CCI-004680

Approve the use of live data in preproduction environments for the system, system component, or system service.

Implementation Guidance

Determine if: - the use of live data in pre-production environments is approved for the system, system component, or system service. - the use of live data in pre-production environments is documented for the system, system component, or system service. - the use of live data in pre-production environments is controlled for the system, system component, or system service.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy into the system development life cycle process; system development life cycle documentation; security risk assessment documentation; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; data mapping documentation; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; procedures addressing the minimization of personally identifiable information used in testing, training, and research; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy responsibility; organizational personnel with system life cycle development responsibilities]. Test: [SELECT FROM: Organizational processes the use of live data in pre-production environments; mechanisms for protecting live data in pre-production environments].

The controls below (if any) were marked by NIST as being related to CCI-004680.