More data privacy laws in the US, Europe, and other international jurisdictions have passed, and are being enforced. CISOs and data governance teams responsible for protecting data at risk must also prove they protected that data in the right places, and in the right ways.
Data Loss Prevention (DLP) systems and data masking software can discover and de-identify Personally Identifiable Information (PII). How well do they document their procedures? How easy it to modify specific protections if something needs to be redone, or done differently?
For proof, log all jobs to the query-ready XML audit file. The audit trail contains the job script, which shows the protection technique(s) applied to each field in each table or file processed. The log also contains other job metadata, like the:
- protection library function(s) used
- encryption keys or de-ID codes
- input and output tables or files
- user who ran the job
- job start and end times
- number of records processed
For prevention control, you can review FieldShield or SortCL job scripts to validate a developer’s protections of output fields prior to execution.
For example, to mask the SSN field in a payroll feed, a developer can modify target table or file fields in a FieldShield or SortCL job script with a few clicks. This modification can be one of many available protections:
- field-level encryption
- anonymization and pseudonymization
- data masking
- de-identification and re-identification
- field redaction
As a compliance officer, you can see the protection(s) in each self-documenting job script. Once approved, the job can be saved or run on any local or remote server running FieldShield or CoSort.
After execution, the job script can be isolated and protected for re-use in production.