
Protect test data in the development environment.


CONTROL ID
12014
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures., CC ID: 11744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Preventing the leakage of testing data for system development and modification (P25.1. ¶ 2(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When test data are created based on the production data, the information for identification of individuals should be deleted or scrambled. (P76.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The use of sensitive production data in non-production environments should be restricted. In exceptional situations where such data needs to be used in non-production environments, proper approval has to be obtained from senior management. The FI should ensure appropriate controls are implemented in… (§ 11.1.6, Technology Risk Management Guidelines, January 2021)
  • desensitising production data/information when it is used for testing purposes; (Attachment A ¶ 2(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Examine policies and procedures to verify that processes are defined for not using live PANs in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine pre-production test data to verify live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe testing processes and interview personnel to verify procedures are in place to ensure live PANs are not used in pre-production environments, except where those environments are in a CDE and protected in accordance with all applicable PCI DSS requirements. (6.5.5.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments. (DSP-15, Cloud Controls Matrix, v4.0)
  • Test data shall be selected carefully, protected and controlled. (A.14.3.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Test data should be selected carefully, protected and controlled. (§ 14.3.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Test information should be appropriately selected, protected and managed. (§ 8.33 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, CRI Profile, v1.2)
  • The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. (PR.DS-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Application lifecycle management typically involves an application development Zone B, an application test Zone A, and a production zone. Each zone has its own cyber security requirements that must be implemented to protect the zone itself and the DoDIN. As with DoD production applications, T&D zone… (Section 5.14 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Processes for controlling non-masked data in non-production environments. (III.A Action Summary ¶ 2 Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Confidentiality of test plans and data. (App A Objective 10.2.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria. (PO.4.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)