“Wells Fargo Technology Under Scrutiny,” The Wall Street Journal, November 8, 2018 B11. Questions being raised about the technology the bank uses for cybersecurity and risk management.
Do you have the right technology to effectuate the controls you have placed around information? Will your regulators agree? If you are already on the regulator’s radar screen, will your controls measure up?
How do you protect information in the event of an Event? Is this part of your business continuity plan? You do have a business continuity plan, right? Do you have a process to safeguard information you will need to resume operation?
“Second Black Box Eludes Search Teams,” The Wall Street Journal, November 3, 2018 A6. Divers are still searching for the cockpit voice recorder following the crash of Lion Air flight 610 in Indonesia.
Planes carry two “black boxes,” one a flight data recorder (which captures a lot of equipment operating data) and the other a cockpit voice recorder (which captures conversation in the cockpit). The information on these two boxes (which are actually neon orange) is used to determine the cause of a crash.
What information does your company generate that you would need to run your business following an “Event,” such as a computer crash or a hurricane, or whatever? Is that part of your normal operating policies and procedures? If you can’t get to that information, can you restart or run your business?
Is this an Information point (protecting information), a Governance point (having processes and procedures to protect mission-critical information), or a Compliance point (following your policies and procedures)?
Have you ever misused your company credit card? How about used a company asset for your personal business?
“Gulfport CEO Exits Following Review,” The Wall Street Journal, November 2, 2018 B2. CEO resigns after investigation into his use of his company credit card (he had paid the charges back, eventually, without interest) and the company plane.
On departure, he gets $400,000 and 6 months of health care coverage. I don’t know whether that’s better than nothing.
The ground troops learn from their “betters.” Seeing the CEO get canned for policy violations firms up the perception of the seriousness with which the company treats violations of policy or procedure. More so than a ground troop getting canned.
Does your company publicize these stories?
“U.S. Charges Agents Of China Hacked Aviation Firms,” The Wall Street Journal, November 1, 2018 B4. Agents of the Chinese government indicted for trying to steal airline industry technology.
This is getting to be rather routine. One part of this is the value of Information, and the importance of information security. One part of this is Compliance, of course, as the US government is trying to protect US information assets (although the company at issue, and its board of directors, probably bore some responsibility for this as well). And, of course, Governance, as the US government is prosecuting.
We all know the business case for cyber-security.
“Facebook Draws U.K. Fine Over Sharing Data,” The Wall Street Journal, October 26, 2018 B4. Facebook fined half a million Pounds ($645,000) for letting Cambridge Analytica see and use user data. This is separate and apart from any fines the EU may impose.
Part of the problem is that Facebook didn’t do enough (i.e., anything) after it found out about Cambridge Analytica having accessed the data.
So, some points to consider:
- Whose information was it?
- Whose (and how many) rules (EU, UK, US, other) apply to (i.e., govern) a data breach?
- Why didn’t FB do anything after learning of the problem? Did it not have a process for handling a vendor that accessed data inappropriately? Doesn’t Governance require you to have such a process? Does Compliance entail requiring your vendors to follow a process, and penalizing them when they don’t?
- The fine here won’t go to the UK residents whose privacy was invaded. Is this a fine or a tax? It certainly isn’t damages.
“Treasury Employee Is Accused of Leaks,” The Wall Street Journal, October 18, 2018 A4. Employee arrested for allegedly disclosing confidential banking information about Paul Manafort, among others, to a reporter at BuzzFeed.
Leaking your employer’s information is hazardous to your health and freedom. But it’s good to know the government takes compliance seriously.
“On Hunt for Disinformation,” The Wall Street Journal, October 18, 2018 A3. Digital detective for the Vietnam Veterans of America tracks down fake Facebook pages used to scam veterans.
Is protecting your customers from fraud part of your offering? Are you concerned about someone else using your logo? Do you expect Facebook to care that much (hint: it doesn’t)?