W1T3H4T Security: Separation of Duties: Do not cross the Production and Test Streams

Here's a quick reference for justifying why an organization should never mix development, test, and production configurations and data.

6.4 – Follow change control processes and procedures for all changes to system components. The process must include the following:

Development/test environments are separate from production environments with access control in place to enforce separation.
A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Production data (live PANs) are not used for testing or development.

6.4.1 – Separate development/test environments from production environments, and enforce the separation with access controls.

Examine network documentation and network device configurations to verify that the development/test environments are separate from the production environment(s).
Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).

6.4.2 Separation of duties between development/test and production environments

Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment.

Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development.
Examine a sample of test data to verify production data (live PANs) is not used for testing or development.

https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-2
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-4
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
PR.DS-7: The development and testing environment(s) are separate from the production environment ·

Testing of releases shall be conducted in a controlled acceptance test environment. (§ 9.3 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. (A.12.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
The development, test, and operational systems should be separated to reduce the chance of unauthorized modification to the operational system. The test system should emulate the operational as closely as possible. (§ 10.1.4, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)

https://controls-assessment-specification.readthedocs.io/en/0.0.1/control-18/control-18.9.html

Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

W1T3H4T Security