Are dev / test / production environments properly segregated and is segregation of duties enforced (developers can't deploy to production without approval)?
Demonstrate that development, test, and production environments are architecturally segregated with enforced access controls, and that no developer can deploy code to production without independent approval through a documented change management process.
Description
What this control does
This control ensures that development, testing, and production environments are logically and physically isolated to prevent unauthorized changes to live systems. Developers are restricted from directly deploying code to production without formal approval and release management processes. Segregation of duties (SoD) requires that individuals who write or modify code cannot be the same individuals who promote that code to production, enforcing a maker-checker model that reduces insider risk and accidental deployment of untested or malicious code.
Control objective
What auditing this proves
Demonstrate that development, test, and production environments are architecturally segregated with enforced access controls, and that no developer can deploy code to production without independent approval through a documented change management process.
Associated risks
Risks this control addresses
- Unauthorized deployment of untested or malicious code directly to production by a developer, bypassing quality assurance and security reviews
- Accidental overwrite or corruption of production data or configurations due to development or testing activities performed in the live environment
- Insider threat actors with developer privileges exfiltrating production data, installing backdoors, or sabotaging systems without detection
- Cross-contamination of environments where test data containing sensitive production information leaks into lower-security development systems
- Inability to reproduce production issues or perform root cause analysis due to configuration drift between environments
- Compliance violations stemming from unauditable changes to production systems made outside formal change control processes
- Regulatory penalties and loss of customer trust following security incidents caused by inadequate separation of environments
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's environment architecture diagram and network segmentation documentation to identify boundaries between development, test, and production environments.
- Review identity and access management (IAM) policies, role definitions, and permission matrices to identify which personnel have access to each environment and what level of privileges are granted.
- Select a sample of 10-15 developers and verify their user accounts and group memberships in production systems, confirming they lack deployment or write permissions to production assets.
- Examine the CI/CD pipeline configuration files, deployment scripts, and infrastructure-as-code templates to verify that production deployments require approval gates or manual intervention by non-developer roles.
- Select a sample of 15-20 production deployment records from the past audit period and validate that each includes evidence of approval by a change advisory board, release manager, or other independent authority.
- Review access logs and deployment logs from production systems for the sample period to confirm no direct code commits, file uploads, or configuration changes were made by developer accounts.
- Interview the release manager or DevOps lead to understand the workflow for promoting code from development through test to production, and verify controls preventing developers from bypassing the process.
- Test the segregation by attempting (in a controlled manner with management approval) a simulated deployment from a developer account to verify that technical controls block unauthorized promotion to production.