Establish test environments separate from the production environment to support feasibility testing before product acquisition.


CONTROL ID: 01130
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct an acquisition feasibility study prior to acquiring assets. (CC ID: 01129)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should ensure there are at least the following three environments for software development: development, testing, and production. (Control: 0400 Bullet 1, Australian Government Information Security Manual: Controls)
  • Separate database servers must be used for the databases in the production environment, development environment, and test environment. (Control: 1273, Australian Government Information Security Manual: Controls)
  • The software development environment should be separate from the testing environment and the production environment. (§ 3.5.25, Australian Government ICT Security Manual (ACSI 33))
  • Is any unknown code limited to execute within a sandbox and cannot access other resources unless the user grants explicit permission. (Malware protection Question 44, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • The development and production environments should be separated. (§ 5.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • One or more environments (e.g., a dedicated network or group of Information Systems) should be established, in which development and testing activities can be performed. (CF.17.02.01, The Standard of Good Practice for Information Security)
  • Live environments should be segregated from development and acceptance testing activity by using different computer rooms, processors, virtual servers, domains, and partitions. (CF.07.01.08a, The Standard of Good Practice for Information Security)
  • One or more environments (e.g., a dedicated network or group of Information Systems) should be established, in which development and testing activities can be performed. (CF.17.02.01, The Standard of Good Practice for Information Security, 2013)
  • Live environments should be segregated from development and acceptance testing activity by using different computer rooms, processors, virtual servers, domains, and partitions. (CF.07.01.08a, The Standard of Good Practice for Information Security, 2013)
  • The development, test, and operational systems should be separated to reduce the chance of unauthorized modification to the operational system. The test system should emulate the operational system as closely as possible. (§ 10.1.4, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)
  • The system security officer (SSO) must verify that security controls for the evaluation/test procedures are developed before procurement actions are taken. (CSR 1.5.7(2), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • If Federal Tax Information is used in both production and test environments, the two environments must be segregated. (Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is there a specific test environment that is separate from the production environment to allow installed patches and updates to be tested absent destroying or damaging critical data? (IT - Networks Q 33, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union maintain separate production environments, development environments, and test environments? (IT - Networks Q 40, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization may not use the production smart grid Information System for developmental security tests. (SG.SA-10 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)