
Control the test data used in the development environment.


CONTROL ID
12013
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures., CC ID: 11744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To request the data manager to copy the data for production to be used in tests and obtain the approval. (P76.2. ¶ 2(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Return to the data management department after use (at the time of rental expiration) and delete from the development/test environment. (P76.2. ¶ 2(3), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The use of sensitive production data in non-production environments should be restricted. In exceptional situations where such data needs to be used in non-production environments, proper approval has to be obtained from senior management. The FI should ensure appropriate controls are implemented in… (§ 11.1.6, Technology Risk Management Guidelines, January 2021)
  • Requirements for the lifecycle of test data (e.g. deletion, maximum lifetime on the IT system), (5.3.1 Requirements (should) Bullet 4 Sub-Bullet 2, Information Security Assessment, Version 5.1)
  • The use of productive data for testing purposes is avoided as far as possible (if applicable, anonymization or pseudonymization): (5.3.1 Requirements (should) Bullet 4, Information Security Assessment, Version 5.1)
  • Test data shall be selected carefully, protected and controlled. (A.14.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Test data should be selected carefully, protected and controlled. (§ 14.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Test information should be appropriately selected, protected and managed. (§ 8.33 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Use of masked or sanitized test data in non-production environments when production is used; if this is not feasible, approvals to use non-sanitized data with implementation of the same level of controls in non-production environments as in production environments. (App A Objective 3:8d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Record and manage test data. (T0540, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Record and manage test data. (T0540, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (SA-3(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (SA-3(2)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
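The authority documents above ask for three things in practice: production data is pseudonymized or masked before it reaches a development/test environment, its use is approved and recorded, and the copy has a maximum lifetime after which it is deleted. The following Python script is an added example of those three controls working together; it is not part of this page or of any of the cited standards. The sample records, the key, the approval reference and the 30-day lifetime are constructed placeholders.

```python
"""Added example: produce a pseudonymized copy of production records for a
development/test environment, with an approval reference and a maximum
lifetime so the copy is deleted on schedule. Sample data, key and approval
reference are constructed placeholders, not real values."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample "production" records; nothing here is real.
PRODUCTION_RECORDS = [
    {"account_id": "ACC-000123", "name": "Alice Example",
     "email": "alice@example.com", "card_pan": "4111111111111111", "balance": 1250.40},
    {"account_id": "ACC-000456", "name": "Bob Example",
     "email": "bob@example.org", "card_pan": "5500000000000004", "balance": -30.00},
    # Same customer as row 0: the pseudonym must be stable across rows.
    {"account_id": "ACC-000123", "name": "Alice Example",
     "email": "alice@example.com", "card_pan": "4111111111111111", "balance": 99.99},
]

# Fields treated as direct identifiers and therefore replaced.
DIRECT_IDENTIFIERS = ("account_id", "name", "email", "card_pan")

# Placeholder key (assumption): in practice the pseudonymization key is held
# by the data owner and is never copied into the development/test environment.
SAMPLE_KEY = b"constructed-placeholder-key"
SAMPLE_ISSUED_AT = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed pseudonym: stable for the same (field, value) under one key and
    not reversible without it, so joins between tables keep working."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace direct identifiers; non-identifying fields such as balance are
    kept so tests still see realistic values."""
    out = dict(record)
    out["account_id"] = "ACC-" + _token(key, "account_id", record["account_id"])
    out["name"] = "Customer " + _token(key, "name", record["name"], 6)
    # Keep the domain (routing logic stays testable), replace the local part.
    domain = record["email"].split("@", 1)[1]
    out["email"] = _token(key, "email", record["email"]) + "@" + domain
    # Card number: fixed masking, only the last four digits survive.
    pan = record["card_pan"]
    out["card_pan"] = "X" * (len(pan) - 4) + pan[-4:]
    return out


def leaked_identifiers(originals: list, masked: list) -> list:
    """Return every original identifier value that still appears anywhere in
    the serialized masked dataset; an empty list means the copy is clean."""
    blob = json.dumps(masked)
    return sorted({r[f] for r in originals for f in DIRECT_IDENTIFIERS if r[f] in blob})


def build_test_dataset(records, key, approval_ref, max_lifetime_days, issued_at):
    """Pseudonymize and attach a manifest recording approval and expiry."""
    masked = [pseudonymize_record(r, key) for r in records]
    manifest = {
        "approval_ref": approval_ref,  # where the management approval is recorded
        "issued_at": issued_at.isoformat(),
        "expires_at": (issued_at + timedelta(days=max_lifetime_days)).isoformat(),
        "record_count": len(masked),
        "pseudonymized_fields": list(DIRECT_IDENTIFIERS),
    }
    return manifest, masked


def is_expired(manifest: dict, now: datetime) -> bool:
    """True once the maximum lifetime has passed: the copy must be deleted."""
    return now >= datetime.fromisoformat(manifest["expires_at"])


if __name__ == "__main__":
    manifest, masked = build_test_dataset(
        PRODUCTION_RECORDS, SAMPLE_KEY, "CHG-0000 (placeholder)", 30, SAMPLE_ISSUED_AT)
    print(json.dumps({"manifest": manifest, "records": masked}, indent=2))
    print("leaked identifiers:", leaked_identifiers(PRODUCTION_RECORDS, masked))
```

The keyed pseudonym (HMAC rather than a plain hash) is what lets the two rows for the same customer stay linkable in the test copy while the original identifiers cannot be recovered, or re-derived by guessing, without a key that never leaves the production side. The manifest is the record an auditor asks for: who approved the copy, when it was issued, and when it must be gone; `is_expired` is the check a cleanup job runs. `leaked_identifiers` is the sanity check to run before the copy is handed over.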