PCI DSS 3.2.1
- 6.4 – Follow change control processes and procedures for all changes to system components. The process must include the following:
- Development/test environments are separate from production environments with access control in place to enforce separation.
- A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
- Production data (live PANs) are not used for testing or development.
- 6.4.1 – Separate development/test environments from production environments, and enforce the separation with access controls.
- Examine network documentation and network device configurations to verify that the development/test environments are separate from the production environment(s).
- Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
- 6.4.2 – Separation of duties between development/test and production environments
- Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment.
- 6.4.3 – Production data (live PANs) are not used for testing or development
- Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development.
- Examine a sample of test data to verify production data (live PANs) is not used for testing or development.
National Institute of Standards and Technology (NIST)
- CM-2(6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
- Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
- CM-4(1) IMPACT ANALYSES | SEPARATE TEST ENVIRONMENTS
- Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
- Cybersecurity Framework Version 1.1
- PR.DS-7: The development and testing environment(s) are separate from the production environment
- CIS CSC 18, 20
- COBIT 5 BAI03.08, BAI07.04
- ISO/IEC 27001:2013 A.12.1.4
- NIST SP 800-53 Rev. 4 CM-2
International Organization for Standardization (ISO)
- Testing of releases shall be conducted in a controlled acceptance test environment. (§ 9.3 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
- Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. (A.12.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
- The development, test, and operational systems should be separated to reduce the chance of unauthorized modification to the operational system. The test system should emulate the operational as closely as possible. (§ 10.1.4, § 12.5.1, ISO 27002 Code of practice for information security management, 2005)
Center for Internet Security (CIS)
- Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.