Policy
Policy Name
Separation of Non-Production and Production Environment Policy

Overview
Separation of Development and Production is the practice of separating non-production environments (including Development and testing) from Production environments. The objective is to ensure non-production activities do not impact the confidentiality, integrity and availability of critical business services and sensitive information.

Statement
Environments must be segregated, with separate systems, access, networks and tools, to reduce the risk of unintended modification, unauthorized access and malicious or fraudulent activity.

The following security controls must be used to separate non-production from Production environments:
  • Development systems shall be segregated from Production systems (separated by firewalls and network rules).
  • Separate Development and Production roles shall be used for privileged system, application and network access entitlements.
  • Role membership must be reviewed periodically by the role owner or management (for membership or role changes).
  • Separate access mechanisms must be used for Development and Production access (e.g. separate Active Directory forests or domains, login IDs, or password repositories).
  • Privileged access to Production systems must be monitored for login and change activity.

Justification
The following benefits will be achieved:
  • Secure operation of production environments
  • Information security controls appropriate for each environment
  • Minimized impact of non-production activities on the production environment

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Network Security
Access Control