This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk assessment, Security, Third parties, Vendors
“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3. Investors alleged Theranos had defrauded them by making false statements about the company’s technology.
This joins the long (and growing) list of people suing for harm caused by this company. Are the directors in the dock? The CEO and former president are.
False statements are information, in a sense. This is the kind of basic, bog-standard stock fraud that led to the creation of the SEC.
Who’s going to get the last drop of blood out of this stone?
Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Protect information assets
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is your private data somehow different?
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties
“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value
This is old news. This post never made it out of “Drafts.” But worthy of note.
The hack at Equifax that may have affected 145.5 million people went deeper than Equifax originally reported.
“Equifax: Hack Went Deeper,” The Wall Street Journal, February 10, 2018 B10. In addition to names, addresses, driver’s license numbers, and Social Security Numbers, the hack may have reached tax id numbers, email addresses, and additional driver’s license information.
It’s comforting (?) to know that your personal email address isn’t considered either (a) yours or (b) “sensitive,” at least in the US.
Have any of the Equifax directors been sued by their shareholders? The CEO retired. The shareholders are paying for all this.
See, also, the post from February 11 about the spat between Equifax and Senator Warren about whether the hack reached passport numbers. https://infogovnuggets.com/2018/02/11/believable-denials/
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Protect assets, Protect information assets, Security, Value, Vendors
And all on the same page.
- “U.S. Indicts VW’s Former CEO,” The Wall Street Journal, May 4, 2018 B1. Former CEO indicted in March for conspiracy and wire fraud following the emissions cheating scandal. Do CEOs go to jail?
- “Facebook Has Dual Standard On Privacy,” The Wall Street Journal, May 4, 2018 B1. If you’re in a special group in Facebook, you get an alert if someone accesses your profile; if you’re a muggle, or don’t work at Facebook, you don’t. Maybe this will change?
- “Theranos Hurt Big-Name Investors,” The Wall Street Journal, May 4, 2018 B1. Company said it had the technology to do a wide range of blood tests based on a few drops of blood. It didn’t, and a host of big-name investors lost a bundle. Is this a governance issue, an information issue, or a compliance issue? Don’t believe everything you hear; it’s costly. And don’t serve as a director without doing your own due diligence.
Filed under Access, Accuracy, Board, Compliance, Controls, Corporation, Culture, Data quality, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Policy, Protect information assets, Supervision
A departure from the one-story-one-post approach.
- “Israel Targets Iran Accord,” The Wall Street Journal, May 1, 2018 A1. Israel releases Iranian documents about a nuclear weapons program found in an abandoned warehouse. At least two themes: (a) What does information mean? Did Iran lie during negotiations? (b) Do you destroy documents/information that are/is no longer useful to you? What does it say when you don’t?
- “‘Fake News’ Law Snares an Offender,” The Wall Street Journal, May 1, 2018 A16. A visitor to Malaysia convicted and sentenced for publishing “fake news” about how quickly/slowly emergency services responded to a shooting. Interesting that the first conviction under the new law was of a foreigner.
- “Banks Draw Bead on Guns,” The Wall Street Journal, May 1, 2018 B1. Banks and credit card companies discuss tracking your purchases of guns. What will they do with that information? Is there other information they can deduce from your purchases that someone would like to track? Would your health insurer/doctor like to track your food and alcohol purchases? Whose information is that, anyway?
- “Guilty Verdict in Autonomy Case,” The Wall Street Journal, May 1, B2. Former CFO of Autonomy convicted of fraud in connection with the sale of Autonomy to HP for $11 billion in 2011. This was not some lower-level accountant accused of misstating aspects of a tax-motivated deal. Instead, the fraud overstated Autonomy’s revenue and generally misstated its financial results. The former CEO has also been sued in the UK for damages.
- “Facebook Shares the Shared,” The Wall Street Journal, May 1, 2018 B5. Now you can download any of 25 categories of the information that Facebook keeps on you. Your search history. When you liked or didn’t like something. Which and how many advertisers have your contact information. How many categories does Facebook have? We don’t know.
Filed under Access, Accuracy, Analytics, Communications, Compliance, Compliance (General), Controls, Corporation, Data quality, Definition, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets, Protect information assets, Technology, To report, Value