Tsh, is there any lie that those operations people won't tell in order to keep us out of their sandbox?
Seriously though, I don't think that SOX is that detailed, and I don't believe any STIG is either. It sounds like that rule is more along the lines of an _interpretation_ of the regulations, or a quoting of the regulations to justify a rule (depending on your degree of cynicism).
I did DOD befoer this. I am doing financial now. The federal government actually passed security laws for financial companies as part of Sarbanes-Oxley(SOX). I was told by operations that one of the rules is that development cannot have access to production data. That is a problem for production support when you get data issues.
-- //www.freelists.org/webpage/oracle-l