Accenture’s Information Security group, charged with protecting the information of Accenture, its clients, its business partners and employees, worked through the learning curve of how the cyber security rating companies conduct their measurements. As a result, Information Security methodically matured and evolved an engineered process that put in place several regimes to identify, close and prevent security issues or potential issues on Accenture’s network.
Key regimes include:
Establishing a system to track IP address ownership
Large companies like Accenture own hundreds of thousands of public domains and IP addresses. Tracking who within the company owns which is no simple matter. In response, Information Security set up a team that focuses on identifying owners of every public domain, sub-domain and IP address registered with Accenture’s name. Information Security industrialized this process, leading the team to monitor for new use or registration on a daily basis, confirming ownership is assigned appropriately.
While Accenture already performs regular external vulnerability scanning, Information Security developed a custom solution for detecting additional items that are part of the cyber security risk rating companies’ scope. The solution targeted specific application security findings that Accenture could tailor to its security standards. While some tools exist on the market none of them quite fit the need Accenture had.
Raising visibility within the business
The reporting scorecards measuring cyber security performance generated by the security rating providers are shared with the chief operating officers of Accenture’s businesses on a weekly basis. This reporting enables Information Security to provide relevant remediation actions directly to Accenture teams by integrating the report findings into Accenture’s standard security compliance program.