DSP-15: Limitation of Production Data Use

PF v1.0 References:

Previous Version:

Control Statement

Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.

Implementation Guidance

Before replicating production data or using data copied from the production system in non-production systems, perform a risk analysis and obtain data owner approval. Then, if required, implement privacy risk mitigation techniques such as anonymization or pseudonymization.

Auditing Guidance

  1. Examine the organization's procedures and technical requirements related to the use of production data in non-production environments or requests to replicate production data for use in non-production environments.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Select a sample of requests and assess whether such requests have followed the approval and secure deployment processes through to completion. Confirm that all relevant evidence was formally documented and recorded.
  4. Review the organization's data breaches for examples in which this requirement was not followed correctly. Further, confirm that any appropriate action plans were identified and carried out.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.