Configure the test environment similar to the production environment.

CONTROL ID: 06837
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system testing policy., CC ID: 01102

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Information in production databases is not used in testing or development databases unless the testing or development environments are secured to the same level as the production environment. (Security Control: 1274; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Information in production environments is not used in testing or development environments unless the testing or development environments are secured to the same level as the production environments. (Security Control: 1420; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The organization should use a test environment that is configured similar to the production environment. (Attach A ¶ 2(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • testing environments that are representative of production in order to reduce the risk of changes in behaviour when deployed to production; (Attachment A ¶ 2(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should have a methodology in place for testing and approval of ICT systems prior to their first use. This methodology should consider the criticality of business processes and assets. The testing should ensure that new ICT systems perform as intended. They should also use test… (3.6.2 70, Final Report EBA Guidelines on ICT and security risk management)
  • test environments that adequately reflect production environments; (Title 3 3.3.4(c) 56.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced. The scope of the tests shall include the functionality of the application, the security controls and system performance under various stress scenarios. The organisational… (II.6.41, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Where productive data are used for testing purposes, it shall be ensured that the test system is provided with protective measures comparable to those on the operational system, (5.3.1 Requirements (should) Bullet 4 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads. (AI7.4 Test Environment, CobiT, Version 4.1)
  • Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. (Control 20.8, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should create a test bed that looks like the production environment for specific Red Team attacks and penetration tests that are not tested in production environments. (Critical Control 20.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. (CIS Control 20: Sub-Control 20.5 Create a Test Bed for Elements Not Typically Tested in Production, CIS Controls, 7.1)
  • Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. (CIS Control 20: Sub-Control 20.5 Create a Test Bed for Elements Not Typically Tested in Production, CIS Controls, V7)
  • Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. (A.14.2.6 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. (§ 14.2.6 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Development, testing and production environments should be separated and secured. (§ 8.31 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Workstations are NIPRNet connected. As with the production application, STIGed Government Furnished Equipment (GFE) must be used to manage the environment and test the application. (Section 5.14.1 ¶ 1 Bullet 1, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD application test Zone A instantiated in cloud infrastructure must be implemented in the same CSP/CSO with the same information impact level and having the same connectivity model as the production application zone to support lifecycle management of the application. The sensitivity of the informa… (Section 5.14 ¶ 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • User site testing should occur at the user's site with the actual hardware and software that will be part of the installed system configuration. (§ 5.2.6 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Determine whether management considers design, placement, and effective security controls for non-production environments (e.g., development, test, and quality assurance). Consider the following: (App A Objective 3:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • ISCP testing is a critical element of a viable contingency capability. Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan. Testing can take on several forms and accomplish several objectives but should b… (§ 3.5.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))