NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-15(9) — Use of Live Data
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Limit the use of live (production) data in development and test environments. Real data copied into non-production environments is exposed to weaker controls and broader access.
Example 1: Establish a policy that requires approval and data masking before production data can be used in development or testing. If live data is absolutely necessary for a specific test scenario, create a time-limited exception with a specific purge date for when the data must be removed from the test environment.
Example 2: Invest in synthetic data generation tools that create realistic test data without using real information. For database testing, use tools that generate fake but realistic names, addresses, and other data elements that exercise the same code paths as real data without the privacy risk.
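The masking step from Example 1, combined with the fake but realistic values from Example 2, as an added sketch that is not part of the control text or any specific tool. The field names, name pools, key and sample rows are constructed assumptions; the keyed digest makes the same input always map to the same pseudonym, so joins between masked tables still line up.

```python
import hashlib
import hmac

# Constructed replacement pools; they include apostrophes, hyphens and
# non-ASCII letters so test code still meets the awkward cases real names contain.
FIRST = ["Avery", "Jordan", "Riley", "Morgan", "Casey", "Quinn"]
LAST = ["O'Neil", "Nguyen", "García", "Smith-Jones", "Li", "Okafor"]

def _digest(key, field, value):
    # Keyed, per-field digest: without the key the mapping cannot be rebuilt.
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def mask_digits(key, field, value):
    """Replace every digit with a keyed digit; keep separators and length."""
    stream = _digest(key, field, value)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_name(key, field, value, pool):
    """Pick a pool entry deterministically from the original value."""
    d = _digest(key, field, value.casefold())
    return pool[int.from_bytes(d[:4], "big") % len(pool)]

def mask_email(key, value):
    """Map an address to a stable token under a reserved test domain."""
    token = _digest(key, "email", value.casefold()).hex()[:12]
    return f"user_{token}@example.test"

def mask_row(key, row):
    """Return a copy of the row that is safe to load into a test database."""
    return {
        "id": row["id"],  # assumption: surrogate key carries no personal data
        "first_name": mask_name(key, "first_name", row["first_name"], FIRST),
        "last_name": mask_name(key, "last_name", row["last_name"], LAST),
        "ssn": mask_digits(key, "ssn", row["ssn"]),
        "email": mask_email(key, row["email"]),
    }

# Assumption: the real key lives in a secrets manager on the production side
# and is never copied into the test environment along with the masked data.
KEY = b"constructed-demo-key"
SAMPLE = [  # constructed rows, not real records
    {"id": 1, "first_name": "Dana", "last_name": "Whitfield", "ssn": "123-45-6789", "email": "dana.whitfield@corp.example"},
    {"id": 2, "first_name": "Dana", "last_name": "Whitfield", "ssn": "123-45-6789", "email": "Dana.Whitfield@corp.example"},
]
```

Run the masking on the production side and export only the output of mask_row, so unmasked values never reach the test environment.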