16.8 Separate Production and Non-Production Systems
Implementation Groups: IG2, IG3

Asset Type: Applications
Security Function: Protect

Description

Maintain separate environments for production and non-production systems.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Test Data Leak from Development Database in Production Network (Confidentiality)

An attacker compromises a development database containing a copy of production customer data because development and production systems share the same network segment and security controls.

Unstable Development Code Crashes Production System (Availability)

A developer accidentally deploys experimental code to a production server because development and production environments are not separated, causing a production outage.

Attacker Pivots from Development to Production Environment (Confidentiality)

An attacker compromises a weakly secured development server and uses it as a pivot point to access production systems because both environments share infrastructure and credentials.

Vulnerabilities (When Safeguard Absent)

No Separation Between Production and Non-Production Environments

Without environment separation, development, staging, and production systems share networks, credentials, or infrastructure, allowing issues or compromises in non-production to directly impact production.

Shared Credentials and Access Between Environments

Co-mingled environments often share database credentials, API keys, and service accounts, meaning a compromise of the less-secured development environment exposes production secrets.
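As an added example (not part of the CIS safeguard text), the following Python audit checks an environment inventory for the two conditions named above: non-production hosts sitting on a production network segment, and credentials reused between production and non-production. The inventory format, host names, subnets and credential fingerprints are constructed assumptions.

```python
"""Audit a per-environment inventory for the two weaknesses described above:
non-production hosts on production network segments and credentials reused
between production and non-production. Format and values are constructed."""
from collections import defaultdict
import ipaddress

PRODUCTION = "production"

# Constructed inventory; secrets are fingerprints (e.g. a hash), never the secret itself.
INVENTORY = {
    "production": [
        {"host": "db-prod-01", "subnet": "10.10.20.0/24", "secrets": ["sha256:aaa111", "sha256:bbb222"]},
        {"host": "api-prod-01", "subnet": "10.10.20.0/24", "secrets": ["sha256:bbb222"]},
    ],
    "development": [
        # Same segment and same DB credential as production: triggers both checks.
        {"host": "db-dev-01", "subnet": "10.10.20.0/24", "secrets": ["sha256:aaa111"]},
        {"host": "ci-dev-01", "subnet": "10.10.50.0/24", "secrets": ["sha256:ccc333"]},
    ],
    "staging": [
        {"host": "db-stg-01", "subnet": "10.10.30.0/24", "secrets": ["sha256:ddd444"]},
    ],
}

def _spans_environments(members):
    """True if the (env, host) pairs include production plus at least one other env."""
    envs = {env for env, _ in members}
    return PRODUCTION in envs and len(envs) > 1

def find_shared_secrets(inventory):
    """Credential fingerprints used in production and in a non-production env -> hosts."""
    users = defaultdict(set)
    for env, hosts in inventory.items():
        for h in hosts:
            for fp in h["secrets"]:
                users[fp].add((env, h["host"]))
    return {fp: sorted(h for _, h in m) for fp, m in users.items() if _spans_environments(m)}

def find_shared_segments(inventory):
    """Production subnets that a non-production host sits on or overlaps -> all hosts on them."""
    prod_nets = {ipaddress.ip_network(h["subnet"]) for h in inventory[PRODUCTION]}
    on_net = defaultdict(set)
    for env, hosts in inventory.items():
        for h in hosts:
            net = ipaddress.ip_network(h["subnet"])
            for pn in prod_nets:
                if net.overlaps(pn):
                    on_net[str(pn)].add((env, h["host"]))
    return {pn: sorted(h for _, h in m) for pn, m in on_net.items() if _spans_environments(m)}
```

Either finding is evidence that the safeguard is not in place; an empty result for both is the expected state once environments are separated.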

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually