Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).
What is the control?
Development, testing, and production environments all serve different purposes. It’s important that they are kept separate, because the activities in one could otherwise negatively impact the others.
Why should I have it?
For example, development could freeze a server through errors in code or an experimental approach, while testing could cause unpredictable behaviour or load on the infrastructure that leads to production outages. Conversely, the requirements (and restrictions) of a production environment could mean that your development and testing possibilities are severely limited.
It’s therefore important to have separate environments for these activities. They allow the maximum output from testing and development while safeguarding your production environment from being corrupted, slowed, or even brought down. Separation also reduces the risk of data being incorrectly uploaded to or deleted from a production environment, of permissions being incorrectly set, and of other scenarios that could result in a data breach.
You should have multiple environments separated for purposes such as development, testing, and production. Some organisations may also have other environments such as staging. There can be as many environments as needed as long as the necessary segregation exists and each environment’s purpose is defined. Note that there may be differences between the environments due to their purposes. For example, production may have more capacity than development.
You should create a policy that clearly defines what each environment is for. These criteria should then be applied by any relevant processes in your organisation that prescribe interaction with one or more of these environments.
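One way to turn such a policy into a repeatable check is to inventory resources and credentials, tag each with its environment, and test that the segregation the policy requires actually holds. The following is an added example, not code from the original article; it assumes a constructed inventory in which logical segregation is expressed by a network segment label (VPC, VLAN, subnet, or similar), each resource is tagged with the environment it belongs to and whether it holds live data, and each principal is listed with the environments its credentials can reach. The environment names and all sample entries are made up for illustration.

```python
"""Check an environment inventory for segregation violations.

Assumptions (not from the original article): environments are dev/test/prod,
a resource's "segment" is its network segment, a resource holding live data
is tagged data="live", and a principal lists the environments it can reach.
"""
from collections import defaultdict

ENVIRONMENTS = ("dev", "test", "prod")

# Constructed sample inventory; three entries deliberately break the policy.
RESOURCES = [
    {"name": "web-prod-01", "env": "prod", "segment": "vpc-prod", "data": "live"},
    {"name": "db-prod-01", "env": "prod", "segment": "vpc-prod", "data": "live"},
    {"name": "web-test-01", "env": "test", "segment": "vpc-test", "data": "synthetic"},
    # Violation: a test database seeded with a copy of live customer data.
    {"name": "db-test-01", "env": "test", "segment": "vpc-test", "data": "live"},
    # Violation: a development host placed in the production network segment.
    {"name": "dev-box-07", "env": "dev", "segment": "vpc-prod", "data": "synthetic"},
    {"name": "dev-box-01", "env": "dev", "segment": "vpc-dev", "data": "synthetic"},
]

PRINCIPALS = [
    {"name": "ci-deployer", "envs": {"test"}},
    {"name": "prod-release-role", "envs": {"prod"}},
    # Violation: one developer credential that can reach both dev and prod.
    {"name": "alice-dev", "envs": {"dev", "prod"}},
]


def check_segments(resources):
    """Each network segment must host resources of exactly one environment."""
    envs_by_segment = defaultdict(set)
    for r in resources:
        envs_by_segment[r["segment"]].add(r["env"])
    return [
        f"segment {seg} mixes environments {sorted(envs)}"
        for seg, envs in sorted(envs_by_segment.items())
        if len(envs) > 1
    ]


def check_live_data(resources):
    """Live data may only exist in production."""
    return [
        f"resource {r['name']} in {r['env']} holds live data"
        for r in resources
        if r["data"] == "live" and r["env"] != "prod"
    ]


def check_principals(principals):
    """No single credential may span production and a non-production environment."""
    violations = []
    for p in principals:
        others = p["envs"] - {"prod"}
        if "prod" in p["envs"] and others:
            violations.append(f"principal {p['name']} reaches prod and {sorted(others)}")
    return violations


def check_inventory(resources, principals):
    """Run all checks; returns a list of human-readable violations (empty = compliant)."""
    for r in resources:
        if r["env"] not in ENVIRONMENTS:
            raise ValueError(f"{r['name']}: unknown environment {r['env']!r}")
    for p in principals:
        unknown = p["envs"] - set(ENVIRONMENTS)
        if unknown:
            raise ValueError(f"{p['name']}: unknown environments {sorted(unknown)}")
    return check_segments(resources) + check_live_data(resources) + check_principals(principals)


if __name__ == "__main__":
    findings = check_inventory(RESOURCES, PRINCIPALS)
    for finding in findings:
        print("VIOLATION:", finding)
    print("compliant" if not findings else f"{len(findings)} violation(s)")
```

Running the script against the constructed inventory reports the three planted problems: a production segment that also hosts a dev machine, live data sitting in test, and a credential that spans dev and prod. In practice the inventory would be generated from your cloud account, CMDB or IAM export rather than typed in, and the check run on a schedule so that drift from the policy is caught rather than discovered during an incident.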
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.