The purpose of this standard is to establish the university’s obligation to ensure the protection of data used for testing.
It is the responsibility of any party working with test data within the University environment to understand and apply information security rules to ensure appropriate security for that data.
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliancefirstname.lastname@example.org.
Protection of test data
The use of production data containing personally identifiable information, confidential or otherwise sensitive data for testing should be avoided. If that data must be used, access controls and other securities in place for the production system should also be applied to the test system.
These requirements should be considered when using production data for testing purposes:
- Copying production information to a test environment requires documented authorization every time that information is copied.
- When practical, production information should be erased from a test environment immediately after the testing is complete.
- An audit trail should be maintained to log the copying and use of production information.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initially approved by Information Assurance Committee 5/15/15