
Select the test data carefully.


CONTROL ID: 12011
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures., CC ID: 11744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • To request the data manager to copy the data for production to be used in tests and obtain the approval. (P76.2. ¶ 2(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The testing of the high-risk AI systems shall be performed, as appropriate, at any point in time throughout the development process, and, in any event, prior to the placing on the market or the putting into service. Testing shall be made against preliminarily defined metrics and probabilistic thresh… (Article 9 7., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Test data shall be selected carefully, protected and controlled. (A.14.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Test data should be selected carefully, protected and controlled. (§ 14.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Test information should be appropriately selected, protected and managed. (§ 8.33 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • testing the security procedures or systems of such institution for maintaining the confidentiality of customer information; (§ 521(d)(1), GLB Gramm-Leach-Bliley Act (GLB), Title V, Nov. 12, 1999)
  • Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments. (SA-15(12) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments. (SA-15(12) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)