Category Archives: Protect assets

The dog that didn’t bark

In a departure from normal practice, I comment upon an event unreported, as far as I can tell, in The Wall Street Journal.  For me, some things transcend politics.

Maybe I missed it.  Or maybe The Wall Street Journal didn’t see fit to print the leaked transcripts of President Trump’s post-inauguration phone calls with the leaders of Mexico and Australia.

What does it say that this story, blaring over the TV newswires, wasn’t printed?  Does it say something about some organizations placing the Nation’s security above their own circulation numbers?  Is that a control you can rely on?  Apparently not from everyone.

Even if the paper had printed or did print something on this, what does the leak of those transcripts say about information governance?  First, does the White House have adequate controls and culture in place?  Clearly not.  Maybe General Kelly can help with that.

But what about the person who signed an oath and nonetheless decided to leak these classified transcripts to the press, thinking little or nothing about the impact on future calls between world leaders?  What’s their understanding of duty?  Placing the Nation’s needs above those of party or self?

Hang ’em high.


Filed under Access, Compliance, Controls, Culture, Duty, Employees, Governance, Government, Internal controls, Protect assets, Third parties

Going to the movies

Sony was not alone.  HBO gets hacked, too, and Netflix.  Is nothing sacred?

“Hackers Stole HBO Programming,” The Wall Street Journal, August 1, 2017 B2.  Game of Thrones may be coming sooner than planned.  The hacker also got personal information on at least one executive.

How well is your information protected?  What’s that protection worth?


Filed under Access, Controls, Governance, Information, Internal controls, IT, Management, Protect, Protect assets, Protect information assets, Security, Value

Cyberattacks, revisited

It’s Groundhog Day.  Or becoming a dog-bites-man story.

“Cyberattack’s Fallout Fuels Scramble,” The Wall Street Journal, June 29, 2017 B3. A ransomware attack through Microsoft Windows hits Maersk, Merck, WPP, and Rosneft, among others.  Surgeries disrupted at a Pennsylvania hospital.  “Hospital Operator In Pennsylvania Works to Recover,” The Wall Street Journal, June 29, 2017 B3.

Does this become so routine we forget people are supposed to take steps to prevent it?  Do cyberattacks make the board agenda, without the tie to the greater information governance questions?  Is that progress?  Does industry not see the bigger risk?

 


Filed under Access, Controls, Duty of Care, Governance, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Value

Criminal charges for a CEO

Corporations get charged with criminal conduct from time to time.  But seldom does the CEO at the time also get charged.

“Barclays Hit With Fraud Charges,” The Wall Street Journal, June 21, 2017 B1.  Charges of fraud and illegal payments filed against the bank and its former CEO (and a few other executives) in the UK.

As usual, the shareholders get the bill for any fines (and any diminution in share value).  Curiously absent were any charges against the directors of the Bank’s Board at the time.  But maybe the failure of the Board to detect this level of criminal activity will result in civil suits against the directors for negligent supervision.

Maybe Shearman & Stirling can write another report. (See Wells Fargo posts, supra).  Willie Sutton wasn’t the only crook who knew where the money is/was.


Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Protect assets, Risk assessment, Supervision

Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?

 


Filed under Access, Accuracy, Communications, Compliance, Controls, Data quality, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Privacy, Protect assets, Risk, Third parties, Value

Duty of Directors

One of my common themes is the duty of directors.  They get paid a lot of money to act as fiduciaries for the company’s shareholders.

“Warren Keeps Pressure on Wells,” The Wall Street Journal, June 20, 2017 B10.  Senator Elizabeth Warren (D. Mass.) is leaning on the Federal Reserve (arguably an independent body) to remove 12 directors who served on Wells Fargo’s Board when the account-cramming scandal was going on.  Other problems have emerged at Wells Fargo since then.

The shareholders didn’t/couldn’t vote them out in April, and so far (as I know) the directors haven’t been held personally liable for negligent oversight.  So it’s nice that someone is still pursuing the people in charge at the time that (some of the) bad things were happening.

Some executives got fired or their bonuses were docked.  The shareholders lost a bundle in fines and penalties paid by the company.  It would be nice if the directors were held responsible and accountable — not just to penalize them, but to put other directors on notice of what they are getting paid to do, and for whom.

Would be nice to have a poster child for the director’s duty.


Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment, Supervision

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure is that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.


Filed under Access, Board, Controls, Corporation, Duty, Governance, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Security, Third parties, Vendors