At least somebody goes to jail for leaking top secret information about Russian hacking of elections. In less than a year and a half.
“Former Intelligence Contractor Gets Five Years in Prison for Leak,” The Wall Street Journal, August 24, 2018 A2. Reality Winner, a contract worker at the NSA, gets sentenced for leaking a secret report on election hacking by the Russians from the NSA to a news outlet.
The rules do need to be enforced from time to time, or they are more like guidelines. And contractors seem to be a weak link.
Did anyone else in the chain of command get punished? If she were in Washington, DC, rather than Augusta, Ga., would she have faced the same fate?
See also https://infogovnuggets.com/2017/06/06/we-have-a-winner/.
Filed under Compliance, Compliance (General), Controls, Duty, Employees, Governance, Internal controls, Oversight, Protect assets, Third parties, Vendors
“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”
I can see what’s in it for Facebook, and maybe for the banks. But isn’t this your information? Shouldn’t you have some control over what the banks do with it? Are you comfortable with the controls the banks and Facebook will place on this information? It might be convenient for you, but at what risk?
Do we remember Cambridge Analytica? Will Facebook try to do this in Europe?
To whom do you complain? Your elected representative? Your bank? The state or federal regulators?
Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?
This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk assessment, Security, Third parties, Vendors
“Hacker Allegedly Tried to Sell Drone Data,” The Wall Street Journal, July 12, 2018 A3. Hacker tries to sell maintenance documents for a drone, documents stolen from an Air Force officer’s computer.
How well does the government protect sensitive information? Apparently, the hack exploited the failure to properly configure a router.
What happened to the Air Force officer, who apparently failed to adequately protect classified information? The IT guy who configured the router?
Filed under Access, Compliance, Compliance (General), Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, IT, Policy, Protect assets, Security
“SEC Takes Close Look At Facebook Data Lapse,” The Wall Street Journal, July 13, 2018 B1. SEC looks at whether Facebook responded appropriately after learning that user data was being used inappropriately.
Is keeping investors apprised of violations of contracts or policies part of your crisis response process? Even when it wasn’t “your” data that was breached? Would you have caught this in time to avoid an SEC inquiry?
Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, Investor relations, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, To report
“Secret Formula, Intelligence Tests Fuel Buyout Firm,” The Wall Street Journal, July 10, 2018 A1. Private equity fund has a list of 110 best practices, against which software companies are measured for investment.
How does the fund keep those secret, after a page-one story in the WSJ? Is it enough to maintain the practices “on a company server that makes a record every time anyone downloads or prints them”?
But reusing ideas that have worked in the past makes sense.
“Former Equifax Manager Is Charged,” The Wall Street Journal, June 29, 2018 B3. To respond to the huge privacy breach at Equifax last year, the company set up a website to help some of those affected. The former software manager setting up that website bought some options, betting that Equifax’s stock would go down once the breach was discovered. He faces criminal and civil charges.
Who would have thought a software engineer needed insider trading education?
Filed under Access, Compliance, Compliance (General), Controls, Culture, Duty, Duty of Care, Employees, Governance, Internal controls, Legal, Oversight, Policy, Protect assets, Requirements