‘Privacy’ and ‘Confidentiality’ are two terms that frequently come up when we talk about the security of personal information and how to properly protect it.
They are often used interchangeably but they are not the same.
Let’s look at it from a real-life perspective where the privacy of a person is crucial.
We will use an example of the average patient in a healthcare organization. This person is an individual who has to give the health organization their consent to process their personal information.
Any information that the patient voluntarily gives to this medical company is considered “private information.” Privacy protects the patient’s rights to declare how much information they are willing to share, as well as the extent to which it is shared.
Conversely, as a professional institution, the health organization has to guarantee confidentiality and protect personal information from unsanctioned access by others. This guarantee falls under the criteria of “confidentiality.”
The next link in this chain is the doctor, who is the link between the individual and the health organization. The doctor is also a part of this health organization and must agree to adhere to patient confidentiality agreements and privacy policies. This agreement binds medical offices, doctors, nurses, as well as all persons employed under the umbrella of the medical institution.
Healthcare staff are also obliged to refrain from discussing a patient’s information in their personal lives. Otherwise, they will break confidentiality and a person’s privacy can be compromised. This can lead to the healthcare professional becoming subject to legal repercussions.
This situation with privacy and confidentiality in the medical sphere has parallels with the QA testing process. Whenever an individual user (the patient) signs up for a service or software, the software company (the health organization) requires that the user divulge personal information and grant access to it. After this information is processed in their system, the QA tester (the doctor) is given access to this personal information and must follow privacy and confidentiality agreements.
To sum things up, we can highlight a few main differences between Privacy and Confidentiality.
Privacy – Applies to an individual and the protection of their personal rights with respect to deciding whether or not to share a particular piece of information.
Examples of Personal (Private) information that can be attributed to an individual:
Name and details such as Date and Place of Birth.
Physical characteristics, Medical or health condition records.
Any contact information such as phone numbers, emails, addresses.
Your Identification Number (Passport or Driver License).
Confidentiality – Applies to the professional agreements by which others are bound to make sure that the information they encounter remains private. This means that they have an obligation not to share details of individuals with any third party without their consent.
Here are a few examples of confidential information:
Transaction details and Banking information.
Technical or Legal documents.
Logins, Passwords, etc.
There are several laws and privacy and confidentiality standards in Europe and the US: Sarbanes-Oxley Act, Federal Information Security Management Act, EU General Data Protection Regulation, etc.
Their primary goal is to create and implement security programs, to prevent Privacy and Confidentiality risks and protect individuals and businesses from fraud.
Now that we understand the difference between privacy and confidentiality and how it can affect a person, we can discuss how to keep private things private, and confidential things confidential.
The increasing number of malware bots means business owners are concerned about keeping data confidential. It also makes security testing vital for any software development, especially for web applications.
Knowing how to test software so that personal data cannot be compromised through the site is essential. For this, let’s go through the steps QA testers can take to implement security testing:
Before any basic testing, the first step we must take is to determine the business’s particular security goals. Additionally, understanding business processes will help you find vulnerabilities of the product and define the actual and hidden security needs.
The system setup is the key to conducting accurate testing, and this step is usually pretty straightforward.
Gather all system specifications, including the network operating system, information about hardware, and what technology they used to build their system.
The main goal of security testing is to protect applications from being compromised by malware and attackers.
To do this, we need to collect information about potential risks and possible privacy vulnerabilities, create a list of these threats, and then build a threat profile based on this list. This list is also the basis for a Traceability Matrix, which maps each threat to the requirements and tests that address it, so we can track how each one affects the others.
Having a threat profile can help us evaluate how critical each planned test is and which risks need to be assessed first.
Here is an Aqua ALM requirements coverage & traceability matrix:
The combination of automatic and manual tests can be a good idea for security testing.
But before starting or executing tests, one should finalize the software security document to address all privacy and confidentiality vulnerabilities.
You can systematize all requirements in the Details tab of aqua ALM.
At this step, we run all planned tests to identify vulnerabilities.
After these tests are carried out, we will need to fix the defects they found and, if required, rerun the tests. We should also remember the regression test to ensure that the new changes didn’t produce new bugs.
With the test scenarios function of aqua ALM, it becomes possible for QA testers to plan and also execute different test cases at once.
Based on the results of the test, one must make a detailed report. Highlight weaknesses and problems of the software you managed to fix, and don’t forget to describe potential vulnerabilities that can still persist.
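The threat profile, traceability matrix and final report described in the steps above can be kept as one small data model. The following is an added example, not code from the original post or from aqua ALM; the threat ids, test ids and the sample threats are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Threat:
    tid: str
    summary: str
    severity: int      # 1 (low) .. 5 (critical)
    data_kind: str     # "private" (a person's data) or "confidential" (business data)

@dataclass
class TestCase:
    tcid: str
    covers: frozenset               # ids of the threats this test exercises
    passed: Optional[bool] = None   # None = not executed yet

def build_matrix(threats, tests):
    """Traceability matrix: threat id -> list of test ids that cover it."""
    matrix = {t.tid: [] for t in threats}
    for tc in tests:
        for tid in tc.covers:
            if tid in matrix:
                matrix[tid].append(tc.tcid)
    return matrix

def uncovered(threats, tests):
    """Threats with no test at all, most severe first: gaps in the test plan."""
    matrix = build_matrix(threats, tests)
    return sorted((t for t in threats if not matrix[t.tid]), key=lambda t: -t.severity)

def open_findings(threats, tests):
    """Threats where a covering test failed or has not run: these go in the report."""
    not_ok = {tid for tc in tests if tc.passed is not True for tid in tc.covers}
    return [t for t in threats if t.tid in not_ok]

# Constructed sample threat profile and test plan (not from any real project).
THREATS = [
    Threat("T1", "patient record reachable by changing an id in the URL", 5, "private"),
    Threat("T2", "password written to the application log", 4, "confidential"),
    Threat("T3", "session cookie missing Secure/HttpOnly flags", 3, "confidential"),
    Threat("T4", "date of birth shown on a shared error page", 2, "private"),
]
TESTS = [
    TestCase("TC1", frozenset({"T1"}), passed=True),
    TestCase("TC2", frozenset({"T2", "T3"}), passed=False),
    TestCase("TC3", frozenset({"T3"}), passed=None),
]

if __name__ == "__main__":
    for tid, tcs in build_matrix(THREATS, TESTS).items():
        print(tid, "->", tcs or "NO TEST")
    print("uncovered:", [t.tid for t in uncovered(THREATS, TESTS)])
    print("report:", [t.tid for t in open_findings(THREATS, TESTS)])
```

Threats returned by `uncovered` are the ones the threat profile lists but the plan never tests; those returned by `open_findings` are the weaknesses that still have to appear in the report.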
There are many privacy and confidentiality risks that business owners can’t predict, including surveillance breaches, lack of control from authorities, etc. The QA team is the one that must take action and work in sync with developers to avoid these risks.
However, it might be challenging to implement security testing if your QA team doesn’t have any application security background. That being said, it is easy to grasp security testing methods and processes from QA solutions that can be integrated with your software.