...
Pre, beta, and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in the development or test environments without the express approval of the <approver of the use of customer data, e.g., VP of Customer Support>CCO.
Refer to the Data Management Policy for a description of Confidential data. If production customer data is approved for use during development or testing, it shall be scrubbed of any such sensitive information whenever feasible.
...
Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.
The company shall perform an annual network security assessment that includes a review of major changes to the environment, such as new system components and network topology.
...
Since ecoPortal uses AWS cloud we must follow the recommendations on this link to be compliance compliant with security standards.
https://aws.amazon.com/compliance/resources/
...