All new code, etc. should be developed locally, tested on www-test.civicrm.org, and then deployed on production.
New configurations (i.e. configuration changes made via the UI etc.) can/should be made on www-test.civicrm.org first, before being deployed on production.
# Local development environments
You can develop locally as long as you are not storing any unencrypted personal data in your local development environment.
Drupal and CiviCRM databases can be encrypted on www-test.civicrm.org before being transferred to local development environments.