Restrict production data from being used in the test environment.


CONTROL ID: 01103
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures. (CC ID: 11744)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A formal acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. System and user acceptance testing should be carried out in an environment separated from the production environment. Production data should not be u… (4.2.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • O68.2(1).1: The organization shall separate testing files from production files. O68.2(1).2: The organization shall ensure production files cannot be accessed from the testing terminal. The organization should change the log-on procedures, menu screen, and/or ID scheme for the testing terminal to a… (O68.2(1).1, O68.2(1).2, O68.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to protect production programs against tampering, destruction, and accidental erasure, it is necessary for the program library administrator to implement the registration, deletion, and other processing of programs to/from production according to predetermined procedures with attention paid… (P40.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To limit the number of personnel authorized to access the test data to a required minimum. (P76.2. ¶ 2(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The use of sensitive production data in non-production environments should be restricted. In exceptional situations where such data needs to be used in non-production environments, proper approval has to be obtained from senior management. The FI should ensure appropriate controls are implemented in… (§ 11.1.6, Technology Risk Management Guidelines, January 2021)
  • Do not store production data that contains personal data in non-production environments for testing or other purposes. Non-production environments include a network, operating system or other systems that are used as a development area or test bed for new software or technologies. (Annex A2: Websites and Web Application Security 32, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Test and development environments do not use the same database servers as production environments. (Security Control: 1273; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Development and testing environments do not use the same database servers as production environments. (Control: ISM-1273; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment. (Control: ISM-1420; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Database contents from production environments are not used in development or testing environments unless the environment is secured to the same level as the production environment. (Control: ISM-1274; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Development and testing environments do not use the same database servers as production environments. (Control: ISM-1273; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment. (Control: ISM-1420; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Database contents from production environments are not used in development or testing environments unless the environment is secured to the same level as the production environment. (Control: ISM-1274; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The information in production databases must not be used in the development databases or the testing databases unless it has been sanitized of sensitive information and classified information. (Control: 1274, Australian Government Information Security Manual: Controls)
  • The organization should desensitize production data and production information that is used for testing purposes. (Attach A ¶ 2(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • desensitising sensitive production data when used for development or testing purposes; and (47(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A financial institution should implement separate ICT environments to ensure adequate segregation of duties and to mitigate the impact of unverified changes to production systems. Specifically, a financial institution should ensure the segregation of production environments from development, testing… (3.6.2 72, Final Report EBA Guidelines on ICT and security risk management)
  • Production environments are separated physically or logically by non-production environments in order to avoid unauthorised access or changes to the production data. Production data is not replicated in test or development environments in order to maintain their confidentiality. (Section 5.11 BEI-11 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Examine relevant production data to verify (live Primary Account Numbers) are not used to test the system, or if production data is used, ensure the data is sanitized. (§ 6.4.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the policies and procedures to verify that production data is not used for testing or development. (Testing Procedures § 6.4 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe the testing process to verify that production data is not used for development or testing. (Testing Procedures § 6.4.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine a sample of test data to verify that production data is not being used for development or testing. (Testing Procedures § 6.4.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure that production data is not used to test and/or develop the software. (§ 6.4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Examine relevant production data to verify (live PANs) are not used to test the system, or if production data is used, ensure the data is sanitized. (§ 6.4.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Production data and live Primary Account Numbers must not be used for testing or development. (PCI DSS Requirements § 6.4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Production data (live PANs) are not used for testing or development (6.4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Production data (live PANs) are not used for testing or development (6.4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Production data (live PANs) are not used for testing or development (6.4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are production data (live PANs) not used for testing or development? (6.4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are production data (live PANs) not used for testing or development? (6.4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are production data (live PANs) not used for testing or development? (6.4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are production data (live PANs) not used for testing or development? (6.4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine a sample of test data to verify production data (live PANs) is not used for testing or development. (6.4.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development. (6.4.3.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Active primary account numbers (PANs) should not be used for testing or development. If they are, the PAN should be sanitized before being used in this environment. (§ 5.1.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined for not using live PANs in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine pre-production test data to verify live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe testing processes and interview personnel to verify procedures are in place to ensure live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are production data (live PANs) not used for testing or development? (PCI DSS Question 6.4.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are production data (live PANs) not used for testing or development? (PCI DSS Question 6.4.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Business information (e.g., customer data, medical records, prices, or manufacturing details) used for testing purposes should be protected. (CF.18.04.10, The Standard of Good Practice for Information Security)
  • Security tests should include the use of transaction data (e.g., sales order, financial payments, or foreign exchange deals), standing data (e.g., customer master file, pricing tables, or stock numbers), and specifically prepared test data (e.g., large numbers, Uniform Resource Locators, command-lin… (CF.18.05.05, The Standard of Good Practice for Information Security)
  • Business information (e.g., customer data, medical records, prices, or manufacturing details) used for testing purposes should be protected. (CF.18.04.10, The Standard of Good Practice for Information Security, 2013)
  • Security tests should include the use of transaction data (e.g., sales order, financial payments, or foreign exchange deals), standing data (e.g., customer master file, pricing tables, or stock numbers), and specifically prepared test data (e.g., large numbers, Uniform Resource Locators, command-lin… (CF.18.05.06, The Standard of Good Practice for Information Security, 2013)
  • Production data shall not be replicated or used in non-production environments. (DSI-06, Cloud Controls Matrix, v3.0)
  • Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments. (DSP-15, Cloud Controls Matrix, v4.0)
  • Production data shall not be replicated or used in non-production environments. (DG-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Test data should be protected and controlled. The use of production data should be avoided. If sensitive information is used for testing, the sensitive details should be removed; if they can't be removed, they should be modified beyond recognition. (§ 12.4.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, CRI Profile, v1.2)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Personal information is not used for testing and development, unless the personal information is anonymized or protected according to the privacy policies and procedures. (Generally Accepted Privacy Principles and Criteria § 1.2.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization shall not use personal information for testing and development, unless the personal information is anonymized or protected according to the privacy policies and procedures. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Is scoped systems and data ever used in the test environment? (§ I.2.18, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Is scoped systems and data ever used in the development environment? (§ I.2.18, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Is scoped systems and data ever used in the Quality Assurance environment? (§ I.2.18, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the test environment, is authorization required when production data is copied to the test environment? (§ I.2.18.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the development environment, is authorization required when production data is copied to the test environment? (§ I.2.18.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the Quality Assurance environment, is authorization required when production data is copied to the test environment? (§ I.2.18.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When scoped systems and data is used in the test environment, is test data masked or obfuscated during the testing phase? (§ I.2.18.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When scoped systems and data is used in the development environment, is test data masked or obfuscated during the testing phase? (§ I.2.18.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When scoped systems and data is used in the Quality Assurance environment, is test data masked or obfuscated during the testing phase? (§ I.2.18.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the test environment, is copying to the test environment logged? (§ I.2.18.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the development environment, is copying to the test environment logged? (§ I.2.18.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • If scoped systems and data is used in the Quality Assurance environment, is copying to the test environment logged? (§ I.2.18.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When application development is performed, are compilers present in the production environment? (§ I.2.24, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When application development is performed, are editors present in the production environment? (§ I.2.24, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When application development is performed, are other development tools present in the production environment? (§ I.2.24, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When application development is performed, does it provide an authenticated and maintained state for every data transaction? (§ I.2.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The organization must not use live test data for testing. (CSR 6.3.10, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Precautions to safeguard production data, such as performing a backup before performing a test in a test environment, or testing during non-peak hours. (App A Objective 10:7d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Controls to prevent testing in production environments to maintain confidentiality, integrity, and availability of data. (App A Objective 3:8c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Use of simulated synthetic data in non-production environments, when possible. (App A Objective 3:8b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The testing standards should prohibit the use of production data during the testing process. (Pg 10, FFIEC IT Examination Handbook - Development and Acquisition)
  • Testing should be completed with copies of the live data to prevent corruption of the actual data. (Pg 24, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure: ▪ The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files. ▪ There are adequate controls to protect the confidential… (Exam Tier II Obj 9.5, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (CC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. (SA-15(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service. (SA-15(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (SA-3(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (SA-3(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Do not use data containing personal information in testing software or systems. (Part I ¶ 6, California OPP Recommended Practices on Notification of Security Breach, May 2008)