Table of Contents
1 Summary
2 Access Control
2.0 Scope
2.1 Access Authorizations
2.2 Database access
2.3 Allocation of user accounts
2.4 Unique accounts
2.5 No group, shared, or generic accounts
2.6 Administrative accounts
2.7 Need to know
2.8 Role re-evaluation
2.9 Role review process
2.10 Inactive accounts
2.11 Account Termination
2.12 Allocation of password
2.13 Password changes and resets
2.14 New or replacement password
2.15 Initial passwords
2.16 Initial passwords communications channel
2.17 Password compromise
2.18 Password first-use
2.19 Password duration
2.20 Password attempts and lockout
2.21 Password history
2.22 Inactive sessions
2.23 Password complexity and length
2.24 Encryption
2.25 Non-adidas accounts
2.26 Remember Password
2.27 Two-factor authentication
2.28 Remote service access
3 Further Information
3.1 Change History
4 References
1 Summary
This policy addresses the requirements for access control to information systems. It
focuses on preventing unauthorised access and on granting authorised access in
accordance with the requirements of the business.
2 Access Control
2.0 Scope
This document applies to all IT systems and to all individuals granted access to IT
resources. IT systems include all communication network components, business
application systems and any computing system provided to users for the purpose of
carrying out the tasks of their assigned roles.
2.1 Access Authorizations
Rationale
Authentication ensures that an individual is who he or she claims to be, so that only
legitimate access to adidas-Group GIT information systems is possible.
2.2 Database access
Rationale
Without user authentication the potential for unauthorised or malicious access increases.
In addition, database access should be granted through programmatic methods only (for
example, through stored procedures), so that a caller can perform only the operations
those procedures expose rather than arbitrary queries against the underlying tables.
2.3 Allocation of user accounts
Rationale
The adidas-Group IT information systems often contain non-public information that
requires protection. Access to these systems must be controlled on a 'need to know'
basis.
2.4 Unique accounts
Rationale
To resolve incidents quickly it must be possible to tell which user performed which
action. Reusing a username risks the new holder inheriting roles and records that
belonged to the previous holder of that name.
2.5 No group, shared, or generic accounts
Rationale
Generic accounts are widely known and are easily misused by malicious users. Group or
shared accounts make it difficult to determine who performed an action.
2.6 Administrative accounts
Rationale
Accounts with elevated privileges, such as the "administrator" or "root" account, can
greatly affect the security or operational functionality of a system. Using a separate
account for administrative work prevents the user from exercising administrative rights
by accident during everyday tasks.
2.7 Need to know
Rationale
Without a mechanism to restrict access based on a user's business responsibilities, users
may unknowingly be granted access to data they are not authorised to view.
2.8 Role re-evaluation
Rationale
It is important to check regularly whether the existing account and role management
process is working properly and to correct any findings.
2.9 Role review process
Rationale
When changes occur in the organisation or in individual responsibilities, accounts may
accumulate more access rights than required. Role changes must be notified promptly and
must trigger an update of the affected accounts.
2.10 Inactive accounts
Rationale
Inactive accounts allow an unauthorised user to exploit the unused account and
potentially gain access to non-public data.
2.11 Account Termination
Rationale
User accounts that are no longer needed must be terminated promptly, because they can
be easily misused.
2.12 Allocation of password
Rationale
Passwords help ensure that people cannot access systems or applications unless they
have been authorised to do so. Strong passwords make guessing attacks impractical.
2.13 Password changes and resets
Rationale
Delegating password resets to another person could result in that person knowing
another user's account name and password, which they could use to gain access to that
user's systems.
2.14 New or replacement password
Rationale
Many malicious individuals use "social engineering" (e.g. calling a help desk and posing as
a legitimate user) to have a password changed so that they can use the user's account.
2.15 Initial passwords
Rationale
If the same password is used for every new user set-up, an internal user, former
employee or malicious individual may know or easily discover this password and use it to
gain access to newly created accounts.
2.16 Initial passwords communications channel
Rationale
This ensures that initial passwords reach only the intended person.
2.17 Password compromise
Rationale
If a password is shared, the account could be used by others in the user's absence,
resulting in unauthorised account access and/or account misuse. Timely notification of a
suspected compromise ensures that a proper response can be initiated to revoke the
password and protect the system.
2.18 Password first-use
Rationale
If the same password is used multiple times, a malicious individual may know or easily
discover this password and use it to gain access to accounts.
2.19 Password duration
Rationale
The longer a password remains in use, the more it is at risk of being disclosed or discovered.
2.20 Password attempts and lockout
Rationale
If an account is locked out because someone repeatedly tries to guess its password,
controls that delay reactivation of the locked account stop the malicious individual from
simply continuing to guess once the lock expires.
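The following is an added example, not part of the adidas-Group policy, showing one way to implement the control this rationale describes: an account locks after a number of consecutive failures, the lock cannot be shortened by further attempts, and each successive lockout lasts twice as long. The threshold (5 failures), base delay (60 s) and cap (1 h) are assumptions chosen for illustration; the policy does not prescribe them.

```python
"""Login lockout with a reactivation delay that grows on repeat offences.

Added example; it is not part of the adidas-Group policy and the policy
does not prescribe these numbers. Threshold, base delay and cap are
assumptions chosen for illustration.
"""

MAX_FAILURES = 5         # consecutive failures allowed before locking (assumed)
BASE_LOCK_SECONDS = 60   # length of the first lockout (assumed)
MAX_LOCK_SECONDS = 3600  # cap on the delay so it cannot grow without bound (assumed)


class AccountState:
    def __init__(self):
        self.failures = 0        # consecutive failed attempts since the last success
        self.lockouts = 0        # how many times this account has been locked
        self.locked_until = 0.0  # clock value at which the current lock expires


class LockoutPolicy:
    def __init__(self, now):
        self._now = now          # clock function, injected so tests can control time
        self._accounts = {}      # user -> AccountState

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._now() < self._state(user).locked_until

    def seconds_until_unlock(self, user):
        return max(0.0, self._state(user).locked_until - self._now())

    def record_failure(self, user):
        """Count a failed attempt. Returns True when the account is (now) locked."""
        st = self._state(user)
        if self.is_locked(user):
            # Attempts made during a lock neither extend nor shorten it; they
            # are simply refused, so the guesser gains nothing by retrying.
            return True
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.lockouts += 1
            # Double the delay on each successive lockout: 60 s, 120 s, 240 s, ...
            delay = min(BASE_LOCK_SECONDS * 2 ** (st.lockouts - 1), MAX_LOCK_SECONDS)
            st.locked_until = self._now() + delay
            st.failures = 0
            return True
        return False

    def record_success(self, user):
        """A correct login clears the failure counter but keeps the lockout
        count, so an account that is repeatedly attacked locks for longer."""
        self._state(user).failures = 0


def attempt_login(policy, user, password_ok):
    """Gate a login attempt. Returns "locked", "denied" or "ok".

    The lock is checked before the credential result is consulted, so a
    locked account is refused even when the supplied password is correct.
    """
    if policy.is_locked(user):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "ok"
    return "locked" if policy.record_failure(user) else "denied"
```

The clock is passed in rather than read from `time.time()` so that the lockout schedule can be exercised deterministically; in production, pass `time.time`. Note that refusing a correct password while locked is deliberate: it is what stops an attacker who has finally guessed right from walking in before the delay has run.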
2.21 Password history
Rationale
If passwords are reused, they are more at risk of being disclosed or discovered.
2.22 Inactive sessions
Rationale
When users walk away from an open machine with access to critical network or
non-public data, that machine may be used by others in the user's absence, resulting in
unauthorised account access and/or account misuse.
2.23 Password complexity and length
Rationale
If passwords are short, a malicious individual can easily compromise weak accounts and
gain access to systems under the guise of a valid user account.
2.24 Encryption
All passwords must be encrypted using strong cryptography during transmission and
storage on all systems.
Rationale
A malicious individual can easily intercept an unencrypted password during transmission,
or directly read user IDs and unencrypted passwords from the files in which they are
stored, and use this stolen data to gain unauthorised access. For stored passwords,
"strong cryptography" in practice means a salted, deliberately slow one-way hash rather
than reversible encryption, so that a copy of the credential store cannot be turned back
into passwords; for transmission it means a protected channel such as TLS.
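The following is an added example, not part of the adidas-Group policy, that shows the storage side of 2.24 together with the history check of 2.21: the server keeps only a random salt and a scrypt digest per user, compares digests in constant time, and rejects a new password that matches the current one or any of the retired ones still in the history window. The in-memory record layout, the history depth (5) and the scrypt cost parameters are assumptions for illustration.

```python
"""Salted slow hashing for stored passwords, plus a password-history check.

Added example (not part of the adidas-Group policy text). Illustrates the
rationales of 2.21 (password history) and 2.24 (protecting stored
passwords): the server keeps a salted scrypt digest, never the password,
and compares with a constant-time function. Record layout, history depth
and cost parameters are assumptions for illustration.
"""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5                              # retired passwords kept for rejection (assumed)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters (assumed; tune per hardware)


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is
    supplied, so two users with the same password get different digests and a
    precomputed table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time, so the
    response time does not leak how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """In-memory stand-in for the credential table: the current (salt, digest)
    per user plus up to HISTORY_DEPTH retired (salt, digest) pairs."""

    def __init__(self):
        self._current = {}   # user -> (salt, digest)
        self._history = {}   # user -> [(salt, digest), ...], oldest first

    def set_password(self, user, new_password):
        """Store a new password unless it equals the current one or one of the
        last HISTORY_DEPTH passwords. Returns False when the change is rejected."""
        previous = list(self._history.get(user, []))
        if user in self._current:
            previous.append(self._current[user])
        # Every retired entry has its own salt, so the candidate is re-hashed
        # once per entry; that costs at most HISTORY_DEPTH + 1 scrypt calls.
        for salt, digest in previous:
            if verify_password(new_password, salt, digest):
                return False
        if user in self._current:
            hist = self._history.setdefault(user, [])
            hist.append(self._current[user])
            del hist[:-HISTORY_DEPTH]          # keep only the newest HISTORY_DEPTH
        self._current[user] = hash_password(new_password)
        return True

    def check_login(self, user, password):
        rec = self._current.get(user)
        if rec is None:
            # Hash anyway so an unknown user name takes as long as a wrong password,
            # which keeps the login endpoint from confirming which names exist.
            hash_password(password)
            return False
        return verify_password(password, rec[0], rec[1])
```

Storing the history as hashes rather than plaintext means the comparison has to be repeated per historical entry; that cost is small for a user changing a password and is the price of never keeping old passwords in a recoverable form.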
2.25 Non-adidas accounts
Rationale
Personal accounts may be less well protected and more easily compromised by a
malicious person, who could use the information obtained to gain access to adidas Group
systems.
2.26 Remember Password
Rationale
If this feature is used and a virus or other malware infects the system, the malware can
harvest the saved password files within the application.
2.27 Two-factor authentication
Rationale
Two-factor authentication provides improved security for higher-risk access, such as
access originating from outside the adidas-Group network.
2.28 Remote service access
Rationale
Allowing vendors (e.g. POS vendors) access to a system for support increases the chance
of unauthorised access. Such access must therefore be approved, and the time period for
which it is open must be kept as short as possible.
3 Further Information
3.1 Change History
Description of changes to previous versions / releases in table form:
Version  Date        Change
1.3.0    06.07.2016  Change of the rules "2.20 Password attempts and lockout" and "2.21 Password history"
1.2.0    30.12.2015  Change of the rule "2.23 Password complexity and length" to allow more consumer-friendly passwords
4 References
N/A.
Approval