
Data Masking for non-prod Applications
Project - Scope of Work (SOW)
Department: BAS
PR no: XXX
CRC no: XXX

Sidra Medicine | Data Masking for non-prod Applications Project 2


Contents
1. Introduction/Background
2. Objectives
3. Scope of Work
4. Evaluation Criteria / Response Requirements
5. Deliverables
6. Data Masking Flow Chart Description



1. Introduction/Background

In response to the increasing need for data privacy and compliance, the project focuses on implementing
data masking techniques for PII and sensitive data in non-production environments after data is
refreshed from production. This is critical for safeguarding sensitive information across applications such
as Oracle Fusion (Cloud), Oracle PaaS database (Cloud), Datix, CAFM, MD Staff, and other clinical
applications.

We scramble element entries for all Oracle Fusion person records using HDL load. This is a manual and
time-consuming process in which our admin has to monitor for errors, fix them, and reload until all records
are scrambled. This impacts the timely delivery of instances to developers and business users.

2. Objectives

The project aims to achieve the following:


• Ensure the privacy and security of PII and sensitive data (such as payslips, patient data, and jobs with files
generated in non-production environments) by making sure they are scrambled after refresh.
• Implement robust data masking processes that are compliant with data protection regulations.
• Maintain system performance and data usability for development and testing purposes.
• Minimize the manual and time-consuming process through this automation.

3. Scope of Work

The responsibilities of the involved resources will include:

• Analyzing and identifying PII and sensitive data (Patient data, pay data, National ID, etc.) across all
involved systems.
• Developing masking rules and logic appropriate to each data type and system.
• Implementing data masking solutions tailored to Oracle Fusion, Oracle PaaS database, Datix, CAFM, MD
Staff, and other clinical systems.
• Ensuring that data masking does not disrupt the integrity and usability of the data for testing, validation,
and development.
• Conducting regular updates and maintenance of the data masking rules as per compliance changes and
system updates.
• Collaborating with IMT security, compliance, and database teams to align the data masking strategies.
• The tool should have the capability to work with Cloud and On-Prem applications.
• Masked data should not disturb the data validation process. It should represent the correct mapping.
This will be required when signing off UATs with the business based on project requirements.
• Flexibility to configure masking rules on our own.
• The tool should be driven by a proper access control matrix and should also be integrated with our
LDAP/MFA authentication.



4. Evaluation Criteria / Response Requirements

The ideal resource or vendor should demonstrate:


• Proficiency in data masking techniques and tools.
• Ability to identify the sensitive data in the application.
• Familiarity with the specific systems involved: Oracle Fusion, Oracle PaaS database, Datix, CAFM, MD
Staff, and other clinical systems.
• A proven track record in handling sensitive data in compliance with data protection laws.
• Proven experience with Oracle Fusion data masking.

5. Deliverables

Key deliverables of the project include:


• A comprehensive data masking plan for each application involved.
• Documentation of fields and tables identified for masking and the encryption or the logic applied for each
field specific to the application.
• Execution of data masking processes following the data refresh from production to non-production.
• Documentation detailing the data masking rules, logic, and processes implemented.
• Regular reports on the effectiveness of the data masking, including any data integrity and compliance
issues.
• Updated guidelines and training materials for future data masking initiatives.

6. Data Masking Flow Chart Description

The data masking workflow involves:

• Identification of all PII and sensitive data types across applications.
• Development of masking rules based on the sensitivity and use-case of the data.
• Application of these rules during the data refresh cycle from production to non-production environments.
• Validation and testing of the masked data to ensure it meets the functional requirements for testing and
development.
• Regular reviews and updates of the masking processes to adapt to new data protection laws and system
changes.
