CIS Control 16.8: Maintain Separate Production and Non-Production Systems
Production and non-production environments require strict isolation to prevent unauthorized changes, data exposure, and compliance violations. CIS Control 16.8 mandates maintaining separate systems to reduce your attack surface and protect customer data. Without proper segmentation, testing activities, development mistakes, and unauthorized access in staging can directly compromise your live systems.
What this means
This control requires organizations to establish and maintain distinct, isolated environments for production systems (where real customer data and business operations run) and non-production systems (development, testing, and staging). Separation prevents unauthorized or accidental changes in development from affecting live systems, limits exposure of sensitive data in test environments, and ensures compliance auditors can verify environment controls independently.
How to comply
- 1.Identify and document all production systems that handle sensitive customer data or critical business functions.
- 2.Create separate physical or logical environments for development, testing, staging, and production with distinct access controls.
- 3.Implement network segmentation using firewalls, VLANs, or cloud security groups to restrict traffic between environments.
- 4.Use separate credentials, API keys, and authentication mechanisms for each environment—never reuse production credentials in non-production.
- 5.Enforce separate database instances or schemas so non-production cannot access production data.
- 6.Restrict administrative access to production systems only to authorized personnel with documented justification.
- 7.Disable or limit external connectivity from non-production systems to prevent lateral movement into production.
- 8.Audit and log all inter-environment communications and changes monthly.
- 9.Review environment configurations quarterly to detect unauthorized connections or credential sharing.
Evidence auditors look for
- Network diagrams showing isolated subnets for production vs. development with firewall rules documented
- AWS/Azure/GCP console screenshots confirming separate VPCs, security groups, or resource groups per environment
- Access control lists (ACLs) proving different user groups have permissions only in their assigned environments
- Credential management documentation showing production API keys stored in separate vaults with restricted access
- Database configuration reports confirming separate instances or isolated schemas per environment
- Change logs showing non-production deployments rejected or isolated from production pipelines
- Network segmentation audit reports from vulnerability scans confirming environment isolation
- Signed statements from IT leadership confirming environment separation policies and quarterly reviews
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates environment isolation verification by scanning your cloud infrastructure, validating security group rules, and flagging unauthorized cross-environment credentials—eliminating manual CIS 16.8 audit work.
See how GRCWatch handles this control automatically
Start free trial