Thursday, September 2, 2021

Separation of Duties: Do not cross the Production and Test Streams

Here's a quick reference for justifying why an organization should never mix development, test, and production configurations and data.

PCI DSS 3.2.1

    • 6.4 – Follow change control processes and procedures for all changes to system components.  The process must include the following:
      • Development/test environments are separate from production environments with access control in place to enforce separation.
      • A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
      • Production data (live PANs) are not used for testing or development.
    • 6.4.1 – Separate development/test environments from production environments, and enforce the separation with access controls.
      • Examine network documentation and network device configurations to verify that the development/test environments are separate from the production environment(s).
      • Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
    • 6.4.2 Separation of duties between development/test and production environments
      • Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment.
    • 6.4.3 – Production data (live PANs) are not used for testing or development
      • Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development.
      • Examine a sample of test data to verify production data (live PANs) is not used for testing or development.

National Institute of Standards and Technology (NIST)

    • Cybersecurity Framework Version 1.1

International Organization for Standardization (ISO)

      • Testing of releases shall be conducted in a controlled acceptance test environment. (§ 9.3 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
      • Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. (A.12.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
      • The development, test, and operational systems should be separated to reduce the chance of unauthorized modification to the operational system. The test system should emulate the operational as closely as possible. (§ 10.1.4, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)

 Center of Internet Security (CIS)