Sounds like a good setting for me ... we have no areas where I work. We have DEV > QA > Production.
1) I'm not quite sure what “best practice” is, but your installation seems to me very good practice. My only concern will be in the Sandbox environment. Are there any assurances that the developer code is backed up daily? In case their car works hard? I would really like to lose some good developer code.
2) There is a “release coordinator” that provides access to Sourcesafe and TFS, and also controls access to the QA environment, so there are only certain points when they are available.
3) The same applies to business testers, except that their credentials come through project managers. The PM has a document that is filled out for each project, and test teams are indicated.
We only advance on certain days (every Thursday). However, we understand that emergencies can occur, and we produced products on weekends when it is required, but these emergencies are documented after the fact and analyzed to understand what went wrong and where we can make improvements.
I would say that while your environment is monitored and documented, you should be fine. It would be nice to make sure that everything in the backup storage is in the sandbox area and that a small group of people control access to other environments. I would also recommend keeping good documentation of the arrivals and events of “secured” environments, just in case something goes wrong. You can go back through the magazines and see what could happen or who could do it. It’s not necessary to indicate fingers, but to go back and say: “What exactly did you upload / change?” so that we can see what might cause the problem.
Good luck to you,