data anonymization for an application.A cutting-edge guide to data anonymization implementation, this book delves far beyond data anonymization techniques to supply you with the wide-ranging perspective required to ensure comprehensive protection against misuse of data.

Overview of Data AnonymizationPoints to PonderPIIPHIWhat is Data Anonymization?What are the Drivers for Data Anonymization? The Need To Protect Sensitive Data Handled As Part Of Business Increasing Instances of Insider Data Leakage, Misuse of Personal Data and the Lure of Money for Mischievous Insiders Employees Getting Even With Employers Negligence of Employees to Sensitivity of Personal Data Astronomical Cost to the Business due to Misuse of Personal DataRisks Arising out of Operational Factors Like Outsourcing and Partner Collaboration Outsourcing Of IT Application Development, Testing And Support Increasing Collaboration With Partners Legal and Compliance RequirementsWill Procuring and Implementing a Data Anonymization Tool by Itself Ensure Protection of Privacy of Sensitive Data? Ambiguity of Operational Aspects Allowing the Same Users to Access both Masked and Unmasked Environment Lack Of Buy-In From IT Application Developers, Testers and End-Users Compartmentalized Approach to Data Anonymization Absence of Data Privacy Protection Policies or Weak enforcement of Data Privacy PoliciesBenefits Of Data Anonymization ImplementationDATA ANONYMIZATION PROGRAM SPONSOR’S GUIDEBOOKEnterprise Data Privacy Governance ModelPoints to PonderChief Privacy OfficerUnit /Department Privacy Compliance OfficersThe Steering Committee for Data Privacy Protection Initiatives Management Representatives Information Security And Risk Department Representatives Representatives from the Department Security and Privacy Compliance OfficersIncident Response TeamThe Role of the Employee in Privacy ProtectionThe Role of the CIOTypical Ways Enterprises Enforce Privacy PoliciesEnterprise Data Classification Policy and Privacy LawsPoints to PonderRegulatory ComplianceEnterprise Data ClassificationPoints to ConsiderControls For Each Class Of Enterprise DataOperational Processes, Guidelines and Controls for Enterprise Data Privacy ProtectionPoints to PonderPrivacy Incident ManagementPlanning for Incident Resolution Preparation Incident Capture Incident Response Post Incident AnalysisGuidelines and Best Practices PII/PHI Collection Guidelines Guidelines for Storage and Transmission of PII/PHI PII/PHI Usage Guidelines Guidelines for Storing PII/PHI on Portable Devices and Storage Devices Guidelines for StaffThe Different Phases of a Data Anonymization ProgramPoints to PonderHow Should I Go about the Enterprise Data Anonymization Program? The Assessment Phase Tool Evaluation and Solution Definition Phase Data Anonymization Implementation Phase Operations Phase or the Steady-State phaseFood For Thought When Should the Organization Invest on a Data Anonymization Exercise? The Organization’s Security Policies Anyway Mandate Authorization to be Built-in For Every Application. Won’t This be Sufficient? Why is Data Anonymization Needed? Is there a Business Case for Data Anonymization Program in My Organization? When Can a Data Anonymization Program be Called as a Successful One? Why Should I go for a Data Anonymization Tool when SQL Encryption Scripts Can be Used to Anonymize Data? What are the Benefits Provided by Data Masking Tools for Data Anonymization? Why is a Tool Evaluation Phase Needed? Who Should Implement Data Anonymization? Should it be the Tool Vendor or the IT Service Partner or External Consultants or Internal Employees? How Many Rounds of Testing Must be Planned to Certify that Application Behavior is Unchanged with use of Anonymized Data?Departments Involved in Enterprise Data Anonymization ProgramPoints to PonderThe Role of the Information Security and Risk DepartmentThe Role of the Legal DepartmentThe Role of Application Owners and Business AnalystsThe Role of AdministratorsThe Role of the Project Management Office (PMO)The Role of the Finance departmentSteering CommitteePrivacy Meter- Assessing The Maturity Of Data Privacy Protection Practices In The OrganizationPoints to PonderPlanning A Data Anonymization ImplementationData Privacy Maturity ModelEnterprise Data Anonymization Execution Model Points to PonderDecentralized ModelCentralized Anonymization SetupShared Services ModelTools and TechnologyPoints to PonderShortlisting Tools for EvaluationTool Evaluation and Selection Functional Capabilities Technical Capabilities Operational Capabilities Financial ParametersScoring criteria for EvaluationAnonymization Implementation – Activities & EffortPoints to PonderAnonymization Implementation Activities For An Application Application Anonymization Analysis and Design Anonymization Environment Setup Application Anonymization Configuration and Build Anonymized Application TestingComplexity Criteria Application Characteristics Environment DependenciesArriving at an Effort Estimation Model Definition of Complexity Criteria Ready-Reckoner Preparation Determination Of The Complexity Of The Application To Be Anonymized Assignment of Effort to Each Activity Based on the Ready-ReckonerCase Study Context Estimation Approach Application Complexity Arriving at a Ball Park EstimateThe Next Wave of Data Privacy ChallengesDATA ANONYMIZATION PRACTITIONERS GUIDEData Anonymization PatternsPoints to PonderPattern OverviewData State Anonymization PatternsPoints to PonderPrinciples of AnonymizationStatic Masking Patterns EAL Pattern (Extract Anonymize Load Pattern) ELA Pattern (Extract Load Anonymize Pattern) Data SubsettingDynamic MaskingDynamic Masking Patterns Interception Pattern Invocation Patterns Application of Dynamic Masking patternsDynamic Masking vs. Static MaskingAnonymization Environment PatternsPoints to PonderTypical Application Environments in an enterpriseTesting Environments Standalone Environment Integration Environment Automated Integration Test environment Scaled-Down Integration Test EnvironmentData Flow Patterns Across EnvironmentsPoints to PonderFlow of Data from Production Environment Databases to Non-Production Environment DatabasesMovement of Anonymized Files from Production Environment to Non-Production EnvironmentsMasked Environment for Integration Testing-Case StudyData Anonymization TechniquesPoints to PonderBasic Anonymization Techniques Substitution Shuffling Number Variance Date Variance Nulling Out Character Masking Cryptographic Techniques Partial Sensitivity and Partial MaskingMasking Based on External DependencyAuxiliary Anonymization TechniquesAlternate Classification of Data Anonymization Techniques Substitution Techniques Translation TechniquesLeveraging Data Anonymization TechniquesData Anonymization ImplementationPoints to PonderPre-Requisites Before Starting The Anonymization Implementation Activities Sensitivity Definition Readiness - What is Considered as Sensitive Data by the Organization? Sensitive Data Discovery- Where does Sensitive Data Exist?Application Architecture AnalysisApplication Sensitivity Analysis What is Sensitivity Level and How Do We Prioritize Sensitive Fields for Treatment?Anonymization Design PhaseAnonymization Implementation, Testing, and Rollout PhaseAnonymization OperationsIncorporation of Privacy protection procedures as part of Software Development Life Cycle and Application Lifecycle for New Applications Impact on SDLC TeamChallenges Faced as part of Any Data Anonymization ImplementationBest Practices To Ensure Success Of Anonymization ProjectsGlossary

Balaji Raghunathan has more than 20 years of experience in the software industry. As part of his current role as General Manager, Technology Consulting & Enterprise Architecture, at ITC Infotech, Balaji Raghunathan is responsible for helping the clients of ITC Infotech simplify their technology landscape, assess their readiness for digital initiatives, modernize their technology architecture and prepare them for their digital journey Balaji Raghunathan has also lead the delivery of digital projects for banking, financial services, and insurance customers as well as helped them define their digital strategy. He has lead strategy engagements for enterprise mobility initiatives as well as developed, managed and commercialized intellectual property (IP) during his prior stints with Capgemini and Infosys. During the last decade, Balaji Raghunathan has been involved in architecting software solutions for the energy, utilities, publishing, transportation, retail, and banking industries Balaji Raghunathan’s core areas of interest revolves around digital technology strategy, data privacy management and enterprise mobility. He is an avid blogger on Digital Technology Strategy, and has authored the book "The Complete Book of Data Anonymization-From Planning to Implementation". He has also the co-authored a chapter "Mobility and Its Impact on Enterprise Security" for the book "Information Security Management Handbook, Sixth Edition, Volume 7." He holds a patent on "System and Method for Runtime Data Anonymization" and has a pending patent on "System and Method for categorization of Social Media Conversation for Response Management." He is a TOGAF 8.0 and ICMG-WWISA Certified Software Architect. Balaji Raghunathan has a postgraduate diploma in business administration (finance) from Symbiosis Institute (SCDL), Pune, India and has an engineering degree (electrical and electronics) from Bangalore University, India. He has also completed a Senior Leadership Certificate course from Indian Institute of Management, Kozhikode.