Minimum Security Controls Annex

The following minimum security requirements are intended to serve as guidelines for the level of protection Nike expects for any Contractor information technology system that Handles Nike Data. These security requirements are based on generally accepted information security practices and information protection governance practices.

These security requirements apply to (1) all Contractor systems and networks, including Contractor Resource systems and networks, that are integrated with Nike systems and networks or are used to Handle Nike Data; and (2) Nike Data in any form.  Contractor represents and warrants that it has completed Nike’s vendor risk assessment process and will maintain all safeguards and controls identified by Contractor in the assessment and take any further steps required in Annex C.

1.       Policy and Procedures

1.1.     Contractor maintains an established lifecycle process for policy creation, maintenance, review, approval, and communication to relevant parties. These will include application and infrastructure development standards, security policy, data storage, incident management, and IT operations management.

1.2.     Contractor will implement and maintain policies and procedures for the definition and maintenance of baseline security configurations that are documented, approved, reviewed on an annual basis, and communicated to relevant Contractor Personnel.

1.3.     Contractor will implement and maintain an enterprise information security management system (“ISMS”) and security policy that defines: (a) segregated information security (“IS”) roles and responsibilities, (b) the role and importance of IS, (c) objectives of the policy, (d) employee and third-party security responsibilities, and (e) regulatory requirements including privacy and data security.  Contractor will ensure that such policy has been approved by the appropriate level of senior management and been communicated to relevant Contractor Personnel.

1.4.     Contractor will implement and maintain procedures for the generation, distribution, and storage of encryption keys that include: generation of strong keys, distribution using secure methods, secure storage of keys, periodically rotating keys (cryptoperiods), managing end of life, and retiring or replacing keys if suspected of compromise.

2.       Asset Management.  Contractor will implement and maintain policies and procedures around asset identification, classification, and management (from procurement to disposal) that are documented, implemented, and communicated to Contractor Personnel.

3.       Business Continuity and Disaster Recovery

3.1.     Contractor will implement and maintain policies and procedures for business continuity and disaster recovery that are documented, approved, reviewed on an annual basis, and communicated to Contractor Personnel.

3.2.     Contractor will ensure that critical systems are identified and documented, and procedures are in place to maintain operations in case of an adverse event.

3.3.     Contractor will implement and maintain: (a) backups that are automated and follow a predetermined and approved schedule; (b) alerts that are generated in case of backup job errors and are dispositioned in a timely manner; and (c) backup processes that are tested periodically to obtain assurance in the ability to recover in the event of system failure or data corruption.

4.       Change Management

4.1.     Contractor will implement and maintain an overarching change management policy that is documented, approved, reviewed on an annual basis, and communicated to Contractor Personnel. For every layer of the system (application, database, operating system, virtualization technologies, and microservices), the policy will define change types, approval requirements, and testing requirements.

4.2.     Contractor will apply system/application changes that follow an established change control process for review, approval, and testing before the changes are made to the production system.

4.3.     Contractor will ensure that emergency changes are requested, approved, and implemented, and that evidence of each is maintained, in alignment with the change management policy.

5.       Human Resource Security

5.1.     Contractor shall perform appropriate background screening, including criminal background checks, on all Contractor Personnel (to the extent permitted by applicable law) prior to allowing any Contractor Personnel to Handle Nike Data or access Nike computer networks, information systems, databases, secure applications, or non-public areas of a Nike facility.  Contractor shall ensure that no Contractor Personnel who has been convicted of a felony or certain repeated misdemeanors involving violence or harassment will provide services in non-public areas of a Nike facility.

5.2.     Contractor will ensure that all Contractor Personnel successfully complete adequate and appropriate privacy and information security training prior to Handling Nike Data, and that Contractor Resources regularly provide adequate and appropriate privacy and information security training to their personnel.

5.3.     All Contractor Personnel shall be required to keep Nike Data confidential and adhere to Contractor’s information security policies and procedures. Contractor shall provide (a) managerial oversight to require adherence to Contractor’s information security policies and procedures, and (b) a disciplinary process (including termination) for violations of Contractor’s information security policies and procedures.

6.       Information Security

6.1.     Contractor will ensure the security of its network, application (including databases), infrastructure, and platform.

6.2.     Contractor will ensure that at the application level, conflicting activities are segregated and reviewed periodically, including:

6.2.1.        Contractor conducts development in a development environment separate from the production environment,

6.2.2.        Application administration is separate from access rights administration,

6.2.3.        Database administration (and any other form of direct data update privilege) is separate from application administration, from security administration, and from Contractor Personnel providing development services, and

6.2.4.        The Contractor Personnel that approves access rights is separate from the person granting the access rights in the Contractor system.

6.3.     Contractor will perform comprehensive risk assessments on an annual basis for critical systems and networks, including application, database, database management system, operating system, supporting systems and related networks. Contractor will adjust processes or configurations in accordance with findings and Contractor will revisit findings periodically.

6.4.     Contractor will implement and maintain policies and procedures to assure that data is secured as appropriate to its level of sensitivity.

6.5.     Contractor will store system files and source code in a secure location with limited access.

6.6.     Contractor will ensure that application-, database-, and operating system-level information technology access requests are reviewed and approved by appropriate Contractor management.

6.7.     Contractor will ensure that when the status (terminated, transferred) of specific Contractor Personnel or a Contractor Resource has been changed, the system alerts Contractor management so that appropriate action can be taken.

6.8.     Contractor will ensure that when any Contractor Personnel’s or Contractor Resource’s job responsibilities no longer require access to the system (application, database, and operating system levels) their access is timely removed.

6.9.     Contractor will perform entitlement reviews utilizing a complete and accurate population of accounts regularly for both user accounts and system accounts.

6.10.  Contractor will implement and maintain perimeter security controls, and where applicable federated security controls, that meet industry standards for secure configuration consistent with the system architecture provided and/or used (including cloud storage or infrastructure) by Contractor.

6.11.  Contractor will implement and maintain best practices for the security of cloud resources, Software as a Service, and web applications, consistent with industry standards and cloud provider recommendations.  Without limiting the generality of Contractor’s security obligations, if Nike provides minimum configuration management requirements for such resources, Contractor shall abide by such requirements.

6.12.  Contractor performs or outsources regular assessments of perimeter controls (e.g., social engineering, ethical hacking) consistent with the system architecture provided and/or used by Contractor including penetration testing on an annual basis and quarterly vulnerability scans.

6.13.  Contractor performs regular assessments and monitoring of system configurations including operating systems, databases, network devices and perimeter control systems (e.g. firewalls).

6.14.  Contractor will maintain antivirus and/or anti-malware software that is installed and up to date.

6.15.  Contractor information technology security administration monitors and logs security activity at the operating system, application and database levels. Identified security violations are reported to Contractor senior management.

6.16.  Contractor (or its Contractor Resource(s)) will implement and maintain physical and environmental security controls in buildings and data centers that Handle Nike Data, including the appropriate electronic systems to control access, security monitoring, and heat/smoke detection.

6.17.  Contractor will ensure the physical security of its facilities where paper files, servers, computing equipment, and backup systems are maintained.

6.18.  Contractor will protect against the loss or theft of a personal computer, laptop, desktop, or any other storage device, including mobile devices.

6.19.  Contractor will safeguard and Handle Nike Data in accordance with Applicable Rules.

6.20.  Contractor, where technically feasible and determined by business requirements, will implement and maintain role based access control that assigns privileges to Contractor Personnel based on job classification and function, and restricts access based on that person’s need to know.

6.21.  Contractor will ensure that Contractor-managed user, privileged, and service accounts provide access to Nike Data, and to Contractor system components Handling Nike Data, only to Contractor Personnel, and that such accounts are protected by best practices for password protection, including: (i) minimum password lengths, (ii) lockout after invalid login attempts and after idle sessions, (iii) minimum lockout durations, (iv) restrictions on password re-use, and (v) password complexity.

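Clause 6.21 names the five account controls but sets no values for them. As an added illustration, not part of the Annex and not Nike's or any Contractor's code, the following Go program (standard library only) shows how the five items and the idle-session lockout also required by 6.25 fit together in one account store. The policy numbers used in it are this example's assumptions, and salted SHA-256 stands in for the memory-hard password hash a real deployment would use.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy holds the parameters clause 6.21 lists but does not quantify; any values are
// the deployment's choice, and those used in this example are assumptions.
type Policy struct {
	MinLength       int           // (i) minimum password length
	MinClasses      int           // (v) classes required, of upper/lower/digit/symbol
	HistoryDepth    int           // (iv) recent passwords (current included) that may not be reused
	MaxFailures     int           // (ii) invalid attempts before lockout
	LockoutDuration time.Duration // (iii) minimum lockout duration
	IdleTimeout     time.Duration // (ii) idle time after which the session is locked
}

var (
	ErrLocked      = errors.New("account locked")
	ErrBadPassword = errors.New("invalid credentials")
	ErrReused      = errors.New("password used recently")
	ErrIdle        = errors.New("session idle too long; re-authenticate")
)
// Account is the per-user state a credential store would persist.
type Account struct {
	salt, hash                []byte
	history                   [][]byte // hashes of previous passwords, newest first
	failures                  int
	lockedUntil, lastActivity time.Time
}
// hashPassword stands in for a real password hash: production code must use a memory-hard
// KDF (argon2id or bcrypt from golang.org/x/crypto); salted SHA-256 is a stdlib-only stand-in.
func hashPassword(salt []byte, pw string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return sum[:]
}
// CheckComplexity enforces the length and character-class rules.
func CheckComplexity(p Policy, pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return fmt.Errorf("password must be at least %d characters", p.MinLength)
	}
	classes := 0
	for _, has := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit,
		func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }} {
		if strings.IndexFunc(pw, has) >= 0 { classes++ }
	}
	if classes < p.MinClasses {
		return fmt.Errorf("password must use at least %d of upper/lower/digit/symbol", p.MinClasses)
	}
	return nil
}
// NewAccount creates an account with a random per-user salt and an initial password.
func NewAccount(p Policy, pw string) (*Account, error) {
	a := &Account{salt: make([]byte, 16)}
	if _, err := rand.Read(a.salt); err != nil { return nil, err }
	if err := a.SetPassword(p, pw); err != nil { return nil, err }
	return a, nil
}
// SetPassword rejects weak passwords and any of the last HistoryDepth passwords.
func (a *Account) SetPassword(p Policy, pw string) error {
	if err := CheckComplexity(p, pw); err != nil { return err }
	h := hashPassword(a.salt, pw)
	if a.hash != nil && bytes.Equal(h, a.hash) { return ErrReused }
	for i, old := range a.history {
		if i+1 >= p.HistoryDepth { break }
		if bytes.Equal(h, old) { return ErrReused }
	}
	if a.hash != nil { a.history = append([][]byte{a.hash}, a.history...) }
	a.hash = h
	return nil
}
// Login checks the password, counts failures and enforces the minimum lockout duration.
// The clock is passed in so the logic is deterministic and testable.
func (a *Account) Login(p Policy, pw string, now time.Time) error {
	if now.Before(a.lockedUntil) { return ErrLocked }
	if subtle.ConstantTimeCompare(hashPassword(a.salt, pw), a.hash) != 1 {
		if a.failures++; a.failures >= p.MaxFailures {
			a.failures, a.lockedUntil = 0, now.Add(p.LockoutDuration)
			return ErrLocked
		}
		return ErrBadPassword
	}
	a.failures, a.lastActivity = 0, now
	return nil
}
// Touch runs on each request of an authenticated session; a session idle longer than
// IdleTimeout is locked and must re-authenticate.
func (a *Account) Touch(p Policy, now time.Time) error {
	if now.Sub(a.lastActivity) > p.IdleTimeout { return ErrIdle }
	a.lastActivity = now
	return nil
}
```

Two design points worth noting: the failure counter is reset when the lockout starts, so that the minimum lockout duration, not the counter, governs how soon another attempt can be made; and the history check compares hashes under the account's fixed salt, which is what makes "no re-use of the last N passwords" checkable without keeping plaintext.
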
6.22.  Contractor will not utilize shared, generic or system generated IDs to provide privileged access or administer any system components.

6.23.  Contractor will not share passwords with anyone outside of the designated owner of the system ID or account.

6.24.  Contractor will require its IT support services to take appropriate steps to safeguard against social engineering aimed at gaining access to any Contractor Personnel’s account, including identity verification for password resets and access troubleshooting.

6.25.  Contractor will protect remote connections by documenting allowed methods of remote access to Nike Data, establishing usage restrictions, monitoring for unauthorized remote access, using cryptography to protect the confidentiality and integrity of remote access sessions, and automatically disconnecting remote access sessions after a period of inactivity.

6.26.  Contractor, when using encryption, will use strong cryptography and security protocols based on National Institute of Standards and Technology (“NIST”) standards for encryption. Access to cryptographic keys shall be restricted to the fewest custodians necessary, and keys shall be securely stored in the fewest possible locations and forms. Cryptographic keys will be encrypted using a key-encrypting key that is stored separately from the data-encrypting key, and keys will be rotated in accordance with NIST best practices for cryptoperiods.

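The key-wrapping sentence of 6.26, read together with the key lifecycle in 1.4 (strong generation, secure storage, rotation on a cryptoperiod, retirement on suspected compromise), describes envelope encryption. As an added illustration, not part of the Annex and not Nike's or any Contractor's code, the following Go program (standard library only, AES-256-GCM) shows the pattern end to end: a per-record data-encrypting key (DEK) is wrapped under a versioned key-encrypting key (KEK) that lives in a separate custodian, rotating the KEK re-wraps only the small DEK blob, and retiring a KEK version makes anything still wrapped under it unreadable. The in-memory `KEKStore` is this example's stand-in for an HSM or cloud KMS, and all names in it are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DEK and KEK are both AES-256 keys drawn from the OS CSPRNG (clause 1.4: strong key generation).
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts with AES-256-GCM under a fresh random nonce (prepended to the output);
// open reverses it, and any change to nonce, ciphertext or aad fails authentication.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Record is what the application persists next to the data: the ciphertext and the
// DEK wrapped under a numbered KEK version. No KEK is ever stored here.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KEKStore stands in for the separate key custodian (an HSM or KMS in a real
// deployment); keeping it apart from Record is the "stored separately" requirement.
type KEKStore struct {
	current int
	keks    map[int][]byte
}
func NewKEKStore() (*KEKStore, error) {
	k, err := newKey()
	return &KEKStore{current: 1, keks: map[int][]byte{1: k}}, err
}
// The KEK version is bound into the AAD so a wrapped DEK cannot be relabelled.
func versionAAD(v int) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

// Encrypt: fresh DEK per record, data sealed under the DEK, DEK sealed under the
// current KEK. The plaintext DEK goes out of scope as soon as it has been wrapped.
func (s *KEKStore) Encrypt(plaintext []byte) (*Record, error) {
	dek, err := newKey()
	if err != nil { return nil, err }
	ct, err := seal(dek, plaintext, nil)
	if err != nil { return nil, err }
	wrapped, err := seal(s.keks[s.current], dek, versionAAD(s.current))
	if err != nil { return nil, err }
	return &Record{KEKVersion: s.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}
func (s *KEKStore) unwrap(r *Record) ([]byte, error) {
	kek, ok := s.keks[r.KEKVersion]
	if !ok { return nil, fmt.Errorf("KEK version %d is retired or unknown", r.KEKVersion) }
	return open(kek, r.WrappedDEK, versionAAD(r.KEKVersion))
}
func (s *KEKStore) Decrypt(r *Record) ([]byte, error) {
	dek, err := s.unwrap(r)
	if err != nil { return nil, err }
	return open(dek, r.Ciphertext, nil)
}

// RotateKEK starts a new KEK version at the end of a cryptoperiod and re-wraps each
// record's DEK under it. Only WrappedDEK changes; the data ciphertext is untouched.
func (s *KEKStore) RotateKEK(records []*Record) error {
	k, err := newKey()
	if err != nil { return err }
	next := s.current + 1
	s.keks[next] = k
	for _, r := range records {
		dek, err := s.unwrap(r)
		if err != nil { return err }
		if r.WrappedDEK, err = seal(k, dek, versionAAD(next)); err != nil { return err }
		r.KEKVersion = next
	}
	s.current = next
	return nil
}
// RetireKEK zeroes and drops a KEK version (end of life or suspected compromise);
// records still wrapped under it become unreadable, so rotate before retiring.
func (s *KEKStore) RetireKEK(v int) {
	for i := range s.keks[v] { s.keks[v][i] = 0 }
	delete(s.keks, v)
}
```

The point the clause is driving at shows up in `RotateKEK`: because only the wrapped DEK is re-encrypted, a KEK can be rotated on a cryptoperiod, or replaced on suspicion of compromise, without re-encrypting the data itself, and an attacker who obtains the data store alone holds only ciphertext plus DEKs they cannot unwrap.
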
6.27.  Contractor shall ensure that all Nike Data is protected by industry-standard encryption or higher while at rest and in transit.  Unless required in order to provide the Services, Contractor will not unlock, reverse engineer, or otherwise expose hashed, encrypted, or anonymized Nike Data.

6.28.  Contractor will implement and maintain best practices for security logging on appropriate systems, devices and processes, including monitoring for suspicious and unauthorized activity, separation and protection of logs, and time-based correlation. Contractor will implement and maintain a process for timely review and installation of security software patches and updates for systems, devices, and applications.

6.29.  Contractor will implement and maintain a process for timely remediation of vulnerabilities identified in the course of business and vulnerability management activities.

6.30.  Contractor will safeguard Nike Data during transmission across open networks, including by using strong cryptography and security protocols to safeguard Nike Data during transmission over open, public networks, and by following industry best practices to implement strong encryption for authentication and transmission over wireless networks that carry Nike Data or connect to sensitive networks.

6.31.  Contractor shall implement and maintain policies and safeguards regarding the security of any devices on which Nike Data is stored or Handled, including laptops, mobile phones and storage media. Contractor shall not store Nike Data on any laptop, tablet, flash drive, mobile phone, or other such mobile device unless Contractor has obtained Nike’s written consent and the device is protected by industry-standard encryption.

6.32.  Contractor will implement and maintain authentication and access control mechanisms within media, applications, operating systems, and equipment including logging of all access and exfiltration, and retention of such access control logs for a period of no less than twelve months.

6.33.  Contractor will implement and maintain intrusion prevention and detection systems using network-based intrusion prevention and detection mechanisms.

6.34.  Contractor will ensure strict physical or logical segregation of Nike Data from non-Nike Data so that both types of information are not commingled on any one system.

7.       Project Management

7.1.     Contractor will implement and maintain a systems development lifecycle that includes secure software development, has been approved by management, and has been communicated to Contractor Personnel.

7.2.     Contractor shall utilize secure development practices in the design, development, maintenance, enhancement and decommissioning of (a) its own products and services, and (b) any services and deliverables for Nike. Such secure development practices will be consistent with industry standards such as the OWASP Top Ten, ISO 27002, and secure coding guidance provided by organizations such as the CERT Division of the Software Engineering Institute. Without limiting the generality of the foregoing, such secure development practices include: (1) segregation of security roles and responsibilities; (2) segregation of development, test and production environments; (3) security testing in test environments prior to deployment to production environments; (4) prohibitions on the use of sensitive data and Nike Data in test environments; (5) developing a secure development policy; (6) developing a secure development methodology and language-specific secure coding guidelines; (7) implementing formal change control processes that include security testing and verification; (8) secure development training for developers; and (9) considering the sensitivity of data or systems.

7.3.     Contractor will implement and maintain appropriate quality assurance, user acceptance testing, and secure application code reviews.

8.       Incident Response

8.1.     Contractor will implement and maintain established incident response policies and procedures that cover detection, containment, recovery, escalation, and notification processes.

8.2.     Contractor periodically tests incident response activities, including with pertinent Contractor Resources (e.g., cloud providers).

9.       Contractor Management

9.1.     Contractor will perform reasonable diligence on the security practices of Contractor Resources prior to engagement and maintain contracts with Contractor Resources that include provisions governing the responsibility of the subcontractor to protect and secure Nike Data in accordance with this Agreement and Applicable Rules.

9.2.     In the event Contractor utilizes a third-party cloud provider to provide the Services, such third-party cloud provider will be deemed a Contractor Resource.  Contractor acknowledges and agrees that the utilization of third-party cloud providers implies a shared security responsibility between Contractor and the third-party cloud provider. Contractor shall meet or exceed all security best practices recommended by the cloud provider, and apply the above minimum requirements to the Nike Data stored in that cloud environment.
