Control 8.33: Test Data
Summary
Test data should be selected, protected and managed appropriately. This ensures that the testing process does not inadvertently expose sensitive information or violate privacy regulations like Law 25.
Applicability
In-Scope: Mandatory for any organization performing software testing or system configuration validation. It addresses the high risk of data leakage via insecure testing environments.
Out-of-Scope: The control can be excluded only if no testing or validation is ever performed using data.
Implementation Guidance
Microsoft 365 / Entra ID
- Data Sanitization: Use automated scripts or Azure SQL Data Masking to scrub PII from production data copies before they are moved to the testing environment.
- Synthetic Data: Encourage the use of Microsoft-provided or custom-generated synthetic data sets for testing purposes instead of using real-world information.
- Access Restriction: Ensure that any environment containing a copy of production data (even if masked) is protected by the same MFA and Conditional Access rules as the live environment.
Evidence Checklist
- Test Data Policy: Rules defining how data must be sanitized or generated for use in non-production environments.
- Masking Logs: Evidence that a technical process was run to redact or mask sensitive fields before data was transferred to a test system.
- Deletion Records: Proof that test data sets are securely deleted once the testing cycle is complete.
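
One way to script the Data Sanitization step and produce a Masking Logs record, as an added example that is not part of the original guidance: it replaces assumed PII columns (`full_name`, `email`, `phone`) in a constructed CSV export with keyed HMAC pseudonyms and fails if any original value survives in the output. The key, column names and sample rows are assumptions; the key is meant to stay in a secret store outside the test environment.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample standing in for a production export (not real data).
PROD_EXPORT = """id,full_name,email,phone,plan
1,Alice Tremblay,alice.tremblay@example.com,514-555-0101,premium
2,Bob Gagnon,bob.gagnon@example.com,418-555-0102,basic
3,Alice Tremblay,alice.tremblay@example.com,514-555-0101,basic
"""

PII_FIELDS = ("full_name", "email", "phone")  # assumed column names


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: joins still work, guessing needs the key."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{digest}@test.invalid" if field == "email" else f"{field}_{digest}"


def sanitize(prod_csv: str, key: bytes):
    """Return (masked_csv, masking_log) for a production CSV export."""
    reader = csv.DictReader(io.StringIO(prod_csv))
    rows = list(reader)
    originals = {r[f] for r in rows for f in PII_FIELDS if r[f]}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({k: pseudonym(key, k, v) if k in PII_FIELDS else v for k, v in r.items()})
    masked = out.getvalue()
    # Verification: no original PII value may survive anywhere in the output.
    leaked = sorted(v for v in originals if v in masked)
    if leaked:
        raise ValueError(f"masking incomplete, {len(leaked)} original values remain")
    log = {
        "rows_processed": len(rows),
        "fields_masked": list(PII_FIELDS),
        "residual_pii_values": len(leaked),
        "output_sha256": hashlib.sha256(masked.encode()).hexdigest(),
    }
    return masked, log


if __name__ == "__main__":
    masked_csv, record = sanitize(PROD_EXPORT, key=b"constructed-demo-key")
    print(masked_csv)
    print(record)
```

The `output_sha256` value ties the log entry to the exact file that was transferred, so the record can be matched against what is found in the test system.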
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the organization's policy regarding the use of live production data in the testing environment?
- How do you verify that the masking or anonymization process is effective and cannot be easily reversed?
- Who is responsible for authorizing the use of a specific data set for a testing project?
- Can you demonstrate that an unauthorized user or developer cannot access the source production data while working in the test environment?