Security Fundamentals for Delivery Leads

This short training on information security requires your full attention. It will help you better understand the critical areas of security that you should know: Secure Development, Cloud Security, Infrastructure Security, Access Management, and Disaster Recovery.  

At the end of the training, download the job aid with actions that you can use with your teams to identify and fix any security gaps.

Technology Delivery Leadership is requiring all Delivery Leads to complete this training.

(Please note: Accenture’s Cloud Platform (ACP) referenced in this course has been renamed Cloud Manager and Optimizer (CMO). Visit the Cloud Manager and Optimizer site for more information.)

Welcome to Security Fundamentals for Delivery Leads: David Golding (Global Lead for Technology Delivery)

Hi everyone,

I know you’ve got a lot on your plate, but this short course on information security requires your full attention.

On average, five Accenture clients are mentioned in the news every week for some kind of cyber-incident. The threat environment is intense and shows no signs of easing. In fact, we’ve had to deal with some disappointing security incidents and audit issues on some of our Technology contracts recently.

As you all know well, client relationships can take years to build, but only moments to lose.  As a Delivery Lead, security is one of your primary accountabilities, along with of course budget, schedule, and quality.  Our delivery teams always need to act securely, so our clients feel secure and actually are secure… and they don’t become tomorrow’s headlines.

I want you to stop and think for a moment and ask yourself some questions:

• What specific steps do you take to confirm your solutions are developed securely?
• Does your team understand their direct responsibilities for securing cloud environments?
•  If you are responsible for infrastructure, when was the last time you reviewed if there were any aging and unpatched vulnerabilities?
• Is your solution adequately protected by Multi-Factor Authentication?
• Are you confident that your disaster recovery plan and back-ups are sufficient to recover from a ransomware attack?

If you don’t know the answers to these basic questions, you clearly have some work to do. While I don’t expect all of you to have deep security expertise. You need to be familiar enough with these key security processes to ask yourself the right questions, and to judge for yourself whether the right things are being done or if corrective action is necessary. If you do not know what to do, please reach out to your CDP account manager.

This short course will help you better understand the critical areas of security that need your attention: Secure Development, Cloud Security, Infrastructure Security, Access Management, and Disaster Recovery.  And you’ll leave the course with a set of actions that you can use with your teams to identify any gaps that need to be addressed.

I know you are busy. But taking less than an hour out of your busy day to become comfortable and confident with these security fundamentals is well worth the potential cost in terms of both margin and client relationships if you don’t make security a priority.

I will check back with you at the end of this training. In the meantime, close your Outlook, set your Teams to do not disturb, and enjoy the content, enjoy.

Module 1: Secure Development

Introduction:

Our clients expect Accenture to develop quality applications on time and on budget. In today’s environment, clients have a new expectation that is equally important - Security. Let’s see what happens when one Accenture team puts security on the back burner.

What happened:

An Accenture development team was working on a health-related application. Just before go-live, the application was scanned for known vulnerabilities, and several security problems were identified. To avoid negative impacts to the project schedule, the development team moved the application to production without addressing these vulnerabilities. They intended to fix them after the go-live. Unfortunately, before the vulnerabilities could be remediated, they were exploited by an attacker. In this attack, the threat actor gained access to end user health data, which resulted in contractual, regulatory, and reputational repercussions.

Key takeaways:

Make sure your projects start secure and stay secure. Plan ahead by understanding secure development requirements and including them in your project plan. Application security scanning must happen early enough before go-live to provide time for remediation. Unless your client provides a formal risk acceptance or liability waiver, all vulnerabilities must be remediated prior to go-live.

Take action:

Be confident your team is developing solutions securely by taking the following steps:

1. Include secure development requirements in project plans with adequate lead times.
2. Confirm that all developers complete the secure development training. If GitHub will be used, this includes training on the secure use of GitHub. Developers must also use the Client Data Protection (or CDP) secure coding checklists.
3. Ensure developers use the do-it-yourself-assessment, or DIYA application security scans.
4. Confirm that DevOps arrangements are using the Accenture DevOps Platform, or ADOP, for automated scans and software composition.
5. Assess application enhancements for risk and apply secure development requirements, as appropriate.

If you can’t comply with these requirements or other CDP secure development controls, contact your CDP account manager for assistance.

Question 1:

How can you ensure your Accenture project team is well-trained on secure development? Select all that apply.

a: They have undergone secure development training.

b: They have completed the secure use of GitHub training.

c: They are using the CDP secure coding checklists.

d: They are using the do-it-yourself-assessment (DIYA) application security scans.

Correct! / Partially Correct / Incorrect

It is critical that your team is well-prepared on secure development. This will help ensure the solution is developed securely from the start.

Delivery Lead Actions: 1) Confirm that all developers complete the secure development training. If GitHub will be used, this includes the secure use of GitHub training. Developers must also use the CDP secure coding checklists. 2) Make sure developers use the DIYA application security scans to identify potential application vulnerabilities early in the development lifecycle.

Question 2:

If the timeline is tight and SLAs are in jeopardy, it is OK to move an application to production and remediate vulnerabilities after go-live without obtaining appropriate agreement from your client.

a: True

b: False

Correct! / Incorrect

Unless you have client approval in writing, with appropriate risk acceptance, applications should not be migrated to production unless all security vulnerabilities have been addressed. Additionally, CDP secure development controls, along with any other controls, should never be marked as compliant if they are not effectively in place.

Delivery Lead Action: Plan ahead – allow time for application assessment scanning and remediation prior to pushing code to production.

Module 2: Cloud Security  

Introduction:

Securing cloud environments can be complex. While Accenture’s Cloud Platform, also known as ACP, provides some important security capabilities, delivery teams are accountable for securing their cloud environments. Let’s see what happens when one team does not understand their accountabilities.

What happened:

A Delivery Lead assigned cloud environment set-up and ownership to a junior, inexperienced team member. While eager to do the work, the junior employee had never configured a cloud environment before and was not trained in cloud security. Unfortunately, the junior team member did not provision the new cloud environment via ACP and did not apply the required cloud security standards. When the team set up an improperly configured storage bucket, the regular ACP configuration scanning that would have picked up this issue was not in place and the issue was overlooked. This storage bucket was accessible to the public and was eventually compromised with ransomware.

Key takeaways:

Not following the proper security standards and processes may save time in the short-term but can often lead to significant long-term costs, including harm to client relationships and the Accenture brand.  Attackers use industrialized processes to scan for insecure or misconfigured cloud environments.  Make sure that all cloud control owners have the right experience and training to implement controls that are necessary to avoid data theft and ransomware attacks.

Take action:

Be confident your team is properly securing cloud environments by taking the following steps:

1. Only delegate cloud control ownership responsibilities to team members who have the proper experience and training to implement their assigned controls effectively.
2. Make sure your team understands that they are directly responsible for securing cloud environments beyond the underlying capabilities supplied by cloud providers and ACP. Project team security responsibilities include, but are not limited to, secure configuration, Multi-Factor Authentication (MFA), implementation, patching, and access management.
3. Confirm with your cloud control owner that all cloud environments comply with Policy 56 and are secured according to Accenture’s cloud security standards.
4. Whenever possible, use ACP’s Cloud Security Posture Management, or CSPM, service to scan for configuration gaps, and either Accenture Security’s Managed Security Services, commonly referred to as MSS, or Information Security’s Security Operations Center to scan for unpatched vulnerabilities.
5. Regularly review the most recent copies of configuration and vulnerability reports. Hackers don’t work according to our reporting schedules. Confirm your team is actively addressing gaps in your cloud environments as soon as possible.
6. If client requirements prevent compliance with Accenture standards in any ACP environment, work with the CDP team to determine if a client risk acceptance or liability waiver is required.  Gaps in client provisioned environments should be treated as gaps in client owned infrastructure.

Question 1:

When you manage cloud services for a client from a cloud provider that is integrated with Accenture’s Cloud Platform (ACP), the Accenture delivery team is not responsible for securing the cloud environment.

a: True

b: False

Correct! / Incorrect

The Accenture delivery team (not ACP and not the cloud provider) is accountable for the security of cloud environments and must always comply with the required controls. Make sure you understand your team’s accountabilities vs. ACP’s accountabilities vs. cloud provider’s accountabilities.

Delivery Lead Action: Understand the controls that your team is required to implement on top of any capabilities supplied by ACP and cloud providers.

Question 2:

If Accenture is responsible for managing a cloud environment, which of the following is true? Select all that apply.

a: The team must configure the environment so it complies with Policy 56 and Accenture’s cloud security standards.

b: The team should only address configuration and vulnerability gaps older than 30 days.

c: The cloud environment is secured because the cloud provider supplies all required security controls and processes.

D:  If the solution includes cloud services, the Delivery Lead must confirm that the cloud services are included in the scope description when the contract is mobilized in the CDP plan.  

e: When assigning cloud security controls within the CDP plan, the assigned control owner must have the appropriate experience and training.

Correct! / Partially Correct / Incorrect

With cloud environments, the delivery team is responsible for many of the same security processes that they would be responsible for if they were using traditional infrastructure.

Delivery Lead Actions: Confirm that your cloud environments have been hardened (i.e., secured) appropriately.  If client requirements prevent compliance with Accenture standards in any ACP environment, work with the CDP team to determine if a client risk acceptance or liability waiver is required.

Module 3: Infrastructure Security   

Introduction:

When clients hire us to manage their infrastructure, they expect us to do it securely.  If clients have constraints that prevent Accenture from fully securing environments that we are responsible for, the right documentation should be put in place to protect Accenture. Let’s look at an example that demonstrates why this is so important.

What happened:

An Accenture project team was supporting a portfolio that contained many end-of-life systems and applications, as well as other components that had unpatched vulnerabilities resulting from client constraints. The Delivery Lead discussed the current threat environment with the client and the risks associated with the end-of-life and unpatched vulnerabilities. The client agreed to implement fixes and upgrades over a two-year period. In the interim, the client provided Accenture with a liability release for the associated risks. Two months later, a ransomware attack exploited a vulnerability in one of the end-of-life systems. This paralyzed the client’s production environment, causing significant manufacturing disruptions. Fortunately, as a result of the liability release, the client agreed that Accenture had no liability for the ransomware attack.

Key takeaways:

In this case, the Delivery Lead took all the right steps to make their client aware of the risks associated with their decisions and to protect Accenture. Had the Delivery Lead not been proactive and taken the swift action, it would have been much more difficult to establish accountability and liability for the ransomware incident. For more information on how to address client driven risk, reach out to your CDP account manager.

Take action:

Here are the things your team needs to get right to manage infrastructure securely.

1. Maintain an accurate and complete asset inventory that is integrated with the infrastructure change control process.
2. Confirm whether Accenture is contractually responsible for patching, and if so, ensure that a clear, documented, and signed off patching schedule is in place.
3. In most environments, you will need to have automated scanning in place to maintain an effective patching process.
4. Make sure the team has a closed loop process in place to scan all assets in the asset inventory, identify vulnerabilities, patch assets according to the patching schedule, and confirm successful implementation.  Rescan to confirm that patches are successfully applied.
5. Use the signed off patching schedule as the maximum allowable time to remediate; act quickly if possible.
6. Provide regular reports with open vulnerabilities, patching progress, and patching plans to the client.
7. Confirm that documentation clearly identifies whether Accenture’s or the client’s configuration standards should be followed. All infrastructure components, including firewalls, need to be properly configured according to those standards.
8. Make sure there is a closed loop process in place to monitor and correct infrastructure configuration issues, ideally using an automated configuration scanning tool. Rescan to confirm configuration issues are fixed.
9. For infrastructure outside of ACP or an Accenture managed data center, use MSS for vulnerability and configuration scanning whenever possible.
10. Follow CDP processes to protect Accenture against client driven risk, such as end-of-life components, weak, ‘red flag’ standards, or failure to provide adequate patch windows.

Question 1:

What are the elements of an effective patching process? Select all that apply.

a: A complete asset inventory that is integrated with the change control process so that it is kept up to date.

b: The patching schedule is clearly documented.

c: The patching schedule is formally agreed to with the client.

d: A closed loop process is in place where the results of vulnerability scans are regularly reviewed and actioned, and assets are rescanned to confirm that the patches are applied correctly.

Correct! / Partially Correct / Incorrect

These are all elements of an effective patching process.

Delivery Lead Action: Make sure your patching process is effective. In a good process, vulnerabilities are remediated before the schedule requires it. Patching jobs can sometimes fail, so always confirm that patches are applied successfully.

Question 2:

You inherit a contract from a competitor with numerous vulnerabilities and end-of-life devices. What is the best way to proceed? Select all that apply.

a: Review the asset inventory to identify any end-of-life devices.

b: Confirm that the client is aware of all end-of-life devices and the associated risks.

c: Agree with the client on a patching schedule and burn down plan to remediate the inherited vulnerabilities.

d: Review the contract to confirm Accenture is explicitly relieved of liability for pre-existing vulnerabilities, including end-of-life devices.  

Correct! / Partially Correct / Incorrect

Accenture should not be liable for client decisions that lead to security incidents.

Delivery Lead Action: Do not be afraid of having conversations about client driven security risk with your clients. Both Accenture and our clients want to avoid security incidents. Obtain an agreement to address any client driven gaps. If the contract is not clear, work with CDP and the legal team to obtain a liability release until all components are upgraded and patched, and for any outstanding items the client chooses not to address.

Module 4: Access Management   

Introduction:

It is critical that we configure our solutions and delivery processes so that only authorized individuals can access Accenture and client environments. Let’s look at what can happen when a solution is not protected with MFA.  MFA, or Multi-Factor Authentication, is one of the most critical methods to securely manage access and it protects our environments from attackers trying to use compromised credentials.

What happened:

The Accenture project team was implementing a new SalesForce instance for their client. This tool contained information about the client’s customers. To access the application, the project team had to log on to a VPN using individual credentials. Because there were two different elements in play, the VPN and the individual credentials, the project team believed this satisfied the MFA requirement. Unfortunately, this solution did not provide sufficient protection to the tool because there was no mechanism in place to confirm the identity of each individual via a code or token known only to that individual. Without MFA in place, an attacker was able to use compromised credentials to access the new application. Once the attacker was in the tool, not only did they obtain confidential data, but also used the same compromised credentials to deploy ransomware across other client systems.

Key takeaways:

Always check with the appropriate control owners that there is zero misunderstanding when it comes to MFA implementation. MFA is a crucial method of protecting credentials against hackers and should be used whenever accessing Accenture or client environments and systems. In fact, regulators expect MFA to be in place and increase penalties when it is missing.

Take action:

Implementing MFA is critical to protect against inappropriate access. In addition to MFA, there are other steps your team needs to take to securely manage access. Here are the key things to do:

1. Confirm that MFA is in place for all Accenture hosted platforms, environments, and applications for developers, administrators, and other support personnel.
2. If clients need access to Accenture hosted platforms and environments, confirm they are using Accenture-issued MFA.
3. Confirm that Accenture multi-client platforms require MFA for end users.
4. Access by Accenture personnel to client systems and environments should be protected by client issued MFA.
5. If clients won’t provide MFA to protect our access to client environments or if they don’t agree to require end user MFA for applications we develop for them, obtain a risk waiver and liability release.

In addition to MFA,

6. Document, retain, and regularly review all user access by the Accenture team as specified by your contract or CDP control requirements. Clients should be notified of Accenture role changes that require different access levels and roll offs within 24 hours.
7. Only request access rights that are the minimum necessary for each role.
8. Make sure that each team member has individual credentials. Team members should not share credentials. Generic credentials should be avoided, and default credentials must be changed.
9. Administrator and application IDs require special attention and focus, as they are higher value targets for hackers. Consider stricter password requirements, more frequent password changes, and a Privileged Access Management solution.
10. Confirm that only authorized individuals have access to application and system logs and protect access to logs with MFA.

Question 1:

If an application has VPN and credential controls, then it does not need Multi-Factor Authentication (MFA).

a. True

b. False

Correct! / Incorrect

VPNs and individual credentials do not satisfy the MFA requirement because they do not require a second authentication mechanism linked to a specific individual. The additional evidence to confirm an individual’s identity is a crucial component against hackers.

Delivery Lead Action: Advise clients who do not wish to provide MFA of the associated risk. If clients will not provide MFA to protect our access to their environments or do not agree to require end user MFA for applications that we develop for them, obtain a risk waiver or liability release.

Question 2:

When an Accenture team member rolls off a client project, their access should be deprovisioned before the next monthly reporting cycle.

a. True

b. False

Correct! / Incorrect

All user access by the Accenture team must be documented, retained, and reviewed regularly as specified by your contract or CDP control requirements. Clients should be notified of Accenture role changes that require different access levels and roll offs within 24 hours.

Delivery Lead Action: Ask whoever manages your access list if they regularly verify that we have requested the client to revoke access for people rolling off within 24 hours. Review your access control log to see if anyone who has rolled off is still on the list.

Module 5: Disaster Recovery

Introduction:

No one wants to find out their disaster recovery plan and back-up process isn’t effective. Let’s find out what can happen when disaster recovery plans and back-ups are not properly tested.

What happened:

A company experienced a ransomware infection that locked their entire production environment. The company knew they had a disaster recovery plan in place so rather than paying the ransom, they planned to use their back-ups to re-create their environment and restore their data. Unfortunately, it turned out that the recovery keys required to use the back-ups, were stored in the same production environment that was encrypted by the ransomware. Because the company had never tested this scenario in their disaster recovery planning, they had not realized the weakness in their disaster recovery plan. The company was unable to restore and recover their environment and was forced to pay the ransom.

Key takeaways:

In the past, disaster recovery plans focused on recovering from hardware or software failures. Today, a strong disaster recovery plan and current back-ups are often the last defense against ransomware.

Take action:

How confident are you in your disaster recovery plan?

1. Design disaster recovery plans to withstand ransomware attacks.
2. Ensure that disaster recovery plans protect against a complete loss of environments by confirming recovery keys and back-ups are secured in an alternate location outside of the production environment and are protected with MFA.
3. Test disaster recovery plans and back-ups every year, or more frequently as defined by your contract.
4. Don’t forget to conduct recovery testing on new environments and systems as they are stood-up and add them to the full disaster recovery plan.

Question 1:

To protect against a complete loss of environment access, you should (select all that apply):

a: Store any recovery keys and back-ups in an alternate location outside of production.

b: Secure any recovery keys and back-ups with MFA.

c: Test whether the disaster recovery plan can recover an environment that has been completely lost.

Correct! / Partially Correct / Incorrect

It is important that your disaster recovery plan protects against complete loss of environment and any recovery keys or back-ups are stored at an alternate location outside of the production environment. The environment should be protected with MFA.

Delivery Lead Action: Review your disaster recovery plan and back-up processes to confirm they address ransomware scenarios.  

Question 2:

To protect against a ransomware attack, testing the disaster recovery plan is the most important step.

a: True

b: False

Correct! / Incorrect

A documented disaster recovery plan is essential, but it must be regularly tested.

Delivery Lead Action: Test disaster recovery plans and back-ups to confirm they comply with contract terms and conditions. When testing, it is critical to test your ability to recover if you have lost complete access to the production environment.

Thank You and Take Action: David Golding (Global Lead for Technology Delivery)

Hi again,

You have completed this training and thank you, and the work begins now. Included at the end is a job aid—make sure you download it.  Within the next week, I expect you to use it with your team to make sure we are developing applications securely, hardening cloud environments and traditional infrastructure, protecting solutions against unauthorized access, and planning for the worst case scenario with robust back-ups and disaster recovery plans.  If you find gaps, work with your team to close them as quickly as possible.  

Let me leave you with some closing thoughts: Security is a game we can and must win, if we embed it in everything we do, every day.  Plan for security, build for security, and importantly run for security. That is what I expect from all of you, and that is what you need to do and expect from our teams.  Don’t just think of weak security as a cautionary tale.  Treat it as a major driver of long-term client satisfaction and trust.

Thank you all for your leadership in this very important area and for your commitment to secure client delivery. Thank you.

Security Fundamentals for Delivery Leads

Thank you for completing the training.

Download the job aid now and use it with your teams to identify any security gaps that need to be fixed. If you find gaps, work with your team to close them as quickly as possible.  

<button: Delivery Leads Job Aid>

Security is a game we can win if we embed it in everything we do, every day.  Plan for security, build for security, and run for security.

Select FINISH when you are ready to exit the course. You may also RESTART to view the content again.