IOMG Technical Standard: Data in Non-Production Environments
Production data must not be used in any non-production environment. This includes, but is not limited to:
- Development
- User Acceptance Test
- Training
- Pre-production/staging
This standard applied to all systems managed, owned or hosted by the Isle of Man Government including:
- On-premises infrastructure
- Cloud Platforms (IaaS, PaaS, SaaS)
- Third-party or supplier managed environments (private cloud)
This standard adopts the following principles for all Isle of Man Government data sets:
- Protect personal and sensitive data at all times
- Prevent unnecessary exposure of confidential and/or high-risk datasets
- Ensure non-production environments reflect real world behaviour without compromising data protection and GDPR obligations.
- Apply appropriate authorisation to production data, adopting least-privilege principles
Exceptions
Exceptions may be granted only when justified, documented, risk assessed and approved by the data owner and a Data Protection Impact Assessment is completed. Exception requests will be submitted to, logged and approved by Government Transformation Services.
Government Transformation Services would recommend the generation of test data through automated processes that mimic the structure, distribution and logic of real data without containing any personally identifiable information. For more details regarding options and feasibility, please contact Government Transformation Services
Each exception will be considered on a case-by-case basis and allowed exception types include:
Data Obfuscation/De-identification
Production data may be used in non-production environments after irreversible transformation taking into consideration the following requirements:
- Obfuscation must occur before data is loaded into a non-production environment
- All sensitive and personal information must not be identifiable after transformation – this also includes reference identifiers
- The obfuscation process must be repeatable, documented and auditable
Strict Control of Production data (where obfuscation is not possible)
If obfuscation is not possible, then strict production-level controls must apply
- Access Control – it is crucial that appropriate RBAC roles and permissions must be applied and that all accounts must follow the principle of least privilege
- Environment Hardening - non-production environment must meet production-equivalent security requirements reflective of classification data being used and the security elements that is in-place for the corresponding production environment.
- Data Handling Restrictions – it is important to determine the minimum data set required for non-production purposes. It is also critical that data must remain within the boundaries of the system and not be subject to export, sharing, backups, printing or copied to local environments (PC. Virtual Machines etc.). No third parties may access the data without contractually binding controls
- Retention and Disposal – The identified data sets must only be retained for the duration of the approved process. Data deletion must be enforced on the conclusion of non-production activities with deletion evidence captured and audited
- Auditing – Access logs must be made available for reviewed by appropriate parties for the duration of the exception. Any identified anomalies must be escalated immediately via incident response procedures.
Documentation
The following would be required in obtaining an exception to use production data in non-production environments:
- Government Transformation Services (CTA) Exception request
- Data Protection Impact Assessment (DPIA)
- Security risk assessment
- Test purpose justification
- Retention and disposal plan
- Environment hardening checklist
Approval
Approval requires a minimum of
- Data Protection Officer (DPO)
- System Owner
- Government Transformation Services
Depending on the data classification, there may be additional approval requirements from the Senior Information Risk Owner (SIRO)
