CM-05 Change Management
Environment Segregation
Dev, test and production are isolated.
- Domain: Change Management
- Control type: Preventive
- Automated / manual: Hybrid
- Frequency: Continuous
- Framework reference: COBIT BAI07; MAS TRM – Change
What good looks like
Environments are segregated; production data is not used unmasked in lower environments.
Risk if it fails
Untested code/test artefacts in production; data exposure.
How Tess tests it
3 tests — each concludes only on cited evidence.
Dev/test/prod separation designed
Design
- Procedure: Inspect the architecture.
- Expected: Environments segregated.
- Sample: 1 (design inspection)
- Evidence: Architecture diagram, env configs, masking evidence.
Access boundaries enforced between envs
Operating
- Procedure: Inspect access controls.
- Expected: Separate access per environment.
- Sample: 25 (or full config inspection)
- Evidence: Architecture diagram, env configs, masking evidence.
Production data not used unmasked in lower envs
Operating
- Procedure: Inspect lower-env data.
- Expected: Synthetic or masked.
- Sample: 25 (or full config inspection)
- Evidence: Architecture diagram, env configs, masking evidence.
Evidence Tess looks for
Architecture diagram, env configs, masking evidence.