What security controls should be employed in the development environment?
This will depend greatly on the organization, its culture, and any compliance regulations it must follow. Out of the box, RTC comes with process templates that use role-based permissions for what actions can be performed and what work items can be created. I would recommend trying these process templates on a project and seeing how they work rather than spending a lot of time trying to come up with a usage model that enforces a lot of security. These process templates can be easily tweaked as new usage scenarios emerge that have the wrong restrictions or permissions.
I would share the information from the engineering point of view. The idea of an optimized Application Lifecycle Management (ALM) program (let security be the main objective of the program) suggests that an adequate mix of ALM actions and domain policies needs to be selected and fine-tuned in order to improve the organization's ALM.
Choosing and implementing the best ALM concept in a given context is a difficult task. To the question “what ALM concept is best for us?”, there is no short and straightforward answer. The right answer to the question is determined by the context, with its complex interaction of technology, organizational and business context. Designing and implementing a good ALM concept will take time and effort. Many companies establish teams with members from different disciplines to accomplish this difficult task.
I agree with Carson's comment: follow the process template and learn from it first. For any further detail, from both positive and negative viewpoints, you can set the topic and discuss it with an expert at your local Rational User Group meeting.