Monthly Archives: December 2014

What’s it worth?

What are accurate customer accounts and accurate trading records worth?  Watch this space.

“Sentencing for Madoff Staff,” Wall Street Journal, December 8, 2014 C4.  Sentencing of employees of Bernie Madoff who were convicted for their part in the swindle.

I guess the value of information depends upon where you sit.


Filed under Business Case, Controls, Requirements, Risk, Value

Benford’s Law

“Benford’s Law expects 30.1% of numbers in a list of financial transactions to begin with a ‘1.’”  Go figure.  I would have thought it would be 10%, were the sample large enough.

“To Find Fraud, Just Do the Math,” Wall Street Journal, December 6, 2014 A2. When a greater-than-expected number of fours came up in a review of refunds paid, investigators looked deeper and found the outliers were committing fraud.  Benford’s Law led the way.  Interesting piece.

Security is a part of information governance.  Security includes those steps you take to make sure your employees aren’t stealing.  One of those steps is running the appropriate analytics.  Looking at the numbers differently may lead to different conclusions.
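The analytic the article describes, as an added example (not from the original post or the WSJ piece): compare the leading digits of a set of transaction amounts against Benford’s expected shares and flag any digit that shows up far more often than it should. The amounts below are constructed; the log-uniform series follows Benford exactly, and the second set has a block of suspicious $4xx refunds added.

```python
import math
from collections import Counter

def benford_expected():
    """Benford's expected share of each leading digit d: log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def first_digit(amount):
    """Leading non-zero digit of an amount, or None for zero.
    Scientific-notation formatting avoids floating-point edge cases."""
    amount = abs(float(amount))
    if amount == 0:
        return None
    return int(f"{amount:.15e}"[0])

def leading_digit_shares(amounts):
    """Observed share of each leading digit 1..9 and the sample size."""
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    counts = Counter(digits)
    n = len(digits)
    return {d: counts.get(d, 0) / n for d in range(1, 10)}, n

def benford_outliers(amounts, z_threshold=3.0):
    """Digits whose observed share exceeds Benford's expectation by more than
    z_threshold standard errors (binomial approximation), with their z-score.
    Only excesses are flagged: a padded digit is what the review is looking for."""
    observed, n = leading_digit_shares(amounts)
    flagged = {}
    for d, p in benford_expected().items():
        se = math.sqrt(p * (1 - p) / n)
        z = (observed[d] - p) / se
        if z > z_threshold:
            flagged[d] = round(z, 2)
    return flagged

# Constructed data: 600 amounts spread evenly in log space across three
# decades ($1 to $1000), which is exactly the distribution Benford predicts.
CLEAN = [10 ** (i / 200) for i in range(600)]
# Same ledger plus 60 constructed refunds between $400 and $459.
TAMPERED = CLEAN + [400.0 + i for i in range(60)]

if __name__ == "__main__":
    print("expected share of leading 1:", round(benford_expected()[1], 3))
    print("clean ledger outliers:", benford_outliers(CLEAN))
    print("tampered ledger outliers:", benford_outliers(TAMPERED))
```

With this data only the digit 4 is flagged on the tampered ledger, which is the pattern the investigators in the article followed up on.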


Filed under Analytics, Business Case, Collection, Controls, Information, Internal controls, Oversight, Protect assets, Risk, Use, Value

More lessons from Sony

What happens when you keep too much sensitive information longer than you really need it?

“Sony Cyberattack Hits Hollywood Stars, Too,” Wall Street Journal, December 5, 2014 B1. Recent hack got multiple copies of social security numbers, some from former employees.

Leaving aside how long you really need to keep that information, how many copies do you really need and do you adequately secure all those copies?  Maybe Europe’s approach isn’t that bad.


Filed under Board, Business Case, Collect, Controls, Duty of Care, Governance, HR, Interconnections, Internal controls, IT, Management, Oversight, Privacy, Protect, Protect assets, Protect information assets, Risk, Security, Third parties

Is what you get paid proprietary information?

One of the threads in the story of the recent Sony system hack is that the compensation of several senior executives was disclosed.

“Data Breach Sets Off Upheaval At Sony,” Wall Street Journal, December 4, 2014 B1.  Hackers, perhaps from North Korea, hacked the Sony system and released a bunch of information and five movies.  Compensation data on 17 employees being paid more than $1 million a year.

I can see how the company may want to keep what it pays its employees confidential, but is that really company information?  In the aggregate, maybe; but for an individual employee?  If a prospective new employer asks you what you’re being paid at your current job, is it acceptable for you to respond, “Sorry, that’s company confidential”?  Employers get nervous at the prospect of employees sharing salary information with one another; I don’t know what the NLRB says about that.  Whose information is it?  What controls can you/should you have in place?  How do you deal with breaches?


Filed under Controls, Definition, HR, Information, Internal controls, Ownership, Privacy


Two nuggets today.

We’re used to stores and banks offering customers credit monitoring and ID-theft protection following a hacking event.  Now Sony is offering such protections to its own employees after the Sony system hack.  “After Hack, Sony Offers Monitoring to Workers,” Wall Street Journal, December 3, 2014 B3.  Is that part of your breach response plan?

Meetings and email as time wasters, of up to 20 hours a week.  Culprits include people who invite too many people to meetings or cc too many people on emails. “Stop Wasting Everyone’s Time,” Wall Street Journal, December 3, 2014 D1.  Hiring consultants to identify and quantify the time wasters. Seven rules, reminiscent of The Hamster Revolution (to get less email, send less email).



Filed under Analytics, Business Case, Collect, Communications, Controls, Culture, Governance, HR, Information, Internal controls, Management, Oversight, Privacy, Protect, Risk, Use, Value

Sutton’s Law

Willie Sutton, a prolific bank robber, is reported to have responded to the question, “Why do you rob banks?” by saying “Because that’s where the money is.”

“Hackers Targeted Merger Discussions,” Wall Street Journal, December 2, 2014 B1.  Evidence from FireEye that hackers are targeting CFOs, advisory firms, and others (lawyers?) involved in acquisitions, in the hope of gaining an edge for investments.  Targets predominantly health care and pharmaceuticals.

Where’s the money or currency equivalent in your business? What information does your business have that would be most valuable to someone else?  Who is the most likely inside source of that information?  How protected and security-aware are they?


Filed under Board, Business Case, Controls, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk, Security, Third parties, Value

Is this an information delivery business?

Google’s Glass device is that wearable gadget that was all the rage for personal use.  But might it actually be more useful to business?

“Google-Glass Deal Thrusts Intel Deeper Into Wearables,” Wall Street Journal, December 1, 2014 B1.  Looking at the possible commercial use by employees who work with their hands but need access to up-to-date information.  Like “health care, construction and manufacturing ….”

Who else needs access to real-time information while leaving their hands free?


Filed under Data quality, Information, Operations, Use, Value

Learning to identify risk

The first step in performing a risk assessment, it is thought, is to identify the risks.  Then you institute measures to control them, and to mitigate the impact if your controls don’t work.

Bank examiners have recognized that there’s an important preliminary step: learning how to recognize these risks in the wild.

“Examiners Head for Cybersecurity School,” Wall Street Journal, December 1, 2014 C3. Regulators recognized the need for additional skills to deal with cybersecurity risks.

Is the same thing true of information governance?  Is it time for new skill sets?  Should the directors and senior managers get “dipped” in information governance and information-related risks?


Filed under Board, Business Case, Compliance, Duty of Care, Governance, Management, Oversight, Risk