Monthly Archives: July 2018

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?


Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk assessment, Security, Third parties, Vendors

Fraudster

“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3.  Investors alleged Theranos had defrauded them by making false statements about the company’s technology.

This joins the long (and growing) list of people suing for harm caused by this company.  Are the directors in the dock?  The CEO and former president are.

False statements are information, in a sense.  This is the kind of basic, bog-standard stock fraud that led to the creation of the SEC.

Who’s going to get the last drop of blood out of this stone?


Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Protect information assets

Protecting key information

“Hacker Allegedly Tried to Sell Drone Data,” The Wall Street Journal, July 12, 2018 A3.  Hacker tries to sell maintenance documents for a drone, documents stolen from an Air Force officer’s computer.

How well does the government protect sensitive information?  Apparently, the hack exploited the failure to properly configure a router.

What happened to the Air Force officer, who apparently failed to adequately protect classified information?  The IT guy who configured the router?


Filed under Access, Compliance, Compliance (General), Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, IT, Policy, Protect assets, Security

Falsely shouting fire?

“FCC Proposes Revamp Of Online Documents,” The Wall Street Journal, July 12, 2018 A3.  Proposed revision to process for receiving public comments after fake comments filed in the net neutrality discussion.

How does the government restrict our ability to lie to the government where the payment of money or the issuance of a license is not at issue?  Is filing comments under someone else’s name not protected speech?  Or is it fraud?  Yes it’s false, but is it fraud, if all you’re trying to do is sway a regulator’s position?  Is this the same as falsely shouting fire in a crowded theater?

I’m not in favor of submitting comments under a false name or names.  But can the government protect this when people are attempting to petition their elected representatives?

I file this as a restriction on the ability of government to govern all behavior (therefore Governance) and under Information (does it matter that it’s fake?).  Maybe Compliance, seeing as the Constitution applies.


Filed under Accuracy, Controls, Data quality, Definition, Duty, Governance, Government, Information, Third parties

CEOs in the news

“Ex-CEO at Oil Driller Settles SEC Inquiry On Undisclosed Loans,” The Wall Street Journal, July 17, 2018.  CEO had taken more than $10 million in loans from vendors in return for awarding contracts.

He used the money to cover margin calls and to maintain an extravagant lifestyle.  Also caught up in the scandal was a former portfolio manager who got a seat on the company’s board.

CEOs get hammered, too, for conflicts and poor ethics.


Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Investor relations, Oversight, Policy, Third parties, Vendors

Loose Lips, Volume III

“Egypt Passes Media Law Targeting ‘Fake News,’” The Wall Street Journal, July 17, 2018 A18.  Traditional media and larger social media outlets now subject to penalties for spreading fake news, defaming, or inciting hatred.

Think how quiet the TV would be in the US if there was a similar law here.  Oh, wait.  We still have the First Amendment.


Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Employees, Governance, Information

Loose lips volume II

“Chips CEO Resigns Over Conduct,” The Wall Street Journal, July 18, 2018 B1.  CEO of Texas Instruments fired/forced-to-resign after two months for violating company’s Code of Conduct.  Probably no package, either.  No details on the nature of the violation.

It’s nice when a company enforces its policies against the CEO.  Sends a message to the worker bees.


Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight, Policy

Loose lips sink ships

“Paramount TV’s Head Fired Over Remarks,” The Wall Street Journal, July 20, 2018 B3. Amy Powell fired over remarks of a racial nature.  Probably got a cinder block parachute, although the article doesn’t say.

Good news is that someone reported the remarks to HR, as the policy probably required.

I’d file under

(a) Governance (maintaining the culture you want, by applying standards to the top of the shop as well),

(b) Compliance (enforcing your firm’s ethics) (and the policy worked when an employee followed it and reported the remarks), and

(c) Information (what you say in the course of your job is also “information” that is subject to company control).


Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Employees, Governance, Information, Internal controls, Policy, To report

Wells Fargo, revisited, again

“Wells Refunds Millions to Clients,” The Wall Street Journal, July 20, 2018 B1. Wells Fargo refunds insurance premiums to hundreds of thousands of customers who bought “add-on” services such as pet insurance, identity theft, home warranties, debt protection, and legal services.

This comes amidst an investigation by the CFPB as to whether the way these products were marketed was legal.

The last two years have been tough for Wells Fargo.  How deep did the cultural rot go?

File this one under (a) Governance and (b) Compliance.  And I guess under (c) Information, as well, if you do business with Wells Fargo.  Do the directors pay for this, too?


Filed under Compliance, Compliance (General), Corporation, Culture, Directors, Duty, Governance, Information, Oversight, Risk assessment

What business are you in?

“State Street Intensifies Its Shift Into Data,” The Wall Street Journal, July 21, 2018 B12.  Firm, formerly focused on holding securities belonging to others and doing some associated accounting services, buys Charles River Systems, which performs a whole host of financial data services with its software.

What happens when you acquire a business that you are only basically familiar with?  This isn’t a vertical or horizontal acquisition.  What controls do you put in place?  Does it matter that the new business is almost 100% information-related?  What does your risk assessment look like?

This is one to watch.


Filed under Controls