Here's a quick reference for justifying why an organization should never mix development, test, and production configurations and data.
PCI DSS 3.2.1
- 6.4
– Follow change control processes and procedures for all changes to
system components. The process
must include the following:
- Development/test
environments are separate from production environments with access
control in place to enforce separation.
- A
separation of duties between personnel assigned to the development/test
environments and those assigned to the production environment.
- Production
data (live PANs) are not used for testing or development.
- 6.4.1
– Separate development/test environments from production environments,
and enforce the separation with access controls.
- Examine
network documentation and network device configurations to verify that
the development/test environments are separate from the production
environment(s).
- Examine
access controls settings to verify that access controls are in place to
enforce separation between the development/test environments and the
production environment(s).
- 6.4.2
Separation of duties between development/test and production environments
- Observe
processes and interview personnel assigned to development/test
environments and personnel assigned to production environments to verify
that separation of duties is in place between development/test
environments and the production environment.
- 6.4.3
– Production data (live PANs) are not used for testing or development
- Observe
testing processes and interview personnel to verify procedures are in
place to ensure production data (live PANs) are not used for testing or
development.
- Examine
a sample of test data to verify production data (live PANs) is not used
for testing or development.
National Institute of
Standards and Technology (NIST)
- SP.800-53
- CM-2(6)
BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS
- CM-4(1)
IMPACT ANALYSES | SEPARATE TEST ENVIRONMENTS
- Cybersecurity
Framework Version 1.1
International
Organization for Standardization (ISO)
- https://www.unifiedcompliance.com/products/search-controls/control/6088/
- Testing
of releases shall be conducted in a controlled acceptance test
environment. (§ 9.3 ¶ 4, ISO 20000-1, Information Technology - Service
Management - Part 1: Service Management System Requirements, Second
Edition)
- Development,
testing, and operational environments shall be separated to reduce the
risks of unauthorized access or changes to the operational environment.
(A.12.1.4 Control, ISO 27001:2013, Information Technology - Security
Techniques - Information Security Management Systems - Requirements,
2013)
- The
development, test, and operational systems should be separated to reduce
the chance of unauthorized modification to the operational system. The
test system should emulate the operational as closely as possible. (§
10.1.4, § 12.5.1, ISO 27002 Code of practice for information security
management, 2005)
Center of Internet
Security (CIS)