Standard for Protection of Test Data

I. Purpose

The purpose of this standard is to establish the university’s obligation to ensure the protection of data used for testing.

II. Scope

It is the responsibility of any party working with test data within the University environment to understand and apply information security rules to ensure appropriate security for that data.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at

IV. Standard

Protection of test data

The use of production data containing personally identifiable information, confidential or otherwise sensitive data for testing should be avoided. If that data must be used, access controls and other securities in place for the production system should also be applied to the test system.

These requirements should be considered when using production data for testing purposes:

  • Copying production information to a test environment requires documented authorization every time that information is copied.
  • When practical, production information should be erased from a test environment immediately after the testing is complete.
  • An audit trail should be maintained to log the copying and use of production information.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 5/15/15
Updated 2/04/21