IVS-05: Production and Non-Production Environments

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Separate production and non-production environments.

Implementation Guidance

Separation of the environments may include:

  • Stateful inspection firewalls
  • Domain/realm authentication sources
  • Clear segregation of duties for personnel accessing these environments as part of their job duties

Apply sanitization routines on data before loading into non-production, and define environmental boundaries. Production workloads should be isolated from the lower environments (e.g., development, testing) when possible.

Auditing Guidance

  1. Verify if production and non-production environments are appropriately segregated.
  2. Verify if the segregation is reviewed and managed during change management.
  3. Verify the classification of data contained in each environment.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.