2. CONFIDENTIAL PRESENTATION
CONFIDENTIAL DATA IS SENSITIVE AND MUST NOT BE SHARED OUTSIDE OF ACCENTURE (AND EXTERNAL PARTIES WHERE THERE IS A NEED TO KNOW). SEE ACCENTURE’S DATA CLASSIFICATION AND PROTECTION STANDARD.
5. PROTECTING DATA IS WHAT WE DO. SECURITY EVERYWHERE.
Copyright 2019 Accenture. All rights reserved.
One in three focused breach attempts get through, yet most organizations are “confident” in their ability to protect the enterprise. (2016 Accenture High Performance Security Research)
6. GDPR FOR CLIENT DATA PROTECTION: OVERVIEW
The General Data Protection Regulation (GDPR) sets new global data protection and privacy requirements for all companies collecting and processing personal data on European Union (EU) residents.
What’s new with GDPR?
• Applies to any organization that collects or processes in-scope data
• Location of organizations is irrelevant for compliance
• Harmonizes data privacy laws across Europe
• Protects, strengthens, and empowers data privacy rights of individuals for the processing of personal data
• Increased obligations for Accenture
• Fines up to 4% of global revenue
• Goes into effect on May 25th, 2019
How does GDPR affect Accenture?
• 1 in 3 Accenture accounts have access to EU personal data that is regulated by GDPR. Many of these are not based in the EU.
• Accenture is addressing the new requirements across all geographies as a consistent, global standard
Data Controllers vs. Data Processors
A Data Controller is the entity that determines the purposes of processing activities. A Data Processor is an entity contracted by the controller to process personal data on behalf of the controller. Accenture is typically considered a Data Processor and the client as the Data Controller.
7. CATEGORIES AND EXAMPLES OF PERSONAL DATA UNDER GDPR
• Identity: identification number, identification data, date of birth, gender, age, images, telephone number, email address
• Personal life: life habits, family composition/situation
• Economic and financial data: income, financial/fiscal situation, bank account number, credit card data, credit reports, credit scores and fraud alerts
• Connection related data: IP address, MAC address, logs
• Localization data: movements, GPS, GSM, WIFI, Bluetooth data
• Personal/Government Identifiers: National Identifier, Social Security Number, Social Insurance Number, Driver's License Number, Passport Number
• Data related to race or ethnicity
• Data related to political views/opinions
• Data related to religion or beliefs
• Data related to trade union membership
• Genetic or Health related data
• Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, iris scans, finger prints or other data.
• Data related to an individual’s sexual life and sexual preferences
• Personal data relating to criminal convictions and offences
8. GDPR: THE GENERAL DATA PROTECTION REGULATION
A significant change to EU data privacy rules that affects people and data you may work with. New CDP Controls help mitigate risk and support compliance with the GDPR.
DOES YOUR PROJECT HAVE ACCESS TO EUROPEAN UNION PERSONAL DATA?
CLIENT INSTRUCTIONS
Limit the collection and use of personal data to only those purposes for which Accenture was specifically contracted.
ASSISTANCE WITH REQUESTS FROM INDIVIDUALS
Obtain client requirements and implement processes (including within application design where in scope) to enable individual consumers to view, correct, restrict, transmit or delete their collected data.
PRIVACY NOTICES
When collecting personal data directly from individuals on a client’s behalf, solicit client instructions regarding the giving of appropriate privacy notices.
DATA TRANSFERS
Evaluate the origination of data subjects and the movement of that data to confirm regulatory compliance with any data transfer restrictions directly applicable to Accenture or otherwise required by the client.
9. WHAT YOU MUST LEARN TO MINIMIZE RISK
• Who To Talk To If You Have Questions
• What Type Of Risks Are Being Controlled For On Your Project
• Our CDP Structure and What Data Classification Means
• What To Do With A Security Concern
10. ACCENTURE’S CDP PROGRAM*
THE STRUCTURE YOU ARE PART OF SUPPORTING
The program runs in four phases: assess risk; identify gaps & develop action plans; deploy program & close gaps; monitor compliance & reassess.
RISK ANALYSIS
We calculate a quantitative Risk Score for every contract. Scores are used to help identify areas of heightened risk and advance consistent application of control sets.
GAP ANALYSIS
Client contractual requirements, relevant regulatory requirements, Accenture policies and CDP control standards are used to help identify gaps. Actions and solutions are determined and planned.
CDP PLAN IMPLEMENTED
A formalized CDP plan is completed by the engagement team and approved by a team of data protection subject matter experts. Applicable CDP controls and action plans are validated as fully implemented.
MONITORING & AUDITING
Accenture’s Risk and Compliance team conducts periodic Compliance Reviews and evaluates the engagement’s CDP Plan for overall compliance.
*The program is ISO2700 Certified. See appendix.
11. CDP APPLIES CONTROLS TO MITIGATE RISK BASED ON DATA ACCESSED & WORK DELIVERED
The CDP control areas are:
Accountability
Administrator Access
Approved Devices & Tools
Change Management
Database Backup
Data Disposal
Delivery Locations
Encryption & Storage of Data
Environment-Specific Controls
Firefighter ID
Firewall & IDS / IPS
General Infrastructure & Hosting / Cloud
Least Privileged Access
Legal / Contractual & Business Continuity
Logging & Monitoring
Movement of People between Engagements
Password Management
Patching
Physical Security
Reuse of Work Product
Secure Application Development
Security Incident Reporting
Subcontractors
Training
Transmission of Data
User Access Management
13. CDP PROGRAM AT BANCO BRADESCO
ALWAYS A PRIORITY; NOT OPTIONAL
We currently provide development and/or consulting work to many client relationships (CRs) under the Banco Bradesco masterclient:
• Banco Bradesco
• Bradesco Seguros
• Bradesco Saude
• Bradesco Vida e Previdencia
• Losango
• Cielo
• Elo
• Alelo
The clients we support are the ones above; if their data were lost or breached it would mean lost business, loss of trust, reputational risk, and so on.
14. CDP IS EVERYONE’S RESPONSIBILITY
QUALIFIED EXECUTIVES LEAD THE TEAM
These are your account CDP subject matter experts. Talk to them if you have questions.
Your
Project
Lead
Control Owner
CAL / AMD
Giancarlo Greco
A-ISL
Andrea Ruas
Martins
Contract Manager
Bruna Barbieri
I work with the A-ISL and Delivery
Leads to make sure we meet our
contractual obligations.
Talk to me if you have
questions or ideas and
suggestions to be more secure.
On this account we have many Control
Owners, I’m one of them. Something
I’m responsible for is ensuring physical
walk-throughs are conducted monthly.
Come to me when you have
questions on what our
contract says.
Delivery Lead
Daniella Santos
You can come to me, or one of the
other Delivery Leads, when you
have questions on your controls.
17. SECURITY IS EVERYONE’S RESPONSIBILITY
PROTECTING DATA IS PART OF YOUR JOB
The next slides go over the risks that CDP Controls mitigate, and the actions you should take. You don’t have to know everything:
1. Ask questions
2. Get answers
3. Take action
Be a Security Superhero!
18. IF YOU SUSPECT, CALL ASOC
ASOC IS HELP
Report any suspected security concern. Your quick action may prevent further loss or unauthorized access to information, and ASOC can help you talk with clients.
Accenture Security Operations Center: +1.202.728.0645
STORE THIS NUMBER IN YOUR PHONE NOW
India local number: +91 80 4106 2762
Japan local number: +81 45 330 7189
Philippines local number: +63 (2) 620-2058
• None of our active contracts under the Banco Bradesco masterclient require the client to be notified in case of loss or theft of equipment. However, always check with your Contract Manager to confirm that.
19. LEARN WHAT RISK IS BEING CONTROLLED FOR
PLAN YOUR ACTIONS TO HELP
ACCOUNTABILITY
Learn who the Accountable Managing Director (AMD) and Account Information Security Lead (AISL) are and how to contact them with questions.
LEGAL / CONTRACTUAL
Understand your requirements related to data privacy, information security, and protecting client data. Every client is different, and contracts change. Find out the best way to learn them and stay current.
SUBCONTRACTORS
Understand how CDP applies to subcontractors you and your team work with. Talk to your AISL if you have any questions.
USER ACCESS MANAGEMENT & LEAST PRIVILEGED ACCESS
Give people the minimum access required to do their role and remove it promptly when no longer needed. For yourself, know what data you have access to and why, so that you understand your responsibility for protecting it.
TRANSMISSION OF DATA
Understand the guidelines for transmitting data, whether electronic or physical. Never use non-client email to transmit highly confidential data outside of the client environment.
BUSINESS CONTINUITY
Understand the plan for ensuring security measures continue in the event of a business continuity event. Incorporate prevention and resilience into your plans.
20. FOLLOW YOUR CDP PLAN
ACCOUNT FOR YOUR ACTIONS
CHANGE MANAGEMENT
Work with your AISL when the scope of work changes and your team no longer needs access to data, or when new work is awarded.
DELIVERY LOCATIONS
Know where and how to work. This may affect remote work, whether you may work from home, or the tools and applications you can use. You may be required to use a client workstation.
APPROVED DEVICES & TOOLS
Use only Accenture-approved devices to do work. Know what your account policies are and make sure those around you follow them as well.
ROLL ON & ROLL OFF
Don’t grant access, or use pre-read materials, until Roll On procedures, including CDP Training, are complete. Remove access to data, systems, and applications when no longer needed and as part of Roll Off.
REUSE OF WORK PRODUCT
Before you reuse any work product, know and follow what the contract states. Obtain the required approvals prior to submitting for re-use. If you can reuse materials, remove all client data. Don’t just ‘find and replace’; that doesn’t catch all data.
21. TAKE EXTRA STEPS TO DELIVER MORE
ENGAGE THE RIGHT SMES WHEN NEEDED
PHYSICAL SECURITY
Ensure work space and assets are secure to keep hard copy and electronic data safe: lock down PCs, control access to work environments, don’t leave sensitive data on printers, etc. Don’t let others ‘tailgate’ or follow you into the workspace without badging in.
TRAINING
CDP Training must be complete before access to data or systems is granted. Stay up to date on CDP awareness, learning, and training throughout your role, and consider becoming an IS Advocate to learn more steps you can take to protect data.
DISPOSAL OF WORK PRODUCT
Securely delete, destroy, or return client data. When disposing of hard copies or e-data, follow thorough, documented guidance.
ENCRYPTION AND STORAGE OF DATA
Use approved devices with hard disk encryption when working with client data. Learn how to encrypt data if you are allowed to store it in repositories or transmit it via the internet or mobile media.
22. BUILD DEFENSIVELY
PLAN OFFENSIVELY
GENERAL INFRASTRUCTURE & HOSTING
There is a range of CDP Controls related to this type of work. For example, run vulnerability scanning and/or assessments on project-related devices (routers, switches, servers, etc.) and remediate findings. Where this is contractually out of scope for Accenture, obtain vulnerability assessment results from the client and remediate findings.
SECURE APPLICATION DEVELOPMENT
Create a Secure App Dev Plan based on the guidance of the relevant Accenture Delivery Methods (ADM) and document it within the Secure App Dev controls. Answer a series of questions prior to validating the control for GDPR.
ENVIRONMENTAL CONTROLS
Secure data in the environments you’re building, testing or working in.
PATCHING
Develop, document, and implement a patching schedule and timeframe that aligns with your contract. Maintain an inventory of all infrastructure in scope.
There’s more to know about all of these controls. Visit this page, scroll down, and go to the control to learn more. Then talk with your team lead or AISL to best understand the actions you need to take.
23. HIGHER RISK CONTROLS
MITIGATE MORE RISK, CARRY MORE WEIGHT
Of the controls you’ve learned, the ones below are higher risk controls because of the type of risk they help guard against.
• CHANGE MANAGEMENT
• DATABASE BACKUP
• ENCRYPTION AND STORAGE OF DATA
• ENVIRONMENTAL
• FIREWALL AND IDS/IPS
• GENERAL INFRASTRUCTURE / HOSTING
• ROLL-ON / ROLL-OFF AND ACL
• PATCHING
• SECURE APPLICATION DEVELOPMENT
• TRAINING
• LEGAL/CONTRACTUAL – BUSINESS CONTINUITY MANAGEMENT
24. NOW YOU KNOW THE CONTROLS WE PLACE
LET’S BE CLEAR ON ACTIONS YOU TAKE
DO THIS
1. Complete roll-on and client training before performing any work
2. Remove any previous client data from your machine
3. Create new, complex and unique passwords for client systems, different from ones you’ve used previously
4. Lock your screen every time you step away
5. Complete IS Advocate Training within 2 days of roll-on, and pay particular attention to the interactive assets on Phishing
DON’T DO THIS
1. Reuse work product from your last project
2. Send Highly Confidential Information in emails
3. Text client data
4. Share passwords or IDs
5. Access or store client data on personal devices
25. SPECIFIC GUIDANCE ON HANDLING DATA
LET’S BE CLEAR ON ACTIONS YOU TAKE
DO THIS
1. Only use or permit the use of Confidential Information to perform Services under the SPP MSA.
2. Disclose Confidential Information only to approved Subcontractors who have signed a written confidentiality or nondisclosure agreement.
3. Protect the client’s Confidential Information with the same level of protection used to protect Accenture’s Confidential Information.
4. Destroy Confidential Information when it is no longer needed or upon the client’s request, using Eraser.
DON’T DO THIS
1. Remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of the client or any third party.
2. Disclose Confidential Information to any third parties (except for the client’s representatives/contractors who have a need to know).
3. Leave laptops unlocked at any time.
4. Map local storage drives between your computing system and resources contained within the client’s remote server environments (e.g. Citrix).
27. PMO - HERE’S YOUR ‘DO’ LIST
DISCUSS WITH YOUR TEAM
Know how you’ll complete the necessary actions.
Roll On – Roll Off
• Own and refresh roll on content regularly. Start the roll on process by sending forms and information to a person joining the account. Process the forms upon return and confirm the steps are complete before client work is started.
Subcontractors
• Confirm requirements outlined in Accenture Policy 1420 are followed for procurement of all subcontractors, including the use of Contractor Exchange (Cx) where locally applicable.
User Access Management
• Update the system administrator when you are aware of a person joining, leaving, or changing responsibilities on a team.
28. CDP LIFECYCLE CHECKLIST
KEY STEPS FOR SECURITY ROLES
DURING SALES
❑ Don’t be afraid to talk to your client
❑ Treat security as a business issue, not a legal one
❑ Include required security controls in your solution plan
❑ Complete your CDP Risk Assessments by stage 2B
WHEN NEW WORK BEGINS
❑ Delivery Lead mobilizes new contracts in CDP plan within 30 days of win to create new CDP controls
❑ Understand and incorporate contract and regulatory specific requirements
❑ Engagement implements new controls prior to accessing client data
❑ Complete request for Application Security Assessment well in advance
DURING DELIVERY
❑ Establish visible accountability for Information Security
❑ Identify, understand and own your risk
❑ Establish client dialog regarding gaps in client environment in a straightforward way – Protect Accenture
❑ Where gaps can’t be closed, seek a formal Information Security Exception
❑ Maintain a regularly updated inventory of client data to help identify areas of highest risk
❑ Regularly review and refresh the plan – scope of services, delivery locations, contractual and regulatory requirements
❑ Regularly communicate status and gaps; make part of overall account scorecard
❑ Maintain an active training, learning and awareness program
❑ Leverage technology and SME resources
❑ Trust but verify control implementation – check quality of evidence for operational effectiveness
❑ Look for patterns of non-compliance – contracts, locations, control owners, specific controls
❑ Report suspected incidents to ASOC immediately; don’t try to solve the problem yourself
❑ Pay special attention to the higher risk controls – they present the highest risk and degree of complexity
29. CONTROL CREATION
CONTROLS ARE CREATED AT THREE DIFFERENT LEVELS
Account
• Administrative Controls
• Controls are assigned to the Account Information Security Lead
• Applies to all contracts within the account
Location Specific
• Controls that are common across a location
• Controls are assigned to a Local control owner
• Applies to all contracts delivered from a specific location
Service Specific
• Controls that are specific to a service
• Controls are assigned to identified Service Control Owners
• Applies to a specific service delivery within a contract
COMPLIANCE SCORING
CONTROLS ARE SCORED BASED ON ACTIONS REQUIRED
Status definitions:
• Red: Action is required to assess or re-assess a control. The action is past due by 14 days.
• Yellow: Action is required to assess or re-assess a control. The action is past due by one to 14 days.
• Blue: Action is required to assess or re-assess a control.
• Green: Control is compliant and no further action is required at this time.
The ability to meet and implement control requirements is used to calculate the operational risk for an account. The impact on the overall risk score is based on:
1. Type of control, because not all controls are of the same weight. Higher Risk controls, for example, are heavier and have more impact because of the type of risk they are controlling for.
2. Age of control, reflecting how far past due or non-compliant it is.
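The status bands and the two scoring factors above can be made concrete in a few lines. The following is an added example, not the CDP program's own scoring tool: it implements the four status bands as the slide defines them and a weighted account score in which control type and days past due both raise the total. The numeric weights, the age factor and the sample controls are assumptions constructed here for illustration; the page gives the factors but not their values.

```python
"""Compliance status and weighted risk score for CDP-style controls.

Added example; not Accenture's or the CDP program's own tooling. The status
bands follow the slide (Red / Yellow / Blue / Green). The control-type
weights, the age factor and the sample controls are assumptions made here.
"""
from dataclasses import dataclass
from datetime import date

# Assumed weights: higher-risk controls carry more weight than standard ones.
CONTROL_WEIGHTS = {"standard": 1.0, "higher_risk": 3.0}


@dataclass(frozen=True)
class Control:
    name: str
    control_type: str            # "standard" or "higher_risk"
    due: date                    # date the (re-)assessment action is due
    action_required: bool = True  # False once compliance has been confirmed


def days_past_due(control: Control, today: date) -> int:
    """Whole days past the due date; 0 when the action is not yet due."""
    return max((today - control.due).days, 0)


def status(control: Control, today: date) -> str:
    """Map a control to the slide's status bands.

    Green:  compliant, no action required.
    Blue:   action required, not yet past due.
    Yellow: past due by one to 14 days (14 inclusive; assumption).
    Red:    past due by more than 14 days.
    """
    if not control.action_required:
        return "Green"
    overdue = days_past_due(control, today)
    if overdue == 0:
        return "Blue"
    if overdue <= 14:
        return "Yellow"
    return "Red"


def control_impact(control: Control, today: date) -> float:
    """Assumed impact: weight * (1 + overdue_days / 14) while action is required.

    A compliant control contributes nothing; an overdue one grows linearly
    with its age so that an old Red item outweighs a fresh Blue one.
    """
    if not control.action_required:
        return 0.0
    weight = CONTROL_WEIGHTS[control.control_type]
    return weight * (1 + days_past_due(control, today) / 14)


def account_risk_score(controls, today: date) -> float:
    """Sum of per-control impacts, rounded to two decimals."""
    return round(sum(control_impact(c, today) for c in controls), 2)


def status_summary(controls, today: date) -> dict:
    """Count of controls in each status band."""
    counts = {"Red": 0, "Yellow": 0, "Blue": 0, "Green": 0}
    for control in controls:
        counts[status(control, today)] += 1
    return counts


# Constructed sample: an evaluation date and five controls at different ages.
TODAY = date(2019, 6, 30)
CONTROLS = [
    Control("Training", "higher_risk", date(2019, 6, 1)),          # 29 days overdue
    Control("Patching", "higher_risk", date(2019, 6, 16)),         # 14 days overdue
    Control("Physical Security", "standard", date(2019, 7, 15)),   # not yet due
    Control("Accountability", "standard", date(2019, 9, 1), action_required=False),
    Control("Data Disposal", "standard", date(2019, 6, 29)),       # 1 day overdue
]

if __name__ == "__main__":
    for control in CONTROLS:
        print(f"{control.name:18} {status(control, TODAY):7} impact={control_impact(control, TODAY):.2f}")
    print("summary:", status_summary(CONTROLS, TODAY))
    print("account risk score:", account_risk_score(CONTROLS, TODAY))
```

Running it shows the 14-day boundary (Patching is still Yellow at exactly 14 days, Training is Red at 29) and that the two overdue higher-risk controls dominate the total, which is the point the slide makes about heavier controls carrying more weight.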
30. KNOW THAT CONTROLS MITIGATE RISK
UNDERSTAND WHICH APPLY & WHY
Below are services which create specific controls:
• AP / AR Processing
• App Dev, maintenance, and / or production support
• Testing
• Training or User Support
• Billing
• Call Center
• Cloud
• Consulting and / or Data Analysis
• Conversion
• Credit and Collections
• HR Services
• Infrastructure Management and / or Hosting
• Payment and / or Payroll Processing
• Procurement / Procure-to-Pay
• Staging and/or Data Migration
• User Acceptance Testing
31. CDP ROLES TO MANAGE RISK
ACCOUNTABILITY
• Leaders with the right skillset and experience fill CDP Roles.
• They have overall accountability for implementing and maintaining a compliant CDP Plan.
• They set Priorities in Performance Achievement and are required to be CDP Certified.
• They work with people assigned to be Control Owners. The next slide gives more detail on them.
Aside from these specific CDP roles, anyone can become an IS Advocate. You can set a Priority in Performance Achievement and reflect your effort as you attain each level.
Client Account Lead (CAL) / Accountable Managing Director (AMD) has overall accountability for implementation of and compliance with the CDP Plan.
Account Information Security Lead (A-ISL) drives implementation of the CDP Plan and manages ongoing compliance.
Control Owners are responsible for carefully evaluating minimum standards of controls and project compliance.
Delivery Lead works to keep the CDP Plan aligned with the contract.
Contract Manager helps create and implement contract-level CDP requirements.
IS Advocates show initiative by learning more about CDP so they can work with more secure practices & behaviors.
32. CONTROL OWNER RESPONSIBILITY
REVIEW & ASK QUESTIONS
• Confirm compliance with all controls assigned to you on or before the date they are due. Due dates correlate to the monitoring frequency for the risk, i.e. monthly, quarterly, semi-annual, or annual.
• Ensure controls you own are properly implemented and managed for all resources in scope. You may own controls for one contract or more than one contract.
• When you confirm compliance, or fail to, it impacts the entire account’s compliance score. Your role is to assure that secure practices are being followed to protect client and Accenture data.
• If you cannot validate a control due to reasons outside your control (e.g. the client not agreeing to implement it), then follow the Security Exception process while looping in your AISL and CDP Account Manager.
TRAINING COURSE YOU SHOULD TAKE: CDP Effective Implementation and Ongoing Compliance (Course #: A12691)
33. CHANGE MANAGEMENT & MOVEMENT OF PEOPLE
KEEP THE CDP PLAN CURRENT
LIVING DOCUMENTS
• The AISL maintains the CDP Plan, CDP Risk Assessment, and Inventory of Client Data
• Work with your AISL when changes occur, such as your team no longer needing access to data, scope changes, or a new task order being awarded.
• Keep your Client Data Inventory and Application Inventory current
• Conduct Risk Screenings / Assessments for new opportunities
• Mobilize new contracts as they are won and are ready for implementation
START RIGHT & END RIGHT
• Everyone follows Roll-On and Roll-Off procedures
• Complete checklists to start your role right
• Take training to help you understand the type of data you’ll be working with and how to get, and remove, access to that data.
34. LEGAL & CONTRACTUAL
COMPLY WITH DATA PRIVACY LAWS & REGULATIONS
EVERYONE MUST UNDERSTAND REQUIREMENTS RELATED TO DATA PRIVACY, INFORMATION SECURITY, AND PROTECTING CLIENT DATA.
In the Banco Bradesco masterclient, none of the current contracts we have in place allows Accenture to have access to client personal data. Be aware and vigilant!
LGPD (Lei Geral de Proteção de Dados) will be an active data protection law in Brazil in 2020.
35. LEGAL & CONTRACTUAL FOR GDPR
EU DATA PRIVACY LAWS & REGULATIONS
CLIENT INSTRUCTIONS
Limit the collection and use of personal data to what the contract states. Work with the client to obtain written confirmation that personal data is:
• Adequate for the purpose for which it is needed
• Relevant to the purposes for which it is needed
• Not excessive to those purposes
LAWFUL BASIS
Document the lawful basis for processing of personal information, in writing from the client. At least one of these must apply:
• Data subject has provided consent
• Necessary for performance of the contract
• Necessary for compliance with a legal obligation
• Necessary in order to protect the vital interests of the data subject or another person
• Necessary in the public interest
• Necessary for the legitimate interest of the controller unless outweighed by risk to the individual
ASSISTANCE WITH REQUESTS FROM INDIVIDUALS
Obtain client requirements and implement processes to enable individual consumers to view, correct, restrict, transmit or delete their data.
• This includes direct and online interaction
PRIVACY NOTICES
When collecting personal data directly from individuals on a client’s behalf, get the client to give instructions regarding the giving of privacy notices.
• Follow instructions on what the notification must include
DATA TRANSFERS
Understand where data originates, and how it can be moved, to comply with restrictions that apply to Accenture or are required by the client.
• Confirm the appropriate data transfer agreement is in place and we are compliant with those requirements
36. SUBCONTRACTORS
CONFIRM THEIR CDP COMPLIANCE
WORK WITH YOUR AISL BEFORE ENGAGING SUBCONTRACTORS. TOGETHER, MAKE SURE OF THE FOLLOWING:
• Appropriate contractual terms related to security are in place.
• Appropriate non-disclosure and confidentiality agreements are in place.
• Assess all subcontracting entities* against CDP Controls.
• Individual subcontractors must follow day-to-day team processes.
• Subcontractors must complete client training or CDP-specific project training, as required. myLearning training is not required.
• Requirements outlined in Accenture policy 1420 are followed for procurement of all subcontractors, including use of the Contractor Exchange (Cx) where locally applicable.
*Defined as subcontracted operations where an entity manages and delivers part of the work
37. DELIVERY LOCATIONS
KNOW WHERE & HOW YOU CAN WORK
SEEK LEGAL, CLIENT, AND ACCENTURE APPROVAL IN WRITING FOR EACH TYPE OF DELIVERY LOCATION (INCLUDING CLIENT SITE, ACCENTURE OFFICE, REMOTE) AS WELL AS DELIVERY GEOGRAPHY (CITY, COUNTRY) WHERE YOUR PEOPLE WILL PERFORM WORK.
38. PHYSICAL SECURITY
KEEP HARD & E-DATA SAFE
TAKE RESPONSIBILITY TO SECURE DEVICES AND DATA:
• When at your desk or wherever you work, lock your laptop with a cable.
• When leaving your desk, lock your screen.
• When not in use, lock up hard copies and portable media (backup devices, CD/DVD, if approved for use).
• Follow keycard access procedures to access office sites. Do not share keycards or let anyone else in who has not scanned theirs.
39. USER ACCESS MANAGEMENT
ONLY ACCESS DATA WHEN YOU HAVE A NEED
PROJECT FOCUS:
• Maintain a roster of current and historical access to all Client Data.
• User-IDs and System-IDs may not be shared.
• Remove access promptly when no longer needed, such as when roles or responsibilities change, or upon roll-off.
• Application IDs must be unique.
• Use 2-Factor Authentication if accessing a client environment from outside (non-client/non-Accenture locations).
INDIVIDUAL FOCUS:
• Know what data you have access to and why you need access.
• Understand your responsibility for protecting the data you can access.
• Escalate if you have access to data you don't need for your role/job.
• Passwords must follow the Accenture Minimum Standard.
40. LEAST PRIVILEGED ACCESS
ONLY GRANT ACCESS BASED ON A BUSINESS NEED
BEFORE GRANTING ACCESS, UNDERSTAND WHAT WORK THE DATA IS NEEDED FOR, HOW IT WILL BE USED, AND WHEN ACCESS CAN BE REMOVED. AS NECESSARY, TALK TO THE AISL FOR GUIDANCE.
• Observe the concept of least privileged access - provide access appropriate for responsibilities and nothing more.
• Logically separate access between environments (e.g. dev/test/prod).
• Apply the concept of segregation of duties – no individual person should have access to perform tasks that could create a security conflict of interest (e.g. developer/reviewer; developer/tester).
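The user access management roster (previous slide) and the least privileged access rules above can be checked mechanically once the roster is kept as structured data. The following is an added example, not Accenture's or the CDP program's own tooling: it assumes a roster of access grants (person, the account ID they log in with, contract, environment, role, grant and removal dates) and reports the four conditions the slides call out: segregation-of-duties conflicts (developer/reviewer, developer/tester), access spanning dev/test/prod, account IDs shared between people, and access still active after roll-off. The role pairs, field names and sample roster are constructed for illustration.

```python
"""Access-roster checks for user access management and least-privileged access.

Added example; not Accenture's or the CDP program's own tooling. The roster
format (AccessGrant), the conflicting role pairs and the sample data are
assumptions constructed here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Segregation-of-duties pairs named on the slide: no single person may hold
# both roles on the same contract.
SOD_CONFLICTS = (
    frozenset({"developer", "reviewer"}),
    frozenset({"developer", "tester"}),
)


@dataclass(frozen=True)
class AccessGrant:
    person: str                      # the individual holding the access
    account_id: str                  # user-ID or system-ID used to log in
    contract: str
    environment: str                 # dev / test / prod
    role: str
    granted: date
    removed: Optional[date] = None   # None means the access is still active

    @property
    def active(self) -> bool:
        return self.removed is None


def _active_grants_by_person(roster):
    """Group still-active grants by (person, contract)."""
    grouped = defaultdict(list)
    for grant in roster:
        if grant.active:
            grouped[(grant.person, grant.contract)].append(grant)
    return grouped


def sod_conflicts(roster):
    """People who actively hold a conflicting pair of roles on one contract."""
    found = []
    for (person, contract), grants in sorted(_active_grants_by_person(roster).items()):
        held = {g.role for g in grants}
        for pair in SOD_CONFLICTS:
            if pair <= held:
                first, second = sorted(pair)
                found.append((person, contract, first, second))
    return found


def cross_environment_access(roster):
    """People whose active access spans more than one environment on a contract
    (dev/test/prod access should be logically separated)."""
    found = []
    for (person, contract), grants in sorted(_active_grants_by_person(roster).items()):
        environments = sorted({g.environment for g in grants})
        if len(environments) > 1:
            found.append((person, contract, tuple(environments)))
    return found


def shared_account_ids(roster):
    """Account IDs actively used by more than one person (IDs may not be shared)."""
    holders = defaultdict(set)
    for grant in roster:
        if grant.active:
            holders[grant.account_id].add(grant.person)
    return sorted((aid, tuple(sorted(people)))
                  for aid, people in holders.items() if len(people) > 1)


def stale_access(roster, rolled_off):
    """Active grants still held by people who have rolled off the engagement."""
    return sorted({(g.person, g.account_id)
                   for g in roster if g.active and g.person in rolled_off})


# Constructed sample roster: fictional people, IDs and contracts.
ROSTER = [
    AccessGrant("alice", "alice.dev", "contract-1", "dev", "developer", date(2019, 1, 7)),
    AccessGrant("alice", "alice.dev", "contract-1", "test", "tester", date(2019, 1, 7)),
    AccessGrant("bob", "bob.rev", "contract-1", "dev", "reviewer", date(2019, 2, 1)),
    AccessGrant("carol", "svc_batch", "contract-2", "prod", "operator", date(2018, 11, 5)),
    AccessGrant("dave", "svc_batch", "contract-2", "prod", "operator", date(2019, 3, 12)),
    AccessGrant("erin", "erin.dev", "contract-2", "dev", "developer", date(2018, 9, 3)),
    AccessGrant("frank", "frank.dev", "contract-2", "dev", "developer",
                date(2018, 6, 1), removed=date(2019, 1, 31)),
]
ROLLED_OFF = {"erin", "frank"}   # constructed: erin's access was never removed

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ROSTER))
    print("Cross-environment access:", cross_environment_access(ROSTER))
    print("Shared account IDs:", shared_account_ids(ROSTER))
    print("Stale access after roll-off:", stale_access(ROSTER, ROLLED_OFF))
```

Removed grants are kept in the roster rather than deleted, which is what gives the "historical access" record the previous slide asks for; only grants with no removal date count toward any finding. The same structure extends to other conflict pairs by adding them to SOD_CONFLICTS.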
41. PASSWORD MANAGEMENT
GRANT ACCESS ONLY TO DATA REQUIRED TO COMPLETE AN ASSIGNED TASK
PASSWORDS ARE THE FIRST LINE OF DEFENSE TO PROTECT ACCENTURE AND CLIENT DATA. ALWAYS USE COMPLEX, NON-OBVIOUS PASSWORDS.
• Always communicate a password to a user in a secure manner, separate from the User ID.
• Never use the same password for client, Accenture, or personal-use systems (e.g. social media).
• Reconcile password parameters against the Accenture Minimum Standard. If variances are identified, escalate to CDP for a security exception.
42. ADMINISTRATOR ACCESS
KNOW WHO HAS ACCESS & WHY
PROVIDE NOTIFICATION, IN WRITING, TO THE CDP PROGRAM IF SOMEONE IS ASSIGNED TO A SYSTEM ADMINISTRATOR ROLE.
• Maintain a log of all System Administrators as part of the CDP Access Control Log.
• Enable logging on all operating systems, databases, applications, security and network devices where highly confidential data resides. Keep the log for a minimum of 6 months or as required contractually or legally, whichever is longer.
43. FIREFIGHTER ID
EMERGENCY ACCESS
DOCUMENT A BUSINESS NEED AND GAIN APPROVAL FROM THE CDP CORE TEAM PRIOR TO ENABLING A FIREFIGHTER ID.
• Establish a formal procedure for checking out the Firefighter ID, to be activated for each use.
• Log all activity while the Firefighter ID is active.
• Change the Firefighter ID passwords after every use.
44. APPROVED DEVICES & TOOLS
ACCENTURE & CLIENT APPROVED ONLY
DON’T USE:
• Personal devices, shared or public devices to access highly confidential and/or restricted client data
DON’T POST TO OR USE 3RD PARTY:
• Servers for client confidential data, including IDs, passwords, IP addresses and confidential personal or business data
• Storage sites such as Dropbox, Basecamp, etc. unless approved by Accenture and the client
• Web based tools unless approved by Accenture or your client, confirmed as appropriately licensed, and having undergone a security assessment
TO ACCESS CLIENT DATA OR CLIENT NETWORKS:
• We follow Accenture and Client policies for use of Accenture provided, personally-owned, and any other shared or public devices that may be used to access client data.
45. ENCRYPTION & STORAGE OF DATA
CLIENT & ACCENTURE DATA MUST BE PROTECTED
REQUIRED:
• Hard disk encryption on all workstations (Accenture, client, rental, subcontractor, other).
• Encrypted mobile devices to temporarily store files containing client data, if approved by Accenture and the Client.
• Accenture OneDrive for Business for backup of Accenture workstations.
ENCRYPT:
• Transmission of client data via the internet, per the minimum standard.
• Transmission or storage of client data via mobile media, per the minimum standard.
• Files containing highly confidential client data 'at rest' outside of application environments (e.g. document repositories such as SharePoint, file shares) at the file level, per the minimum standard.
• Backup media, to the minimum standard: 256-bit AES encryption.
46. 46
TRANSMISSION OF DATA
FOLLOW ACCENTURE AND CLIENT POLICIES AND PROCEDURES EVERY TIME DATA IS MOVED.
• Third-party transport of hard copy or mobile media containing client data for which Accenture is responsible must use a professional-grade courier.
• Use of any non-client email account (Accenture or personal) is prohibited for transmission of highly confidential data. Use links to a secured file share or SFTP, or keep the data within the client email domain.
• OneDrive for Business can be used to store, but NOT to share, client data.
• Log the chain of custody any time hard copy or e-data containing highly confidential or restricted client data is transported.
• Do not discuss sensitive matters via text/SMS/IM or in open/public spaces.
SECURELY MOVE HARD & E-DATA
47. TRAINING
EVERYONE MUST COMPLETE CDP TRAINING SPECIFIC TO THEIR ROLE & RESPONSIBILITIES.
• Complete project-specific CDP training before you access client data.
• Review awareness materials to learn engagement-specific CDP concepts, and look for refreshers on global content as well.
• Track training completion.
LEARNING WHAT YOU NEED & WHEN YOU NEED IT
48. DATA DISPOSAL
ELECTRONIC STORAGE:
• Configure copy machines that may be used for highly confidential or restricted data to securely delete after each use.
• Define a process by which client data will be retained or removed from the Accenture environment prior to the end of the engagement. Specify duration, cleansing, and method of purging.
E-DATA:
• Securely delete/destroy electronic files or objects containing highly confidential or restricted data, including physical media, using Eraser or an approved equivalent once the data is no longer needed. (Overwrite-based tools such as Eraser are not reliable on SSD/flash media; use the drive's built-in sanitize function or physical destruction for those.)
HARD COPIES:
• Physically destroy hard copies containing client data via a crosscut shredder, or deposit them in a secure shred bin.
SECURELY DELETE, DESTROY, OR RETURN
49. REUSE OF WORK PRODUCTS
PLAN FOR THIS:
• Designate a single point of control for sharing or removing engagement files or information outside of the client team or client environment (outbound work products). Requests for information (internal or client) must be routed to the appropriate process.
• Maintain a log of outbound documents.
AND THIS:
• Confirm removal of other clients' data from files and work products before bringing them into the client environment.
• Scrub all client data from deliverables before transferring them outside the engagement environment.
• Name a point of contact who gives direction and answers questions about what can or cannot be reused.
DO THIS:
• Identify client intellectual property or trade secret rules and use these to develop an engagement procedure for the reuse of engagement work products (scan, sanitize client data, approve, log, etc.). This includes (but is not limited to) requests from others, individual reuse, and contributions to the Knowledge Exchange (KX).
KNOW & FOLLOW WHAT THE CONTRACT STATES
50. SECURITY INCIDENT REPORTING
IF YOU SUSPECT, CALL ASOC. THEY WILL HELP.
• Report any suspected security concern, one which may have or has resulted in the loss or unauthorized acquisition of information relating to any person or any other confidential information, or any request for law enforcement notification, to the Accenture Security Operations Center (ASOC).
• ASOC can help you talk with clients.
Accenture Security Operations Center
+1.202.728.0645
STORE THIS NUMBER IN YOUR PHONE NOW
India local number +91 80 4106 2762
Japan local number +81 45 330 7189
Philippines local number +63 (2) 620-2058
None of our active contracts under the Banco Bradesco master client require that the client be notified in case of loss or theft of equipment. However, always check with your Contract Manager to confirm this.
51. SECURITY INCIDENT REPORTING
IF AN INCIDENT COULD INVOLVE EUROPEAN PI
• The client (the data controller) must be notified within 24 hours.
• Regulators must be notified within 72 hours of the controller becoming aware of the breach (GDPR Article 33).
52. ENVIRONMENT SPECIFIC CONTROLS
REVIEW MORE INFO FOR TOPICS SUCH AS THOSE BELOW, AND ADD ENGAGEMENT-LEVEL PROCEDURES TO STRUCTURE A DISCUSSION WITH YOUR TEAMS:
• De-identifying personal data in non-production environments
• Conducting all activities in approved “clean room” environments
• Maintaining copies/extracts of production data on the client's access-controlled servers at all times
• Blocking offloading of data from local workstations
SECURE DATA IN ENVIRONMENTS
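De-identifying personal data before it reaches non-production is the one item on this slide with a concrete technique behind it, and it is also where most leaks of client PI into test systems happen (a column nobody mapped, an unkeyed hash that is trivially reversed from a list of known emails). The following Python is an added example and not code from the original deck or from any Accenture tool. It assumes a hypothetical customer table and a per-engagement secret (DEID_KEY, constructed here) and shows keyed pseudonymization that keeps joins working, generalization of dates of birth, phone masking, and a final check that no original identifier survives in the output.

```python
import hashlib
import hmac
import re

# Constructed sample of production rows (fictitious people; not real client data).
# The same customer appears twice so we can check that pseudonyms stay consistent.
PROD_ROWS = [
    {"customer_id": "C-10042", "email": "Ana.Souza@example.com",
     "phone": "+55 11 91234-5678", "dob": "1984-03-17", "balance": 1250.40},
    {"customer_id": "C-10043", "email": "joao.lima@example.com",
     "phone": "+55 21 99876-5432", "dob": "1991-11-02", "balance": 88.00},
    {"customer_id": "C-10042", "email": "ana.souza@example.com",
     "phone": "+55 11 91234-5678", "dob": "1984-03-17", "balance": 1300.00},
]

# Hypothetical pseudonymization key (assumption for this example). In practice it is
# generated per engagement, held in a secrets manager on the production side, and
# never copied to the non-production environment that receives the output.
DEID_KEY = b"engagement-deid-key-change-me"

DIRECT_IDENTIFIERS = ("customer_id", "email", "phone", "dob")


def pseudonymize(value: str, key: bytes, prefix: str = "") -> str:
    """Keyed one-way token (HMAC-SHA256, truncated to 16 hex chars).

    Equal inputs give equal tokens, so joins across tables keep working. Without
    the key the token cannot be reversed or recomputed, which is what separates
    this from a plain hash that anyone can brute-force from a list of known
    emails or ID numbers.
    """
    normalized = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:16]}"


def generalize_dob(iso_dob: str) -> str:
    """Reduce a full date of birth to a five-year birth band (e.g. 1980-1984)."""
    year = int(iso_dob[:4])
    start = year - (year % 5)
    return f"{start}-{start + 4}"


def mask_phone(phone: str) -> str:
    """Keep the country code and the last two digits; blank everything else."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        return "*" * len(digits)
    return digits[:2] + "*" * (len(digits) - 4) + digits[-2:]


def deidentify(row: dict, key: bytes) -> dict:
    """Return a copy of the row that is safe for non-production use."""
    out = dict(row)  # non-identifying business fields (balance) are kept as-is
    out["customer_id"] = pseudonymize(row["customer_id"], key, prefix="P-")
    # Keep the field email-shaped for fixtures, but on the reserved .invalid TLD
    # so no real mailbox can ever receive mail from a non-production system.
    out["email"] = pseudonymize(row["email"], key, prefix="user-") + "@example.invalid"
    out["phone"] = mask_phone(row["phone"])
    out["dob"] = generalize_dob(row["dob"])
    return out


def deidentify_rows(rows: list, key: bytes = DEID_KEY) -> list:
    return [deidentify(r, key) for r in rows]


def leaked_identifiers(original_rows: list, deid_rows: list) -> set:
    """Failure-mode check: original direct identifiers that still appear anywhere
    in the de-identified output (for example a column someone forgot to map)."""
    originals = {str(r[f]).lower() for r in original_rows for f in DIRECT_IDENTIFIERS}
    haystack = " ".join(str(v).lower() for r in deid_rows for v in r.values())
    return {v for v in originals if v in haystack}


if __name__ == "__main__":
    safe = deidentify_rows(PROD_ROWS)
    for r in safe:
        print(r)
    print("leaked:", leaked_identifiers(PROD_ROWS, safe) or "none")
```

Run the leak check against every extract before it leaves the production side; it is cheap, and it is the control that catches the unmapped column. Birth bands and masked phones are irreversible, so they are the right choice for fields that test logic only needs approximately; the keyed pseudonym is the right choice for fields that must still join.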
53. SECURE APPLICATION DEVELOPMENT
ASK QUESTIONS OF SUBJECT MATTER EXPERTS IF DELIVERING THIS SERVICE:
Create a Secure App Dev Plan based on the guidance of the relevant Accenture Delivery Methods
(ADM) and document it within the Secure App Dev Addendum.
Secure Coding Controls confirm requirements for: Java, C/C++, ABAP, .NET, Web Application, General Application Security, and Data Protection by Design.
For applications that have access to highly confidential client customer data or restricted client
business data, prior to significant code changes being moved to production by Accenture, client,
and/or third party, ensure:
1. A scan has been conducted.
2. Findings are remediated.
3. Where findings are not remediated, appropriate client sign-off has been obtained and documented.
MAKE A PLAN & FOLLOW IT
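The three-step gate above (scan, remediate, otherwise documented client sign-off) is simple enough to enforce in the pipeline rather than by hand, which also makes the common mistakes visible: a scan that belongs to a different change, or a sign-off that names no approver. The following Python is an added example and not code from the original deck or any Accenture tooling; the scan report, sign-off register, field names and change IDs are constructed for illustration.

```python
# Constructed scan report for one change (hypothetical field names and IDs).
SCAN_REPORT = {
    "change": "CHG-2041",
    "tool": "sast",
    "completed": "2019-03-04",
    "findings": [
        {"id": "F-1", "severity": "high", "status": "remediated"},
        {"id": "F-2", "severity": "critical", "status": "open"},
        {"id": "F-3", "severity": "low", "status": "open"},
    ],
}

# Constructed sign-off register. A sign-off counts only if it names the finding,
# the change it was given for, an approver, a date and a reference to the record.
SIGNOFFS = [
    {"finding": "F-2", "change": "CHG-2041", "approved_by": "client.security.lead",
     "date": "2019-03-05", "reference": "risk-acceptance-0087"},
    # Given for an earlier change; must not be reused for CHG-2041.
    {"finding": "F-3", "change": "CHG-1999", "approved_by": "client.security.lead",
     "date": "2019-01-10", "reference": "risk-acceptance-0051"},
]

REQUIRED_SIGNOFF_FIELDS = ("approved_by", "date", "reference")


def release_gate(scan: dict, signoffs: list, change: str) -> tuple:
    """Return (allowed, reasons). Empty reasons means the change may go to production."""
    # 1. A scan has been conducted, and it is the scan for this change.
    if scan is None or scan.get("change") != change or "findings" not in scan:
        return False, [f"no completed scan recorded for {change}"]
    # Index documented sign-offs by (finding, change); incomplete records do not count.
    documented = {
        (s["finding"], s["change"])
        for s in signoffs
        if all(s.get(f) for f in REQUIRED_SIGNOFF_FIELDS)
    }
    reasons = []
    for f in scan["findings"]:
        # 2. Findings are remediated ...
        if f["status"] == "remediated":
            continue
        # 3. ... or, where not, client sign-off for this change is documented.
        if (f["id"], change) not in documented:
            reasons.append(
                f"{f['id']} ({f['severity']}) is {f['status']} "
                f"with no documented client sign-off for {change}"
            )
    return (not reasons), reasons


if __name__ == "__main__":
    allowed, why = release_gate(SCAN_REPORT, SIGNOFFS, "CHG-2041")
    print("allowed" if allowed else "blocked", why)
```

With the constructed data the gate blocks: F-2 is accepted by the client for this change, but F-3 only carries a sign-off from an older change. The gate deliberately does not filter by severity; if the engagement's contract allows low findings through without sign-off, that threshold should be written into the gate where it can be reviewed, not applied informally.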
54. GENERAL INFRASTRUCTURE / HOSTING
REVIEW MORE INFO, AND DISCUSS WITH YOUR TEAMS, ALONG WITH RELEVANT ENGAGEMENT-LEVEL PROCEDURES:
• Change Management
• Systems & System acceptance procedures
• Disaster recovery procedures
• Disposal & re-use of equipment and media
• Synchronizing applications with common/universal time sources
• Reconciliation of user accounts before moving into production
• Remote access, account lock-outs, & session termination timing
• Environments for systems that access highly confidential or restricted data
• Segregation of client systems containing sensitive data (i.e., a dedicated zone or environment)
• Patching & vulnerability scanning
• Contractual requirements
• Configuring devices
• Encryption
• Antivirus
• Managing client email
ESTABLISH, MAINTAIN, & REVISIT YOUR PLANS
55. FIREWALL & IDS / IPS
ESTABLISH PROCESSES TO MINIMIZE VULNERABILITY.
• Only enable ports that are needed to provide defined services.
• Maintain a log of access to and use of firewalls.
• Use a formal approval process, based on business need, for all new external connections.
• Test the effectiveness of your firewall.
MONITORING FOR INCIDENTS & TAKING ACTION
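Two of the bullets above, enabling only the ports that back defined services and testing the firewall's effectiveness, are best checked together: scan the zone from the outside and compare what is reachable with the register the approval process produced. The following Python is an added example, not code from the original deck or any Accenture tool. It parses nmap's grepable (-oG) output format; the scan output, host names, addresses and the approved-service register are constructed for illustration.

```python
# Constructed nmap grepable (-oG) output for two hosts; names and addresses are fictitious.
SCAN_OUTPUT = """# Nmap 7.70 scan initiated Mon Mar  4 09:12:01 2019 as: nmap -sS -oG - 10.20.30.5 10.20.30.7
Host: 10.20.30.5 (db01.example.internal)\tStatus: Up
Host: 10.20.30.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (996)
Host: 10.20.30.7 (web01.example.internal)\tStatus: Up
Host: 10.20.30.7 (web01.example.internal)\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (998)
# Nmap done at Mon Mar  4 09:12:40 2019 -- 2 IP addresses (2 hosts up) scanned in 39.2 seconds
"""

# Hypothetical register of defined services: host -> {(port, protocol): justification}.
# This is what the formal approval process should produce; anything else open is a finding.
APPROVED_SERVICES = {
    "10.20.30.5": {(22, "tcp"): "SSH from the admin jump host",
                   (1433, "tcp"): "SQL Server for the app tier"},
    "10.20.30.7": {(443, "tcp"): "HTTPS front end",
                   (22, "tcp"): "SSH from the admin jump host"},
}


def parse_grepable(text: str) -> dict:
    """Map each scanned host to the set of (port, proto, service) nmap reported as open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment header and the 'Nmap done' trailer
        fields = line.split("\t")
        host = fields[0].split()[1]
        observed.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each entry is port/state/proto/owner/service/rpc info/version/
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    observed[host].add((int(parts[0]), parts[2], parts[4]))
    return observed


def audit(scan_text: str, approved: dict) -> tuple:
    """Compare what the scanner can reach with what was approved.

    Returns (unapproved, unreachable):
      unapproved  - host -> open ports with no defined service (rule set too permissive)
      unreachable - host -> approved services the scan did not see open (the rule set or
                    the service may be broken; confirm which before anyone 'fixes' it by
                    opening more)
    """
    observed = parse_grepable(scan_text)
    unapproved, unreachable = {}, {}
    for host in sorted(set(observed) | set(approved)):
        seen = observed.get(host, set())
        allowed = approved.get(host, {})
        seen_keys = {(p, proto) for p, proto, _ in seen}
        extra = sorted(item for item in seen if (item[0], item[1]) not in allowed)
        missing = sorted(k for k in allowed if k not in seen_keys)
        if extra:
            unapproved[host] = extra
        if missing:
            unreachable[host] = missing
    return unapproved, unreachable


if __name__ == "__main__":
    extra, missing = audit(SCAN_OUTPUT, APPROVED_SERVICES)
    for host, ports in extra.items():
        print(f"{host}: open without an approved service: {ports}")
    for host, ports in missing.items():
        print(f"{host}: approved but not reachable: {ports}")
```

On the constructed scan the database host exposes RDP (3389) and the web host exposes 8080, neither of which is in the register, while the approved SSH path to the web host is not reachable. Run the scan from the network position the rule is meant to protect against (outside the zone, not from the firewall itself), and file the output with the firewall log so the test is evidence, not just an activity.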
56. LOGGING & MONITORING
MAINTAIN LOGS OF SUCCESSFUL AND FAILED USER LOGINS, LOGS OF ACCESS TO AND USE OF NETWORK RESOURCES, AND SECURITY EVENT LOGS:
• Review MORE INFO
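A log of successful and failed logins is only a control if something reads it. The following Python is an added example, not code from the original deck or any Accenture tool, showing one minimal detection over constructed sshd lines: a per-source sliding window of failed logins that flags a burst of failures and, with higher priority, a success from a source that has just produced such a burst. The log lines, host names, addresses and the assumed year (syslog timestamps carry none) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (fictitious hosts, users and addresses).
AUTH_LOG = """Mar  4 09:14:01 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 09:14:03 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Mar  4 09:14:05 app01 CRON[2233]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  4 09:14:06 app01 sshd[2234]: Failed password for invalid user admin from 203.0.113.9 port 51026 ssh2
Mar  4 09:14:09 app01 sshd[2235]: Failed password for root from 203.0.113.9 port 51028 ssh2
Mar  4 09:14:12 app01 sshd[2236]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 09:14:15 app01 sshd[2237]: Failed password for root from 203.0.113.9 port 51032 ssh2
Mar  4 09:14:40 app01 sshd[2240]: Accepted password for svc_backup from 203.0.113.9 port 51090 ssh2
Mar  4 09:20:11 app01 sshd[2301]: Accepted publickey for jdoe from 10.20.30.2 port 40122 ssh2: RSA SHA256:Qk3...
Mar  4 09:21:00 app01 sshd[2310]: Failed password for jdoe from 10.20.30.2 port 40130 ssh2
Mar  4 09:21:05 app01 sshd[2310]: Accepted password for jdoe from 10.20.30.2 port 40130 ssh2
"""

# Syslog lines have no year; this is an assumption for the sample only.
ASSUMED_YEAR = 2019

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str):
    """Return a dict for sshd login events, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"].lower(),
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Two detections over a per-source sliding window of failed logins.

      brute_force            - the threshold-th failure from one source inside the window
      success_after_failures - a successful login from a source that is over the threshold

    Returns (kind, source, user, timestamp) tuples in time order.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once per burst, not on every extra failure
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"].isoformat()))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTH_LOG.splitlines()):
        print(alert)
```

On the sample, 203.0.113.9 trips the brute-force rule on its fifth failure and then logs in as svc_backup 25 seconds later, which is the event worth paging on; jdoe's single typo followed by a success produces nothing. Keying the window on the source address rather than the user is deliberate: password spraying rotates users and would never trip a per-user counter.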
TRACK WHO HAS ACCESS & FOR HOW LONG
57. PATCHING
DEVELOP, DOCUMENT AND IMPLEMENT A PATCHING SCHEDULE IN ACCORDANCE WITH THE TERMS AND CONDITIONS OF YOUR CONTRACT, AND SEEK WRITTEN CLIENT SIGN-OFF OF THE SCHEDULE.
Maintain an inventory of all infrastructure in scope:
• Server/database name
• Asset owner
• Criticality
• Environment (dev/test/prod)
SET & FOLLOW YOUR PATCHING SCHEDULE
58. DATABASE BACKUP
Establish and maintain system backup and restore procedures that confirm the implementation of security controls such as encryption and secure tape handling.
• Encrypt database backups to the minimum standard.
• Involve the client to keep them informed and gain consent.
• Implement physical access control and use high-security fireproof cabinets.
• Test backups.
• Run backup restoration drills at least annually.
Prior to taking ownership of backup media, document and inventory them to validate location, labeling, quantities, and security. Obtain client sign-off/acknowledgement.
• Properly label the media and register them in a backup media inventory.
BACKUP & RESTORE SHOULD SUPPORT SECURITY
60. NOW YOU KNOW MORE
Review the next slides for more things you can do to continue to learn.
WHAT ARE YOU GOING TO DO ABOUT IT?
• You should better understand what types of risk are being controlled for on your project.
• You should now know who to talk to if you have questions.
• We've given information on our CDP structure and what Data Classification means.
• We told you what to do with a security concern.
61. BE THE CHANGE
Become an Information Security Advocate!
IS Advocates are significantly less likely to experience a security incident compared to the general Accenture population.
• Lead by example and complete brief learning activities, or check your IS Advocate status.
• More than 100,000 people have become IS Advocates, and the IS Advocate program is mandatory for high-risk client teams across Accenture.
• Follow the IS Advocate Program Circle to connect with others learning about information security!
DECREASE RISK FOR YOUR ACCOUNT
62. SKILL UP
Become CDP Certified.
CDP Leads improve their overall CDP effectiveness and compliance for themselves and their accounts.
• Build the foundation for your role by completing ~4 hours of training and passing an exam.
• Join the more than 3,500 CDP-certified people across Accenture.
• Maintain your skills by following the CDP Community of Practice and attending at least one call per year. Calls are held quarterly.
SEEK KNOWLEDGE AND STAND OUT
63. KNOW RESOURCES
Bookmark and regularly visit the CDP webpages: guidance, tools and resources, and program updates.
Use content in the IS Toolkit to increase knowledge on your account: resources and information, including learning activities.
Subscribe to the CDP Newsletter.
• Use the ‘CDP True Story’ on team meeting agendas to spur discussion.
• Test your teammates on their knowledge.
• Create your own account-tailored CDP Newsletter, using this content to start.
• Share your account successes with the CDP Team to bring leading practices forward for others.
USE RESOURCES
64. INDUSTRY STANDARDS
For your awareness: Accenture has received ISO/IEC 27001:2013 certification from BSI that recognizes:
“The information security management system for the protection by the Client Data Protection (CDP) programme of all client data handled by Accenture global organisations, in accordance with the Accenture ISMS Statement of Applicability version 5.9 dated 6th October 2016, and covering all the local operating entities listed therein.”
Our certificate is attached.