Is your development, test, and staging environment separate from the production environment?

environment separation

Production and test/development environments should be separated from each other both physically and logically.  Data and applications should not flow between the two without safeguards.

Why are they asking this?

Separating production from non-production environments protects the production environment and the data it holds. Test and development environments are inherently less stable than production and may contain vulnerabilities in new code that has not yet been tested and remediated.

Test and development environments also should not contain production user data. They typically have less stringent controls on who holds administrative or other privileges, so production data copied into them could be exposed to users, developers, or testers with no need to know it. More people, possibly including outside vendors or contractors, may also have access to these systems and therefore to the data.
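One concrete safeguard for data that does have to move from production to a lower environment is to pseudonymize the export before it leaves production and to gate the transfer on a leak check. The following is an added example, not code from the original page; the field names, the customer records and the salt handling are constructed for illustration. Direct identifiers are redacted, join keys are replaced with a keyed hash so tables stay consistent, free-text fields are dropped because they cannot be reliably scrubbed, and a final check confirms that no original identifier survives anywhere in the output.

```python
"""Pseudonymize a production export before it is loaded into test/dev.

Added example, not from the original page. The field names, the sample
records and the salt handling are assumptions constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Fields that never leave production in the clear.
DIRECT_IDENTIFIERS = frozenset({"name", "email", "phone"})
# Fields that must stay joinable across tables: same input -> same token.
KEY_FIELDS = frozenset({"customer_id"})
# Free text cannot be reliably scrubbed, so it is dropped rather than copied.
FREE_TEXT = frozenset({"notes"})

# Constructed sample export; these are not real customers.
RECORDS = [
    {"customer_id": 1001, "name": "Ada Lovelace", "email": "ada@example.com",
     "phone": "+1-555-0100", "plan": "pro",
     "notes": "Called ada@example.com re invoice"},
    {"customer_id": 1002, "name": "Grace Hopper", "email": "grace@example.com",
     "phone": "+1-555-0101", "plan": "free", "notes": ""},
]


def _token(salt: bytes, value) -> str:
    """Keyed hash of a value: stable for a given salt, not reversible without
    it.  The salt is generated in production and never shipped with the data."""
    return hmac.new(salt, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, salt: bytes,
                        free_text_fields=FREE_TEXT) -> dict:
    """Return a copy of one record that is safe for a non-production environment."""
    out = {}
    for field, value in record.items():
        if field in KEY_FIELDS:
            out[field] = _token(salt, value)
        elif field == "email":
            # Keep the shape of an email so test code still parses it, but
            # point it at a reserved domain that can never receive mail.
            out[field] = f"user-{_token(salt, value)}@example.invalid"
        elif field in DIRECT_IDENTIFIERS:
            out[field] = "REDACTED"
        elif field in free_text_fields:
            out[field] = ""
        else:
            out[field] = value  # non-identifying attributes pass through
    return out


def sanitize_export(records: list, salt: bytes) -> list:
    return [pseudonymize_record(r, salt) for r in records]


def find_leaks(originals: list, sanitized: list) -> list:
    """Gate run before the dataset leaves production: report every original
    identifier value that still appears anywhere in the sanitized output,
    including inside fields that were meant to pass through unchanged."""
    haystack = json.dumps(sanitized)
    leaks = []
    for rec in originals:
        for field in sorted(DIRECT_IDENTIFIERS):
            value = str(rec.get(field, ""))
            if value and value in haystack:
                leaks.append((field, value))
    return leaks


if __name__ == "__main__":
    salt = secrets.token_bytes(32)  # generated in production, kept there
    clean = sanitize_export(RECORDS, salt)
    print(json.dumps(clean, indent=2))
    print("leaks:", find_leaks(RECORDS, clean))
```

The leak check is the part worth keeping even if the masking rules change: if free text were passed through untouched, the e-mail address embedded in the `notes` field would reach the test environment, and `find_leaks` reports exactly that.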

What do they expect?

You may be asked for details on the different environments, including how they are separated and what data, if any, flows between them. This information may take the form of engineering documentation, deployment plans, and development procedures.