Leadline Inc.CM-15: Data De-identification for Non-Production Environments
De-identification of confidential data before use in non-production environments
Control Description
All confidential data related to the in-scope applications and related databases is de-identified prior to use within non-production environments.
Plain Meaning
Before using any sensitive or confidential data in development, testing, or staging environments, you must remove or mask the identifying information so that individuals cannot be identified from the data. This protects privacy and ensures that sensitive information doesn't accidentally get exposed in non-production systems where security might be less strict.
Releted Links
Security Guides
Implementation Resources
Tools and Automation
CM-13: Formal Change Management Methodology
Documented formal change management methodology for computerized information systems and related technology
CM-16: Monthly Production Change Review
Monthly review of production environment changes by information security team to verify authorization and separation of duties