Limitations on Production Data on Non-Production Environments Policy
Version 1.0
For Students, Faculty, Staff, Guests, Alumni
The purpose of this policy is to establish parameters for the use of Production Data in non-production environments.
Scope
This IT policy, and all policies referenced herein, shall apply to the following members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Production Data shall not be replicated or used in non-production environments except for QA and Pre-Production (PPRD).
- Data impacted must comply with legal and regulatory requirements per the Data Classification Guidelines and Data Classification and Protection Policy.
- Any use of Production Data in non-production environments other than QA and PPRD requires explicit, documented approval from the Vice President and Chief Information Officer, the Associate Vice President for IT/CISO, and the Associate Vice President of DevOps.
- When it is not viable to segregate the production data from the non-production environments, controls must be implemented to match production environment requirements, or the data must be anonymized to the satisfaction of the data owners.
Definitions
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Non-production is any application environment that allows testing without impacting University operations. Non-production environments may otherwise be known as development, test, stage, or Sandbox environments.
Production Data refers to live and operational information.
A Production environment is an operational environment in which a software application or system is deployed and used to perform its intended tasks.
A QA environment, also known as a test environment, is used to validate a software application’s quality before it is deployed to production and to optimize software development processes so that the software works. This environment is typically isolated from other environments, such as development and staging, to ensure that any issues found in the QA environment do not impact the live production system.
Related Policies and Procedures
Implementation Information
Review Frequency: | Triennial |
---|---|
Responsible Person: | Senior Director of IT Security and Assurance |
Approved By: | CISO |
Approval Date: | November 1, 2023 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 11/01/2023 | Initial document |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.