Minimum Security Controls Annex

The following minimum security requirements are intended to serve as guidelines for the level of protection Nike expects for any Contractor information technology system that Handles Nike Data. These security requirements are based on generally accepted information security practices and information protection governance practices.

These security requirements apply to (1) all Contractor systems and networks, including Contractor Resource systems and networks, that are integrated with Nike systems and networks or are used to Handle Nike Data; and (2) Nike Data in any form.  Contractor represents and warrants that it has completed Nike’s vendor risk assessment process and will maintain all safeguards and controls identified by Contractor in the assessment and take any further steps required in Annex C.

1.       Policy and Procedures

1.1.     Contractor maintains an established lifecycle process for policy creation, maintenance, review, approval, and communication to relevant parties. These will include application and infrastructure development standards, security policy, data storage, incident management, and IT operations management.

1.2.     Contractor will implement and maintain policies and procedures for the definition and maintenance of baseline security configurations that are documented, approved, reviewed on an annual basis, and communicated to relevant Contractor Personnel.

1.3.     Contractor will implement and maintain an enterprise information security management system (“ISMS”) and security policy that defines: (a) segregated information security (“IS”) roles and responsibilities, (b) the role and importance of IS, (c) objectives of the policy, (d) employee and third-party security responsibilities, and (e) regulatory requirements including privacy and data security.  Contractor will ensure that such policy has been approved by the appropriate level of senior management and been communicated to relevant Contractor Personnel.

1.4.     Contractor will implement and maintain procedures for the generation, distribution, and storage of encryption keys that include: generation of strong keys, distribution using secure methods, secure storage of keys, periodically rotating keys (cryptoperiods), managing end of life, and retiring or replacing keys if suspected of compromise.

2.       Asset Management.  Contractor will implement and maintain policies and procedures around asset identification, classification, and management (from procurement to disposal) that are documented, implemented, and communicated to Contractor Personnel.

3.       Business Continuity and Disaster Recovery

3.1.     Contractor will implement and maintain policies and procedures for business continuity and disaster recovery that are documented, approved, reviewed on an annual basis, and communicated to Contractor Personnel.

3.2.     Contractor will ensure that critical systems are identified and documented, and procedures are in place to maintain operations in case of an adverse event.

3.3.     Contractor will implement and maintain: (a) backups that are automated and follow a predetermined and approved schedule; (b) alerts that are generated in case of backup job errors and are dispositioned in a timely manner; and (c) backup processes that are tested periodically to obtain assurance in the ability to recover in the event of system failure or data corruption.

4.       Change Management

4.1.     Contractor will implement and maintain an overarching change management policy that is documented, approved, reviewed on an annual basis, and communicated to Contractor Personnel. For every layer of the system (application, database, operating system, virtualization technologies, and microservices), the policy will define change types, approval requirements, and testing requirements.

4.2.     Contractor will apply system/application changes that follow an established change control process for review, approval, and testing before the changes are made to the production system.

4.3.     Contractor will ensure that emergency changes are requested, approved, and implemented, and that evidence of each is maintained, in alignment with the change management policy.

5.       Human Resource Security

5.1.     Contractor shall perform appropriate background screening, including criminal background checks, on all Contractor Personnel (to the extent permitted by applicable law) prior to allowing any Contractor Personnel to Handle Nike Data or access Nike computer networks, information systems, databases, secure applications, or non-public areas of a Nike facility.  Contractor shall ensure that no Contractor Personnel who has been convicted of a felony or certain repeated misdemeanors involving violence or harassment will provide services in non-public areas of a Nike facility.

5.2.     Contractor will ensure that all Contractor Personnel successfully complete adequate and appropriate privacy and information security training prior to Handling Nike Data, and Contractor Resources are required to regularly provide adequate and appropriate privacy and information security training to their personnel.

5.3.     All Contractor Personnel shall be required to keep Nike Data confidential and adhere to Contractor’s information security policies and procedures. Contractor shall provide (a) managerial oversight to require adherence to Contractor’s information security policies and procedures, and (b) a disciplinary process (including termination) for violations of Contractor’s information security policies and procedures.

6.       Information Security

6.1.     Contractor will ensure the security of its network, application (including databases), infrastructure, and platform.

6.2.     Contractor will ensure that at the application level, conflicting activities are segregated and reviewed periodically, including:

6.2.1.        Contractor conducts development in a development environment separate from the production environment,

6.2.2.        Application administration is separate from access rights administration,

6.2.3.        Database administration (and any other form of direct data update privilege) is separate from application administration, from security administration, and from Contractor Personnel providing development services, and

6.2.4.        The Contractor Personnel that approves access rights is separate from the person granting the access rights in the Contractor system.

6.3.     Contractor will perform comprehensive risk assessments on an annual basis for critical systems and networks, including application, database, database management system, operating system, supporting systems and related networks. Contractor will adjust processes or configurations in accordance with findings and Contractor will revisit findings periodically.

6.4.     Contractor will implement and maintain policies and procedures to assure that data is secured as appropriate to its level of sensitivity.

6.5.     Contractor will store system files and source code in a secure location with limited access.

6.6.     Contractor will ensure that application-, database-, and operating system-level information technology access requests are reviewed and approved by appropriate Contractor management.

6.7.     Contractor will ensure that when the status (terminated, transferred) of specific Contractor Personnel or a Contractor Resource has been changed, the system alerts Contractor management so that appropriate action can be taken.

6.8.     Contractor will ensure that when any Contractor Personnel’s or Contractor Resource’s job responsibilities no longer require access to the system (application, database, and operating system levels) their access is timely removed.

6.9.     Contractor will perform entitlement reviews utilizing a complete and accurate population of accounts regularly for both user accounts and system accounts.

6.10.  Contractor will implement and maintain perimeter security controls, and where applicable federated security controls, that meet industry standards for secure configuration consistent with the system architecture provided and/or used (including cloud storage or infrastructure) by Contractor.

6.11.  Contractor will implement and maintain best practices for the security of cloud resources, Software as a Service and web applications, consistent with industry standards and cloud provider recommendations.  Without limiting the generality of Contractor’s security obligations, if Nike provides minimum configuration management requirements for such resources, Contractor shall abide by such requirements.

6.12.  Contractor performs or outsources regular assessments of perimeter controls (e.g., social engineering, ethical hacking) consistent with the system architecture provided and/or used by Contractor including penetration testing on an annual basis and quarterly vulnerability scans.

6.13.  Contractor performs regular assessments and monitoring of system configurations including operating systems, databases, network devices and perimeter control systems (e.g. firewalls).

6.14.  Contractor will maintain antivirus and/or anti-malware software that is installed and up to date.

6.15.  Contractor information technology security administration monitors and logs security activity at the operating system, application and database levels. Identified security violations are reported to Contractor senior management.

6.16.  Contractor (or its Contractor Resource(s)) will implement and maintain physical and environmental security controls in buildings and data centers that Handle Nike Data, including the appropriate electronic systems to control access, security monitoring, and heat/smoke detection.

6.17.  Contractor will ensure the physical security of its facilities where paper files, servers, computing equipment, and backup systems are maintained.

6.18.  Contractor will protect against the loss or theft of a personal computer, laptop, desktop, or any other storage device, including mobile devices.

6.19.  Contractor will safeguard and Handle Nike Data in accordance with Applicable Rules.

6.20.  Contractor, where technically feasible and determined by business requirements, will implement and maintain role based access control that assigns privileges to Contractor Personnel based on job classification and function, and restricts access based on that person’s need to know.

6.21.  Contractor managed user, privileged, and service accounts will ensure that only Contractor Personnel are provided access to Nike Data and Contractor system components Handling Nike Data and are protected by best practices for password protection including: (i) minimum password lengths, (ii) lockout after invalid login attempts and idle session, (iii) lockout duration minimums, (iv) password re-use, and (v)  password complexity.

6.22.  Contractor will not utilize shared, generic or system generated IDs to provide privileged access or administer any system components.

6.23.  Contractor will not share passwords with anyone outside of the designated owner of the system ID or account.

6.24.  Contractor will require its IT support services to use appropriate steps to safeguard against social engineering to gain access to any Contractor Personnel’s account including identity verification for password resets or access troubleshooting.

6.25.  Contractor will protect remote connections by documenting allowed methods of remote access to Nike Data, establishing usage restrictions, monitoring for unauthorized remote access, using cryptography to protect the confidentiality and integrity of remote access sessions, and automatically disconnecting remote access sessions after a period of inactivity.

6.26.  Contractor, when using encryption, will use strong cryptography and security protocols based on National Institute of Standards and Technology (“NIST”) standards for encryption. Access to cryptographic keys shall be restricted to the fewest number of custodians necessary, and keys shall be securely stored in the fewest possible locations and forms. Cryptographic keys will be encrypted using a key-encrypting key that is stored separately from the data-encrypting key, and keys will be rotated in accordance with NIST best practices for cryptoperiods.

6.27.  Contractor shall ensure that all Nike Data is protected by industry-standard encryption or higher while at rest and in transit.  Unless required in order to provide the Services, Contractor will not unlock, reverse engineer, or otherwise expose hashed, encrypted, or anonymized Nike Data.

6.28.  Contractor will implement and maintain best practices for security logging on appropriate systems, devices and processes, including monitoring for suspicious and unauthorized activity, separation and protection of logs, and time-based correlation. Contractor will implement and maintain a process for timely review and installation of security software patches and updates for systems, devices, and applications.

6.29.  Contractor will implement and maintain a process for timely remediation of vulnerabilities identified in the course of business and vulnerability management activities.

6.30.  Contractor will safeguard Nike Data during transmission across open networks, including by using strong cryptography and security protocols to safeguard Nike Data during transmission over open, public networks, and industry best practices to implement strong encryption for authentication and transmission over wireless networks of Nike Data or connected to sensitive networks.

6.31.  Contractor shall implement and maintain policies and safeguards regarding the security of any devices on which Nike Data is stored or Handled, including laptops, mobile phones and storage media. Contractor shall not store Nike Data on any laptop, tablet, flash drive, mobile phone, or other such mobile device unless Contractor has obtained Nike’s written consent and the device is protected by industry-standard encryption.

6.32.  Contractor will implement and maintain authentication and access control mechanisms within media, applications, operating systems, and equipment including logging of all access and exfiltration, and retention of such access control logs for a period of no less than twelve months.

6.33.  Contractor will implement and maintain intrusion prevention and detection systems using network-based intrusion prevention and detection mechanisms.

6.34.  Contractor will ensure strict physical or logical segregation of Nike Data from non-Nike Data so that both types of information are not commingled on any one system.

7.       Project Management

7.1.     Contractor will implement and maintain a systems development lifecycle that includes secure software development, has been approved by management, and has been communicated to Contractor Personnel.

7.2.     Contractor shall utilize secure development practices in the design, development, maintenance, enhancement and decommissioning of (a) its own products and services, and (b) any services and deliverables for Nike. Such secure development practices will be consistent with industry standards such as the OWASP Top Ten, ISO 27002 and secure coding guidance provided by organizations such as the CERT Division of the Software Engineering Institute. Without limiting the generality of the foregoing, such secure development practices include: (1) segregation of security roles and responsibilities; (2) segregation of development, test and production environments; (3) security testing in test environments prior to deployment to production environments; (4) prohibitions on the use of sensitive data and Nike Data in test environments; (5) developing a secure development policy; (6) developing a secure development methodology and language-specific secure coding guidelines; (7) implementing formal change control processes that include security testing and verification; (8) secure development training for developers; and (9) considering the sensitivity of data or systems.

7.3.     Contractor will implement and maintain appropriate quality assurance, user acceptance testing, and secure application code reviews.

8.       Incident Response

8.1.     Contractor will implement and maintain established incident response policies and procedures that cover detection, containment, recovery, escalation, and notification processes.

8.2.     Contractor periodically tests incident response activities, including with pertinent Contractor Resources (e.g., cloud providers).

9.       Contractor Management.

9.1.     Contractor will perform reasonable diligence on the security practices of Contractor Resources prior to engagement and maintain contracts with Contractor Resources that include provisions governing the responsibility of the subcontractor to protect and secure Nike Data in accordance with this Agreement and Applicable Rules.

9.2.     In the event Contractor utilizes a third-party cloud provider to provide the Services, such third-party cloud provider will be deemed a Contractor Resource.  Contractor acknowledges and agrees that the utilization of third-party cloud providers implies a shared security responsibility between Contractor and the third-party cloud provider. Contractor shall meet or exceed all security best practices recommended by the cloud provider, and apply the above minimum requirements to the Nike Data stored in that cloud environment.
