IT Operating Environments Best Practices

Overview

Governing what data does not belong in lower environments - the prohibitions - is necessary but insufficient. Effective environment data governance also requires defining what data should be in each environment and how it should be created, managed, and maintained to serve the governance purpose of that environment. Without this positive definition, teams fill the data governance vacuum created by the prohibition on Production data with whatever data is most convenient - which may be of insufficient quality, volume, or representativeness to support meaningful validation activities, or may be of a quality that technically complies with prohibitions while violating their spirit.

Best Practice

Define the data profile appropriate to each environment tier and provide guidance on how data meeting that profile should be created and maintained. RSC environments should contain only data created specifically for the research activity, with no relationship to any organizational data of any sensitivity level. DEV environments should contain synthetically generated or carefully anonymized data that is structurally representative of Production data but contains no real individuals, transactions, or sensitive records. SIT environments should contain integration-representative data sufficient to test the data exchange behaviors of all in-scope integrations, generated or anonymized to represent the volume and variety of Production data flows without containing Production data itself. UAT environments should contain scenario data that is sufficiently realistic and complete to support meaningful acceptance testing, generated to represent real-world usage patterns without using real individual records. TRN/EDU environments should contain training scenario data that supports all training exercises planned for the environment. PEN environments should contain data sufficient to test the security controls governing all data classifications the solution handles, without containing real data of any sensitivity level.

Benefit(s)

Defining the positive data profile for each environment tier ensures that environment data governance is complete rather than limited to prohibition enforcement. Teams have clear guidance on what data their lower environments should contain and how to create or obtain it, enabling them to populate their environments with data that is appropriate for their governance context and sufficient for their validation activities. The data landscape of the environment pipeline is coherent and governable because both the prohibited and the appropriate data profiles are defined, understood, and consistently applied.