The primary concern is PII + FERPA data. Cornell has stringent requirements on how to handle that. We'd need to have our IT Security Office do an in-depth evaluation of the system; there are regulations about encrypting, backing up, storing, and deleting the data; and we'd want to have far more robust in-app security than our test system currently has (it's basically all-or-nothing right now). It's also not SSO yet, which is something we want.

Our PeopleSoft team uses an anonymizer tool on their test environments, so that should address some of the weaknesses.

Another dimension of this is: what if FOLIO institutions want to share data sets for troubleshooting, etc.? How should we manage that?



Philip Robinson
Director of Library Systems
Cornell University
(607) 255-0098
www.library.cornell.edu

From: user-mgmt@ole-lists.openlibraryfoundation.org <user-mgmt@ole-lists.openlibraryfoundation.org> on behalf of Erin Nettifee <erin.nettifee@duke.edu>
Sent: Wednesday, July 3, 2019 12:28:51 PM
To: user-mgmt@ole-lists.openlibraryfoundation.org
Subject: RE: User data in test environments
 
Out of curiosity, Phil, what are the gaps that you all are seeing between the local instance and your standards for housing private data?

Erin


-----Original Message-----
From: user-mgmt@ole-lists.openlibraryfoundation.org <user-mgmt@ole-lists.openlibraryfoundation.org> On Behalf Of Philip Robinson
Sent: Wednesday, July 3, 2019 11:13 AM
To: user-mgmt@ole-lists.openlibraryfoundation.org
Subject: User data in test environments

Hi,

Seeking some sage counsel from our SIG ...

Our FOLIO data migration team is trying to get a handle on privacy issues for doing test loads of user data. In a meeting today three options were considered:

- Anonymizing user data
- Bringing the test system (in our case, a local FOLIO instance) up to standards that would allow it to house private data
- Testing with only a small group of select users (staff members who give us permission)

My initial response to them was to anonymize the data. Maybe some whizbang developer could run an efficient script to give everyone a random first and last name, phone number, etc.

I’d eventually like to see the test system (and certainly the prod system) brought up to privacy standards, but we’re a bit hamstrung by whatever the FOLIO developers throw at us in their releases. I opined that the third option isn’t great, because the pool of user data would be too small.

How are your institutions dealing with test user data? Do you have recommendations?

Thanks!

Phil


 
Philip Robinson
Director of Library Systems
Cornell University
(607) 255-0098
www.library.cornell.edu
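
The anonymizing script suggested in the original message, as an added example that is not part of the thread or of FOLIO's own code: it replaces each PII field with a synthetic value derived from a keyed hash, so the same user maps to the same fake identity on every test load, and it drops any field that is not explicitly listed. The field names, name pools and sample record are assumptions constructed for illustration, and `id` is assumed to be an internal key that does not itself identify a person.

```python
import hashlib
import hmac

# Constructed replacement pools; a real run would use much larger lists.
FIRST_NAMES = ["Alex", "Blake", "Casey", "Devon", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Ames", "Brooks", "Chen", "Diaz", "Evans", "Flores", "Grant", "Hayes"]

# Hypothetical field names for this example; map them to your own export.
PII_FIELDS = ("firstName", "lastName", "email", "phone", "barcode")
SAFE_FIELDS = ("id", "patronGroup", "active")  # copied through unchanged

# Constructed sample record, not real data.
SAMPLE = {"id": "u-0001", "patronGroup": "staff", "firstName": "Maria",
          "lastName": "Example", "email": "me1@library.example",
          "phone": "555-867-5309", "barcode": "29001234", "notes": "free text"}


def _digest(key: bytes, uid: str, field: str) -> int:
    """Keyed hash of (record id, field); not repeatable without the key."""
    mac = hmac.new(key, f"{uid}\x00{field}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def anonymize_user(record: dict, key: bytes) -> dict:
    """Build a synthetic copy of one user record, deterministic per (key, id).

    Fields on neither list are dropped, so an unexpected column (notes,
    addresses) cannot carry real data into the test system.
    """
    uid = str(record["id"])
    first = FIRST_NAMES[_digest(key, uid, "firstName") % len(FIRST_NAMES)]
    last = LAST_NAMES[_digest(key, uid, "lastName") % len(LAST_NAMES)]
    tag = f"{_digest(key, uid, 'tag') % 2**48:012x}"  # practically unique per user
    fake = {
        "firstName": first,
        "lastName": last,
        "email": f"{first}.{last}.{tag}@example.org".lower(),
        "phone": f"555-01{_digest(key, uid, 'phone') % 100:02d}",  # fictional range
        "barcode": f"T{tag}",
    }
    out = {f: record[f] for f in SAFE_FIELDS if f in record}
    out.update({f: fake[f] for f in PII_FIELDS if f in record})
    return out


def leaked_values(original: dict, anonymized: dict) -> list:
    """Post-run check: PII fields whose real value is still present."""
    return [f for f in PII_FIELDS
            if f in original and original[f] == anonymized.get(f)]
```

Keep the key outside the test environment; a run with a different key produces unrelated synthetic identities for the same records.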
 

