The document contains questions about a system's technical and security practices, including questions about data storage, change management processes, non-production environments, user access management, logging and monitoring, encryption, backups, and disaster recovery testing. The system relies on vendors for storage and processing, has non-production environments, and stores consumer data. It has formalized processes for changes, user provisioning and removal, and backups.
Columns of the original sheet: IRM Question, Answer, QuestionType, AnswerChoices. Each line below gives one question followed by its question type and answer choices in square brackets.

ICC 1 - Does your system rely on any vendors for storage/processing Nike data? [radiogroup: Yes|No|N/A]
CM 1 - Do you follow the Nike Global Technology Change Control process for changes to your system? (https://nike ent box co [radiogroup: Yes|No]
CM 1 a - What types of changes are most common for your system? (Select all that apply) [checkbox: Normal|Emergency|Informational|Routine|Continuous Delivery|Pilot / Wave|Dark Deploy]
CM 2 e - Is consumer data stored/processed in your system? [radiogroup: Yes|No]
CM 4 - Does a non-production environment exist for this system? [radiogroup: Yes|No|N/A]
CM 4 a - What type(s) of environment(s)? (Select all that apply) [checkbox: Test|Development|Quality Assurance|Other]
CM 4 b - Is there a need for your organization to create new non-production environments on a regular or periodic basis? [radiogroup: Yes|No|N/A]
CM 4 c - Is there a formalized process for creating a non-production environment? [radiogroup: Yes|No]
CM 4 d - Please provide an explanation of the process for all of the non-production environments identified [comment]
CM 4 e - Do non-production environments use a copy of production data? [radiogroup: Yes|No]
CM 4 g - Do the non-production environments contain Personally Identifiable Information (PII)? [radiogroup: Yes|No]
CM 5 - Is there a formalized process for testing of changes? [radiogroup: Yes|No|N/A]
CM 5 a - Please provide an explanation of the process to include the types of tests performed (UAT, unit, integration, perform [comment]
CM 5 b - Are security tests created and executed (penetration test, code scans, etc.)? [radiogroup: Yes|No|N/A]
CM 6 - Are Nike Integration Pipelines (QMA & BMX) being used to move changes to production? [radiogroup: Yes|No|N/A]
CM 6 a - What integration pipelines are being used for your system? (Select all that apply) [checkbox: BMX Pipeline|Custom Pipeline|Other]
CM 6 b - Please provide an explanation as to how changes are moved to production, and how approvals are documented for t [comment]
SOD 1 - Do those with access to the development environments also have access to promote changes and/or create or edit produc [radiogroup: Yes|No|N/A]
SOD 1 a - Is there a monitoring process in place to ensure production code changes have been approved & authorized? [radiogroup: Yes|No]
SOD 1 b - Please provide an explanation of the monitoring process [comment]
SOD 2 - Do those with privileged access to create/edit user accounts also approve the creation/editing of user access? [radiogroup: Yes|No|N/A]
SOD 2 a - Is there a formalized process for reviewing user authorization SOD violations? [radiogroup: Yes|No]
IAM 1 - Where does your store of identities reside? [radiogroup: Internal to the application|Active Directory / SailPoint / ID Locker|Other]
IAM 2 - Have non-ETW contractors been granted access to your system (either as an end user or in a support capacity)? [radiogroup: Yes|No|N/A]
IAM 3 - Does your system integrate with OKTA? [radiogroup: Yes|No|N/A]
IAM 4 - Does your system permit you to define password parameters? [radiogroup: Yes|No|N/A]
IAM 5 - Is there a formalized process for adding new/transfer users to your system? [radiogroup: Yes|No|N/A]
IAM 5 a - Please provide an explanation of the process [comment]
IAM 5 b - Is there any difference in how FTEs and ETWs would request access to your system? [radiogroup: Yes|No]
IAM 5 c - What are the differences? [comment]
IAM 5 d - Is there a difference in how access is provisioned between the application and the application database? [radiogroup: Yes|No]
IAM 5 e - What are the differences? [comment]
IAM 5 f - Do you provision direct access to your database? [radiogroup: Yes|No|N/A]
IAM 5 i - If applicable, how does a vendor request access? Who approves the access and where is that documented? [comment]
IAM 6 - Is there a formalized process for terminating/removing users from your system (application and database)? [radiogroup: Yes|No|N/A]
IAM 6 a - Please provide an explanation of the process [comment]
IAM 6 b - Is there any difference in how an FTE, ETW, or Vendor would have their access removed? [radiogroup: Yes|No]
IAM 6 c - How soon after receiving a termination notification are user accounts disabled or deleted? [comment]
IAM 6 d - Is the termination process manual or automated? [radiogroup: Manual|Automated|Combination]
IAM 6 e - If it is automated/combination, what system of record is providing the termination data? [comment]
IAM 7 - What roles/users are defined as privileged users for your system? [comment]
IAM 7 a - Is there a formalized process for adding and removing privileged access to your system? [radiogroup: Yes|No|N/A]
IAM 7 b - Please provide an explanation of the process [comment]
IAM 7 c - What centralized system is used for documenting privileged access requests, approvals, and removals? [comment]
IAM 7 d - Please provide an explanation as to how you ensure that privileged access is restricted to only those who require it [comment]
IAM 7 e - How do you monitor privileged access to your system (e.g. periodic access reviews)? [comment]
IAM 8 - Is there a formalized process for performing a periodic access review of your system (application and database)? [radiogroup: Yes|No|N/A]
IAM 8 a - Please provide an explanation of the process [comment]
IAM 8 b - How is the access control list created, and how do you validate that the list is complete and accurate? [comment]
IAM 8 c - Who is responsible for performing the review of user access (user manager, role owner) to determine whether the c [comment]
IAM 8 d - What is the frequency of the review? [comment]
IAM 8 e - Where are the results of the review retained, and how are the results communicated? [comment]
IAM 8 f - How soon after the completion of the review are the identified access changes made? [comment]
IAM 8 g - How do you validate that the requested modifications are completed? [comment]
SEC 1 - Does your organization regularly engage the CIS Application Security Consulting (ASC) team for recommendations on h [radiogroup: Yes|No|N/A]
SEC 1 a - Did you document the recommendations made? [radiogroup: Yes|No]
SEC 1 c - Is there a process in place that monitors application configurations to verify they meet security standards? [radiogroup: Yes|No]
SEC 1 d - Does your system use generic accounts? [radiogroup: Yes|No|N/A]
SEC 1 e - Is a system/tool used to manage their use? [radiogroup: Yes|No]
SEC 1 f - What system are you using? [comment]
SEC 1 g - Does this system/tool also allow for the management of the account passwords? [radiogroup: Yes|No]
SEC 2 - Does your system have the capability to log security events per Nike guidance? [radiogroup: Yes|No]
SEC 2 a - Is security logging enabled? [radiogroup: Yes|No]
SEC 2 b - Does it meet Nike Information Security Program (NISP) ASLM-34 requirements (https://nisp.nike.com/aslm/aslm-34) [radiogroup: Yes|No]
SEC 2 d - Are your logs being directed to Devo or Splunk? [comment]
SEC 2 e - Who has access to view/edit application logs? [comment]
SEC 3 - Has encryption been implemented to aid in securing data in your system? [radiogroup: Yes|No|N/A]
SEC 3 a - Does the encryption implemented meet Nike Information Security Program DP-07 Use of Encryption (https://nisp nik [radiogroup: Yes|No]
SEC 3 c - Is there a formalized process for managing cryptographic keys? [radiogroup: Yes|No]
SEC 3 d - Please provide an explanation of the process [comment]
SEC 3 e - Is critical data (including PII data) encrypted at rest? If so, what protocol and/or algorithm is utilized? [comment]
SEC 3 f - Is data encrypted in transit between end user and system? If so, what protocol and/or algorithm is utilized? [comment]
SEC 3 g - Is data encrypted in transit between systems (system to system)? If so, what protocol and/or algorithm is utilized? [comment]
SEC 4 - Is there a formalized process for storing system files and source code for your system? [radiogroup: Yes|No|N/A]
SEC 4 a - Please provide an explanation of the process [comment]
SEC 4 b - Where are production libraries/source code stored, and who has access to it? [comment]
SEC 4 c - Does your system undergo security source code reviews? [radiogroup: Yes|No|N/A]
SEC 4 d - If any critical or high risk source code vulnerabilities were identified, have they been remediated? [radiogroup: Yes|No|N/A]
SEC 5 - Is there a formalized process for patching your system? [radiogroup: Yes|No|N/A]
SEC 5 a - Please provide an explanation of the process [comment]
SEC 5 b - Are patches tested prior to promotion to production? [radiogroup: Yes|No]
SEC 5 c - How long does it take for patches to be implemented after being released by vendors? [comment]
SEC 6 - Are you aware of a penetration test being performed on your system? [radiogroup: Yes|No|N/A]
SEC 6 a - If any critical or high risk vulnerabilities were identified, have they all been remediated? [comment]
SEC 6 b - Are vulnerability scans being performed on your system? [radiogroup: Yes|No|N/A]
SEC 6 c - Are the Nike approved vulnerability management agents (Crowdstrike & Rapid7) installed in your cloud environment [radiogroup: Yes|No|Don't Know|N/A]
SEC 6 d - Have you requested a vulnerabilities findings report from the CIS Vulnerability Management team within the past ye [radiogroup: Yes|No]
SEC 6 e - Were critical vulnerabilities remediated within 7 days? [radiogroup: Yes|No|N/A]
SEC 6 f - Were high/major rated vulnerabilities remediated within 30 days? [radiogroup: Yes|No|N/A]
OIT 1 - What is the highest level of Nike data your system processes/stores based on the Nike Data Classification (http://nisp n [radiogroup: Highly Confidential|Restricted Use|Public]
OIT 1 a - Please list the Nike data elements your system processes/stores [comment]
OIT 1 b - Have you implemented all the Minimum Security Standards (http://nisp.nike.com/dc/#security-standards) based on [radiogroup: Yes|No]
OIT 1 c - Does your system process/store personally identifiable information (PII) of Nike consumers or employees? [radiogroup: Yes|No]
OIT 2 - Is your system hosted in a cloud environment (Nike or Vendor)? [radiogroup: Yes|No|N/A]
OIT 2 a - Is it a Nike or Vendor cloud environment? [radiogroup: Nike|Vendor]
OIT 2 b - What cloud group does it belong to (Waffle, Commons, Commerce, etc.)? [comment]
OIT 2 c - Do you receive DivvyCloud reports? [radiogroup: Yes|No]
OIT 2 d - Are you fixing the findings identified in those reports? [radiogroup: Yes|No]
OIT 2 e - Do you run your builds "as-code" or from the console? [comment]
OIT 2 f - What Vendor cloud environment are you using (AWS, Azure, Google Cloud, etc.)? [text]
OIT 3 - Is there a formalized process for monitoring backups and testing recoverability for your system? [radiogroup: Yes|No|N/A]
OIT 3 a - Please provide an explanation of the process(es) [comment]
OIT 3 b - How frequently is your system backed up? [comment]
OIT 3 c - What type of backup are you employing (Full, Incremental, etc.)? [comment]
OIT 4 - Are backups replicated to another site? [radiogroup: Yes|No]
OIT 4 a - What is the location of backups replicated to the other site? [comment]
OIT 5 - Is there a formalized Technical Recovery Plan (TRP) for your system? [radiogroup: Yes|No|N/A]
OIT 5 a - Please provide a brief summary of the plan [comment]
OIT 5 b - How frequently is the plan reviewed, and who is responsible for approving the review and/or updates? [comment]
OIT 6 - Was the Technical Recovery Plan tested within the last year? [radiogroup: Yes|No]
OIT 6 - Were the results of the tests retained? If so, where are they retained? [comment]
OIT 6 b - If any issues/failures occurred during testing, have those issues/failures been resolved? [radiogroup: Yes|No|N/A]
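The evidence behind SEC 6 e and SEC 6 f is normally a list of scanner findings with a first-seen date and a remediation date. As an added example that is not part of the questionnaire or of any Nike tooling, the Python below turns such a list into the Yes/No/N/A answers the form expects and names the findings that breached. The Finding fields, the sample data and the reading of "7 days" / "30 days" as calendar days from first detection are assumptions; a real export (for example from Rapid7) would need to be mapped onto Finding first.

```python
"""Remediation-SLA check for SEC 6 e / SEC 6 f.

Added example, not part of the IRM questionnaire. The Finding fields, the
sample data and the calendar-day interpretation of the 7-day / 30-day
windows are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# SLA windows stated by SEC 6 e (critical) and SEC 6 f (high/major);
# assumed to be calendar days counted from the date the finding was first seen.
SLA_DAYS = {"critical": 7, "high": 30}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str               # "critical", "high", "medium", ...
    first_seen: date            # date the scanner first reported it
    remediated: Optional[date]  # None while the finding is still open


def days_open(finding: Finding, as_of: date) -> int:
    """Days the finding was open; an unremediated finding is measured up to as_of."""
    end = finding.remediated if finding.remediated is not None else as_of
    return (end - finding.first_seen).days


def sla_breaches(findings: List[Finding], as_of: date) -> List[Finding]:
    """Findings that stayed open longer than their severity's SLA window.

    A still-open finding counts as a breach as soon as it is older than the
    window, so it is flagged before the scanner ever marks it fixed.
    Severities with no SLA in SEC 6 (medium, low) are ignored."""
    breaches = []
    for f in findings:
        limit = SLA_DAYS.get(f.severity.lower())
        if limit is not None and days_open(f, as_of) > limit:
            breaches.append(f)
    return breaches


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Yes/No/N/A answers for SEC 6 e and SEC 6 f plus the finding IDs behind them."""
    breached = sla_breaches(findings, as_of)
    by_sev: Dict[str, List[str]] = {
        sev: [b.finding_id for b in breached if b.severity.lower() == sev]
        for sev in SLA_DAYS
    }
    seen = {f.severity.lower() for f in findings}

    def answer(sev: str) -> str:
        if sev not in seen:
            return "N/A"  # nothing of that severity was ever reported
        return "No" if by_sev[sev] else "Yes"

    return {
        "sec_6e_critical_within_7_days": answer("critical"),
        "sec_6f_high_within_30_days": answer("high"),
        "breaches": by_sev,
    }


# Constructed sample findings (not real scanner output).
AS_OF = date(2024, 3, 1)
SAMPLE = [
    Finding("VULN-001", "critical", date(2024, 2, 1), date(2024, 2, 5)),   # fixed in 4 days: within SLA
    Finding("VULN-002", "critical", date(2024, 2, 1), date(2024, 2, 15)),  # 14 days: breach
    Finding("VULN-003", "high", date(2024, 1, 20), date(2024, 2, 10)),     # 21 days: within SLA
    Finding("VULN-004", "high", date(2024, 1, 1), None),                   # open 60 days: breach
    Finding("VULN-005", "critical", date(2024, 2, 27), None),              # open 3 days: not yet a breach
    Finding("VULN-006", "medium", date(2023, 6, 1), None),                 # no SLA in SEC 6: ignored
]

if __name__ == "__main__":
    print(sla_report(SAMPLE, AS_OF))
```

Run against the sample, the report answers "No" to both SEC 6 e and SEC 6 f and lists VULN-002 and VULN-004 as the breaches; VULN-005 is still inside its window and VULN-006 has no SLA in SEC 6, so neither appears. Counting from first detection rather than from ticket creation is deliberate: the question asks how long the vulnerability existed, not how long the ticket did.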