Information Security Assessment Questionnaire

Question (QuestionType: AnswerChoices)

Please provide a description of your system (comment)

ICC 1 - Does your system rely on any vendors for storing/processing Nike data? (radiogroup: Yes|No|N/A)

CM 1 - Do you follow the Nike Global Technology Change Control process for changes to your system? (https://nike.ent.box.co (radiogroup: Yes|No)
CM 1 a - What types of changes are most common for your system? (Select all that apply) (checkbox: Normal|Emergency|Informational|Routine|Continuous Delivery|Pilot / Wave|Dark Deploy)
CM 2 e - Is consumer data stored/processed in your system? (radiogroup: Yes|No)
CM 4 - Does a non-production environment exist for this system? (radiogroup: Yes|No|N/A)
CM 4 a - What type(s) of environment(s)? (Select all that apply) (checkbox: Test|Development|Quality Assurance|Other)
CM 4 b - Is there a need for your organization to create new non-production environments on a regular or periodic basis? (radiogroup: Yes|No|N/A)
CM 4 c - Is there a formalized process for creating a non-production environment? (radiogroup: Yes|No)
CM 4 d - Please provide an explanation of the process for all of the non-production environments identified (comment)
CM 4 e - Do non-production environments use a copy of production data? (radiogroup: Yes|No)
CM 4 g - Do the non-production environments contain Personally Identifiable Information (PII)? (radiogroup: Yes|No)
CM 5 - Is there a formalized process for testing of changes? (radiogroup: Yes|No|N/A)
CM 5 a - Please provide an explanation of the process to include the types of tests performed (UAT, unit, integration, perform (comment)
CM 5 b - Are security tests created and executed (penetration test, code scans, etc.)? (radiogroup: Yes|No|N/A)
CM 6 - Are Nike Integration Pipelines (QMA & BMX) being used to move changes to production? (radiogroup: Yes|No|N/A)
CM 6 a - What integration pipelines are being used for your system? (Select all that apply) (checkbox: BMX Pipeline|Custom Pipeline|Other)
CM 6 b - Please provide an explanation as to how changes are moved to production, and how approvals are documented for t (comment)

SOD 1 - Do those with access to the development environments also have access to promote changes and/or create or edit produc (radiogroup: Yes|No|N/A)
SOD 1 a - Is there a monitoring process in place to ensure production code changes have been approved & authorized? (radiogroup: Yes|No)
SOD 1 b - Please provide an explanation of the monitoring process (comment)
SOD 2 - Do those with privileged access to create/edit user accounts also approve the creation/editing of user access? (radiogroup: Yes|No|N/A)
SOD 2 a - Is there a formalized process for reviewing user authorization SOD violations? (radiogroup: Yes|No)

IAM 1 - Where does your store of identities reside? (radiogroup: Internal to the application|Active Directory / SailPoint / ID Locker|Other)
IAM 2 - Have non-ETW contractors been granted access to your system (either as an end user or in a support capacity)? (radiogroup: Yes|No|N/A)
IAM 3 - Does your system integrate with OKTA? (radiogroup: Yes|No|N/A)
IAM 4 - Does your system permit you to define password parameters? (radiogroup: Yes|No|N/A)
IAM 5 - Is there a formalized process for adding new/transfer users to your system? (radiogroup: Yes|No|N/A)
IAM 5 a - Please provide an explanation of the process (comment)
IAM 5 b - Is there any difference in how FTEs and ETWs would request access to your system? (radiogroup: Yes|No)
IAM 5 c - What are the differences? (comment)
IAM 5 d - Is there a difference in how access is provisioned between the application and the application database? (radiogroup: Yes|No)
IAM 5 e - What are the differences? (comment)
IAM 5 f - Do you provision direct access to your database? (radiogroup: Yes|No|N/A)
IAM 5 i - If applicable, how does a vendor request access? Who approves the access and where is that documented? (comment)
IAM 6 - Is there a formalized process for terminating/removing users from your system (application and database)? (radiogroup: Yes|No|N/A)
IAM 6 a - Please provide an explanation of the process (comment)
IAM 6 b - Is there any difference in how an FTE, ETW, or Vendor would have their access removed? (radiogroup: Yes|No)
IAM 6 c - How soon after receiving a termination notification are user accounts disabled or deleted? (comment)
IAM 6 d - Is the termination process manual or automated? (radiogroup: Manual|Automated|Combination)
IAM 6 e - If it is automated/combination, what system of record is providing the termination data? (comment)
IAM 7 - What roles/users are defined as privileged users for your system? (comment)
IAM 7 a - Is there a formalized process for adding and removing privileged access to your system? (radiogroup: Yes|No|N/A)
IAM 7 b - Please provide an explanation of the process (comment)
IAM 7 c - What centralized system is used for documenting privileged access requests, approvals, and removals? (comment)
IAM 7 d - Please provide an explanation as to how you ensure that privileged access is restricted to only those who require it (comment)
IAM 7 e - How do you monitor privileged access to your system (e.g. periodic access reviews)? (comment)
IAM 8 - Is there a formalized process for performing a periodic access review of your system (application and database)? (radiogroup: Yes|No|N/A)
IAM 8 a - Please provide an explanation of the process (comment)
IAM 8 b - How is the access control list created, and how do you validate that the list is complete and accurate? (comment)
IAM 8 c - Who is responsible for performing the review of user access (user manager, role owner) to determine whether the c (comment)
IAM 8 d - What is the frequency of the review? (comment)
IAM 8 e - Where are the results of the review retained, and how are the results communicated? (comment)
IAM 8 f - How soon after the completion of the review are the identified access changes made? (comment)
IAM 8 g - How do you validate that the requested modifications are completed? (comment)

SEC 1 - Does your organization regularly engage the CIS Application Security Consulting (ASC) team for recommendations on h (radiogroup: Yes|No|N/A)
SEC 1 a - Did you document the recommendations made? (radiogroup: Yes|No)
SEC 1 c - Is there a process in place that monitors application configurations to verify they meet security standards? (radiogroup: Yes|No)
SEC 1 d - Does your system use generic accounts? (radiogroup: Yes|No|N/A)
SEC 1 e - Is a system/tool used to manage their use? (radiogroup: Yes|No)
SEC 1 f - What system are you using? (comment)
SEC 1 g - Does this system/tool also allow for the management of the account passwords? (radiogroup: Yes|No)
SEC 2 - Does your system have the capability to log security events per Nike guidance? (radiogroup: Yes|No)
SEC 2 a - Is security logging enabled? (radiogroup: Yes|No)
SEC 2 b - Does it meet Nike Information Security Program (NISP) ASLM-34 requirements (https://nisp.nike.com/aslm/aslm-34) (radiogroup: Yes|No)
SEC 2 d - Are your logs being directed to Devo or Splunk? (comment)
SEC 2 e - Who has the access to view/edit application logs? (comment)
SEC 3 - Has encryption been implemented to aid in securing data in your system? (radiogroup: Yes|No|N/A)
SEC 3 a - Does the encryption implemented meet Nike Information Security Program DP-07 Use of Encryption (https://nisp.nik (radiogroup: Yes|No)
SEC 3 c - Is there a formalized process for managing cryptographic keys? (radiogroup: Yes|No)
SEC 3 d - Please provide an explanation of the process (comment)
SEC 3 e - Is critical data (including PII data) encrypted at rest? If so, what protocol and/or algorithm is utilized? (comment)
SEC 3 f - Is data encrypted in transit between end user and system? If so, what protocol and/or algorithm is utilized? (comment)
SEC 3 g - Is data encrypted in transit between systems (system to system)? If so, what protocol and/or algorithm is utilized? (comment)
SEC 4 - Is there a formalized process for storing system files and source code for your system? (radiogroup: Yes|No|N/A)
SEC 4 a - Please provide an explanation of the process (comment)
SEC 4 b - Where are production libraries/source code stored, and who has access to it? (comment)
SEC 4 c - Does your system undergo security source code reviews? (radiogroup: Yes|No|N/A)
SEC 4 d - If any critical or high risk source code vulnerabilities were identified, have they been remediated? (radiogroup: Yes|No|N/A)
SEC 5 - Is there a formalized process for patching your system? (radiogroup: Yes|No|N/A)
SEC 5 a - Please provide an explanation of the process (comment)
SEC 5 b - Are patches tested prior to promotion to production? (radiogroup: Yes|No)
SEC 5 c - How long does it take for patches to be implemented after being released by vendors? (comment)
SEC 6 - Are you aware of a penetration test being performed on your system? (radiogroup: Yes|No|N/A)
SEC 6 a - If any critical or high risk vulnerabilities were identified, have they all been remediated? (comment)
SEC 6 b - Are vulnerability scans being performed on your system? (radiogroup: Yes|No|N/A)
SEC 6 c - Are the Nike approved vulnerability management agents (Crowdstrike & Rapid7) installed in your cloud environment (radiogroup: Yes|No|Don't Know|N/A)
SEC 6 d - Have you requested a vulnerabilities findings report from the CIS Vulnerability Management team within the past ye (radiogroup: Yes|No)
SEC 6 e - Were critical vulnerabilities remediated within 7 days? (radiogroup: Yes|No|N/A)
SEC 6 f - Were high/major rated vulnerabilities remediated within 30 days? (radiogroup: Yes|No|N/A)

OIT 1 - What is the highest level of Nike data your system processes/stores based on the Nike Data Classification (http://nisp.n (radiogroup: Highly Confidential|Restricted Use|Public)
OIT 1 a - Please list the Nike data elements your system processes/stores (comment)
OIT 1 b - Have you implemented all the Minimum Security Standards (http://nisp.nike.com/dc/#security-standards) based on (radiogroup: Yes|No)
OIT 1 c - Does your system process/store personally identifiable information (PII) of Nike consumers or employees? (radiogroup: Yes|No)
OIT 2 - Is your system hosted in a cloud environment (Nike or Vendor)? (radiogroup: Yes|No|N/A)
OIT 2 a - Is it a Nike or Vendor cloud environment? (radiogroup: Nike|Vendor)
OIT 2 b - What cloud group does it belong to (Waffle, Commons, Commerce, etc.)? (comment)
OIT 2 c - Do you receive DivvyCloud reports? (radiogroup: Yes|No)
OIT 2 d - Are you fixing the findings identified in those reports? (radiogroup: Yes|No)
OIT 2 e - Do you run your builds "as-code" or from the console? (comment)
OIT 2 f - What Vendor cloud environment are you using (AWS, Azure, Google Cloud, etc.)? (text)
OIT 3 - Is there a formalized process for monitoring backups and testing recoverability for your system? (radiogroup: Yes|No|N/A)
OIT 3 a - Please provide an explanation of the process(es) (comment)
OIT 3 b - How frequently is your system backed up? (comment)
OIT 3 c - What type of backup are you employing (Full, Incremental, etc.)? (comment)
OIT 4 - Are backups replicated to another site? (radiogroup: Yes|No)
OIT 4 a - What is the location of the backups replicated to the other site? (comment)
OIT 5 - Is there a formalized Technical Recovery Plan (TRP) for your system? (radiogroup: Yes|No|N/A)
OIT 5 a - Please provide a brief summary of the plan (comment)
OIT 5 b - How frequently is the plan reviewed, and who is responsible for approving the review and/or updates? (comment)
OIT 6 - Was the Technical Recovery Plan tested within the last year? (radiogroup: Yes|No)
OIT 6 - Were the results of the tests retained? If so, where are they retained? (comment)
OIT 6 b - If any issues/failures occurred during testing, have those issues/failures been resolved? (radiogroup: Yes|No|N/A)