Category Archives: Vendors

Who exactly are your partners?

“U.S. Probes Microsoft on Bribery,” The Wall Street Journal, August 24, 2018 B1.  DOJ probes sales of software licenses to middlemen for ultimate sales to smaller governments.

Did the middlemen in, say, Hungary, share their discounted purchase price with government officials by way of bribes?  Even if they did, is Microsoft liable?  Unless the middlemen were Microsoft sales agents (who didn’t take title to the software licenses), or Microsoft knew of the scheme, hard to see FCPA liability for Microsoft.  Were the middlemen business partners of Microsoft, or just intermediate purchasers?

The ethics of the people with whom you do business can come back to bite you.  Your policies may apply by contract to consultants and third parties that you engage, but do they apply to the people to whom you sell/license your product?

 

 

 

Advertisements

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Oversight, Policy, Third parties, Vendors

Finally, we have a winner

At least somebody goes to jail for leaking top secret information about Russian hacking of elections.  In less than a year and a half.

“Former Intelligence Contractor Gets Five Years in Prison for Leak,” The Wall Street Journal, August 24, 2018 A2. Reality Winner, a contract worker at the NSA, gets sentenced for leaking a secret report on election hacking by the Russians from the NSA to a news outlet.

The rules do need to be enforced from time to time, or they are more like guidelines.  And contractors seem to be a weak link.

Did anyone else in the chain of command get punished?  If she were in Washington, DC, rather than Augusta, Ga., would she have faced the same fate?

See also https://infogovnuggets.com/2017/06/06/we-have-a-winner/.

 

 

Leave a comment

Filed under Compliance, Compliance (General), Controls, Duty, Employees, Governance, Internal controls, Oversight, Protect assets, Third parties, Vendors

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Leave a comment

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

CEOs in the news

“Ex-CEO at Oil Driller Settles SEC Inquiry On Undisclosed Loans,” The Wall Street Journal, July 17, 2018.  CEO had taken more than $10 million in loans from vendors in return for awarding contracts.

He used the money to cover margin calls and to maintain an extravagant lifestyle.  Also caught up in the scandal was a former portfolio manager who got a seat on the company’s board.

CEOs get hammered, too, for conflicts and poor ethics.

 

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Investor relations, Oversight, Policy, Third parties, Vendors

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

What business are you in?

“Google Bans AI in Weapons,” The Wall Street Journal, June 8, 2018 B4. Google prohibits the use of certain of its artificial information technology in weapons systems.

Do you restrict how others can use your information?  How do you enforce that?  I thought Google was in the information business.

Leave a comment

Filed under Access, Controls, Duty, Governance, Information, Internal controls, Ownership, Policy, Third parties, Vendors

Equifax Hack went deeper

This is old news.  This post never made it out of “Drafts.”  But worthy of note.

The hack at Equifax that may have affected 145.5 million people went deeper than Equifax originally reported.

“Equifax:Hack Went Deeper,” The Wall Street Journal, February 10, 2018 B10.  In addition to names, addresses, driver’s license numbers, and Social Security Numbers, the hack may have reached tax id numbers, email addresses, and additional driver’s license information.

It’s comforting (?) to know that your personal email address isn’t considered either (a) yours or (b) “sensitive,” at least in the US.

Have any of the Equifax directors been sued by their shareholders?  The CEO retired.  The shareholders are paying for all this.

See, also, the post from February 11 about the spat between Equifax and Senator Warren about whether the hack reached passport numbers. https://infogovnuggets.com/2018/02/11/believable-denials/

Leave a comment

Filed under Access, Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Oversight, Ownership, Protect assets, Protect information assets, Security, Value, Vendors