Back

Separate the design and development environment from the production environment.


CONTROL ID
06088
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle planning phase., CC ID: 06266

This Control has the following implementation support Control(s):
  • Specify appropriate tools for the system development project., CC ID: 06830


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • A formal acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. System and user acceptance testing should be carried out in an environment separated from the production environment. Production data should not be u… (4.2.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization should, if possible, put production machines and development machines in different rooms. (O68.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • If a training environment was used anywhere during the course of training, the production environment must be used at the end to confirm that no problems would occur during production operation. (C16.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended to separate the production machines and the test machines. (P76.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The development, test and production environments need to be properly segregated. (Critical components of information security 11) c.9., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Separate physical or logical environments for systems development, testing, staging and production should be established. (§ 7.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should maintain separate physical or logical environments for unit, integration, as well as system and user acceptance testing (“UAT”), and closely monitor vendor and developers’ access to UAT environment. (§ 6.2.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should maintain separate physical or logical environments for unit, system integration and user acceptance testing, and restrict access to each environment on a need-to basis. (§ 5.7.3, Technology Risk Management Guidelines, January 2021)
  • Development, testing and production environments are segregated. (Security Control: 0400; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Development and modification of software only takes place in development environments. (Security Control: 1419; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Development, testing and production environments are segregated. (Control: ISM-0400; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Development and modification of software only takes place in development environments. (Control: ISM-1419; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Development, testing and production environments are segregated. (Control: ISM-0400; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Development and modification of software only takes place in development environments. (Control: ISM-1419; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The organization should ensure there are at least the following three environments for software development: development, testing, and production. (Control: 0400 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should ensure that new development and modifications only occur in the development environment. (Control: 0400 Bullet 3, Australian Government Information Security Manual: Controls)
  • Separate database servers must be used for the databases in the production environment, development environment, and test environment. (Control: 1273, Australian Government Information Security Manual: Controls)
  • The organization should implement deployment and environment controls to ensure that the production, development, and test environments are segregated. (¶ 54(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should segregate the development and verification of changes, including planned changes and emergency changes, from the production environment. (Attach A ¶ 2(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • deployment and environment controls to ensure that development, test and production environments are appropriately segregated and enforce segregation of duties; (¶ 54(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The software development environment should be separate from the testing environment and the production environment. (§ 3.5.25, Australian Government ICT Security Manual (ACSI 33))
  • Security of the development environment (e. g. separate development/test/production environments) (Section 5.11 BEI-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The requirements for development and testing environments are determined and implemented. The following aspects are considered: (5.2.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Separation of development, testing and operational systems, (5.2.2 Requirements (should) Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Establish development and test environments to support effective and efficient feasibility and integration testing of infrastructure components. (AI3.4 Feasibility Test Environment, CobiT, Version 4.1)
  • Examine written software development processes to verify the production environment is separated from the test/development environment. (§ 6.3.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine written software development processes to verify the test/development environment is separate from the production environment and access controls exist to ensure the environments are separated. (§ 6.4.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview the software developers to verify the test/development environment is separate from the production environment and access controls exist to ensure the environments are separated. (§ 6.4.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the policies and procedures to verify the development and test environments are separated from the production environments with access controls enforcing the separation. (Testing Procedures § 6.4 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the network device configurations and documentation to verify that the production environment is separate from the development and test environment. (Testing Procedures § 6.4.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Separate development/test and production environments. (§ 6.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Examine written software development processes to verify the test/development environment is separate from the production environment and access controls exist to ensure the environments are separated. (§ 6.4.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Interview the software developers to verify the test/development environment is separate from the production environment and access controls exist to ensure the environments are separated. (§ 6.4.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The development and test environment must be separated from the production environment with access controls. (PCI DSS Requirements § 6.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is access control in place to enforce the separation between the development/test environments and the production environment? (6.4.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • The development and production environments should be separated. (§ 5.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Pre-production environments are separated from production environments and the separation is enforced with access controls. (6.5.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine network documentation and configurations of network security controls to verify that the pre-production environment is separate from the production environment(s). (6.5.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are development and test environments separate from the production environment? (PCI DSS Question 6.4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are development and test environments separate from the production environment? (PCI DSS Question 6.4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Pre-production environments are separated from production environments and the separation is enforced with access controls. (6.5.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Pre-production environments are separated from production environments and the separation is enforced with access controls. (6.5.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The system development methodology should require that the duties of individuals responsible for development, testing, and implementation are segregated. (CF.17.01.04f, The Standard of Good Practice for Information Security)
  • Development and test environments should be isolated from live environments and from each other (e.g., by hosting development and test systems on a separate, standalone network or segregating the network using a Virtual Local Area Network and a firewall). (CF.17.02.02, The Standard of Good Practice for Information Security)
  • Live environments should be segregated from development and acceptance testing activity by using different computer rooms, processors, virtual servers, domains, and partitions. (CF.07.01.08a, The Standard of Good Practice for Information Security)
  • One or more environments (e.g., a dedicated network or group of Information Systems) should be established, in which development and testing activities can be performed. (CF.17.02.01, The Standard of Good Practice for Information Security)
  • The system development methodology should require that testing is performed in an environment (e.g., a staging environment) which is separate from the development environment and the live environment. (CF.17.01.04e, The Standard of Good Practice for Information Security)
  • The system development methodology should require that the duties of individuals responsible for development, testing, and implementation are segregated. (CF.17.01.04f, The Standard of Good Practice for Information Security, 2013)
  • Development and test environments should be isolated from live environments and from each other (e.g., by hosting development and test systems on a separate, standalone network or segregating the network using a Virtual Local Area Network and a firewall). (CF.17.02.02, The Standard of Good Practice for Information Security, 2013)
  • Live environments should be segregated from development and acceptance testing activity by using different computer rooms, processors, virtual servers, domains, and partitions. (CF.07.01.08a, The Standard of Good Practice for Information Security, 2013)
  • One or more environments (e.g., a dedicated network or group of Information Systems) should be established, in which development and testing activities can be performed. (CF.17.02.01, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should require that testing is performed in an environment (e.g., a staging environment) which is separate from the development environment and the live environment. (CF.17.01.04e, The Standard of Good Practice for Information Security, 2013)
  • Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments. (Control 18.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should separate the production system environment from the nonproduction system environment. (Critical Control 6.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. (IVS-08, Cloud Controls Matrix, v3.0)
  • Separate production and non-production environments. (IVS-05, Cloud Controls Matrix, v4.0)
  • Production software and hardware changes may include applications, systems, databases and network devices requiring patches, Service Packs, and other updates and modifications. (RM-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. (SA-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. (CIS Control 18: Sub-Control 18.9 Separate Production and Non-Production Systems, CIS Controls, 7.1)
  • Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. (CIS Control 18: Sub-Control 18.9 Separate Production and Non-Production Systems, CIS Controls, V7)
  • Maintain separate environments for production and non-production systems. (CIS Control 16: Safeguard 16.8 Separate Production and Non-Production Systems, CIS Controls, V8)
  • Testing of releases shall be conducted in a controlled acceptance test environment. (§ 9.3 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. (A.12.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The development, test, and operational systems should be separated to reduce the chance of unauthorized modification to the operational system. The test system should emulate the operational as closely as possible. (§ 10.1.4, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those he… (§ 12.1.4 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. (§ 12.1.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Development, testing and production environments should be separated and secured. (§ 8.31 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The development and testing environment(s) are separate from the production environment. (PR.DS-7, CRI Profile, v1.2)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, CRI Profile, v1.2)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Is the development environment separate from the production environment? (§ G.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the test environment separate from the production environment? (§ G.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the staging environment separate from the production environment? (§ G.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the development environment logically separate from the production environment? (§ G.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the test environment logically separate from the production environment? (§ G.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the staging environment logically separate from the production environment? (§ G.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the development environment physically separate from the production environment? (§ G.3.1.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the test environment physically separate from the production environment? (§ G.3.1.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is the staging environment physically separate from the production environment? (§ G.3.1.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there no segregation between the development environment and the production environment? (§ G.3.1.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there no segregation between the test environment and the production environment? (§ G.3.1.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there no segregation between the staging environment and the production environment? (§ G.3.1.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When application development is performed, does the version management system provide segregation of environments? (§ I.2.16, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The organization must segregate the following systems support functions: system design; IS management; data administration; data security; systems programming; application programming; network administration; computer operations; production control and scheduling; library management/change managemen… (CSR 4.7.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Workstation connectivity to all T&D zones instantiated in the Cloud will use remote connectivity methods as a result of the nature of Cloud. The different zones require different types of workstations and remote connectivity models. The options are as follows: (Section 5.14.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.) (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 10, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • If Federal Tax Information is used in both production and test environments, the two environments must be segregated. (Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union maintain separate production environments, development environments, and test environments? (IT - Networks Q 40, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The development and testing environment(s) are separate from the production environment (PR.DS-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The development and testing environment(s) are separate from the production environment (PR.DS-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The development and testing environment(s) are separate from the production environment. (PR.DS-7, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The development and testing environment(s) are separate from the production environment. (PR.DS-P7, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Organizations should institute separate environments for development, test, production, and other scenarios, each with specific controls to provide role-based access control for container deployment and management activities. All container creation should be associated with individual user identitie… (4.4.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Separate and protect each environment involved in software development. (PO.5.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)