8-3.2 Environment Restrictions

Restrictions are defined for the following distributed PCEs including the subcategories noted above:

  1. DEV.
  2. SIT.
  3. CAT.
  4. PROD.

Separation of duties and other restrictions defined for each of the PCEs must be maintained. Modification of environment restrictions is not authorized.

8-3.2.1 Development Environment

Developers get full access (e.g., read, write, execute, allocate, and delete) in this environment to application software. Restrictions for the development environment include the following:

  1. Developers are restricted to read and execute privileges for database and operating system software.
  2. Personally identifiable information (PII), which is defined in 3-2.3.2, and payment card industry (PCI) primary account number (PAN) must not be used in this environment.
  3. No access to production systems is allowed from this environment.
  4. The development environment is an isolated infrastructure (DEVSUB) or is enclaved.
  5. Use of nonsensitive production information in this environment requires the creation of a generic production data usage letter (PDUL). This letter approves the use of nonsensitive production data until the end of the current fiscal year. The PDUL is needed only for the application to be tested, not for every system the application touches.
  6. Use of sensitive or sensitive-enhanced production information in this environment requires:
    1. A specific PDUL that approves the use of this data until the end of the current fiscal year for one year from the time of the request, at which time another PDUL will be required. The PDUL is needed only for the application to be tested, not for every system the application touches.
    2. The development environment must implement the same controls as the production environment, or the PII, PCI PANs, and sensitive information must be de-identified in the production environment before data is transferred to the development environment. The project manager must validate (and attest in a letter to the CISO and the privacy office) that all PII, PCI PANs, and sensitive information have been de-identified.
  7. All connections of developer workstations to databases in all environments must be added as a temporary request for no more than 6 months with the option to renew when the NCRB team (coordinating with the ISSO) contacts the requester prior to expiration; contact the users listed in the database connections in the general tab of ServiceNow. This fits the 6-month access review policy.
  8. All connections for developers will be from their workstations/laptops and not from a subnet.

8-3.2.2 SIT Environment

Developers have full access (e.g., read, write, execute, allocate, and delete) in this environment to application software. Code is migrated from the SIT environment back to the development environment to apply updates/fixes. Restrictions for the SIT environment include the following:

  1. Developers may have access to the SIT environment with documented management approval.
  2. Systems moved to the SIT environment are documented and managed by a version control library system.
  3. PII and PCI PANs and sensitive information must not be used in this environment.
  4. Use of nonsensitive production information in this environment requires a generic PDUL that approves upfront the use of nonsensitive production data for up to 1 year from the time of the request until the application requires recertification and reaccreditation, at which time another PDUL will be required.
  5. Use of production PII, PCI PANs, and sensitive information in this environment requires:
    1. A specific PDUL that approves the use of this data for 1 year from the time of the request; then they would be required to request another PDUL. The PDUL is needed only for the application to be tested, not for every system the application touches.
    2. The SIT environment must implement the same controls as the production environment, or the PII, PCI PANs, and sensitive information must be de-identified in the production environment before the data is transferred to the SIT environment. The project manager must validate (and attest in a letter to the CISO and the privacy office) that all PII, PCI PANs, and sensitive information have been de-identified.
  6. All connections of developer workstations to databases in all environments must be added as a temporary request for no more than 6 months with the option to renew when the NCRB team (coordinating with the ISSO) contacts the requester prior to expiration; contact the users listed in the database connections in the general tab of ServiceNow. This fits the 6-month access review policy.
  7. All connections for developers are from their workstations/laptops and not from a subnet.

8-3.2.3 CAT Environment

Access is restricted to production operations personnel, executive sponsorship, and developers with proper authorization. The CAT environment must implement the same controls and security requirements as production. Restrictions for the CAT environment include the following:

  1. Developers may have access to the CAT environment with documented management approval.
  2. Systems moved to the CAT environment are documented and managed by a version control library system.
  3. PCI PANs must not be used in this environment.
  4. PII and sensitive information must be de-identified prior to use in the CAT environment; any exceptions to the de-identification requirement must be approved by the CIO, CPO, and the executive sponsor. If PII that is not de-identified is approved for use in the CAT environment, the PII and sensitive information must be encrypted.
  5. Use of nonsensitive production information in this environment requires a generic PDUL that approves upfront the use of nonsensitive production data for up to 1 year from the time of the request until the application requires recertification and reaccreditation, at which time another generic PDUL is required. See 8-3.2.5, Other Environments.
  6. Use of PII, PCI PANs, and sensitive information in this environment requires:
    1. A specific PDUL that approves the use of this data until the end of the current fiscal year for 1 year from the time of the request, at which time another PDUL is required. The PDUL is needed only for the application to be tested, not for every system the application touches.
    2. The CAT environment must implement the same controls as the production environment, or the PII, PCI PANs, and sensitive information must be de-identified in the production environment before data is transferred to the CAT environment. The project manager must validate and attest in a letter to the CISO and the Privacy Office that all PII, PCI PANs, and sensitive information have been de-identified.
  7. All connections of developer workstations to databases in all environments must be added as a temporary request for no more than 6 months with the option to renew when the NCRB team (coordinating with the ISSO) contacts the requester prior to expiration; contact the users listed in the database connections in the general tab of ServiceNow. This fits the 6-month access review policy.
  8. All connections for developers will be from their workstations/laptops and not from a subnet.

8-3.2.4 Production Environment

Restrictions for the production environment include:

  1. Developers must not have ongoing read access or privileged access to application, database, and operating system software in this environment.
  2. Developer access to production systems must be authorized by the executive sponsor, CIO or designee, and CPO via eAccess or PS Form 1357, Request for Computer Access. PS Form 1357 is only to be used for applications where eAccess is unable to handle the requested computer access.
  3. Developer access to the production system, if approved in eAccess, must be managed and documented in eAccess.
  4. A Remedy Problem Ticket must be opened to implement the approved access to the production system and the access must be removed when the Problem Ticket is closed.
  5. The developer account must be temporary and disabled/removed upon completion of the task.
  6. Developer access must be logged while the account is active.
  7. The CISO must be informed of the access.
  8. Production data must not be copied by the developer.
  9. Extreme care must be exercised when accessing PII and cardholder information. If not necessary for the task, PII and cardholder data must be masked from view or de-identified. Masking is the method of concealing portions of cardholder data when displayed or printed. De-identifying production data is the process of systematically transforming PII and cardholder data elements so they can no longer be used to identify an individual or cardholder data. When masking the PAN, the first six and the last four digits are the maximum number of digits to be displayed or printed.
  10. Sensitive and sensitive-enhanced information must be protected according to the requirements in 3-5.

8-3.2.5 Other Environments

The restrictions are the same as for the development environment.