Category Archives: IT

Ownership

Appliances we use often capture data about how we use them.  Who owns that data, where is it stored, and what is it used for (and by whom)?

“What Your Car Knows About You,” The Wall Street Journal, August 18, 2018 B4. Large of amounts of data being collected from on-board devices, and used by car makers and others.

Will this lead to more targeted advertising?  May be worth $750 billion by 2030.  How much of that will the car owners get?

Sure, currently you have to opt in to this service.  You will read (and understand) the terms and conditions, won’t you?  And this will all be stored securely, with your privacy protected, won’t it?  Not that anyone could use your location or your driving habits against you.

Advertisements

Leave a comment

Filed under Access, Accuracy, Analytics, Controls, Information, Ownership, Privacy, Security, Technology, Value

Penalties

A key element of either Compliance or Governance (or both) is penalizing violations.  Otherwise, the rule is on paper only, and isn’t real.

“U.S. Steps Up Grid Defense,” The Wall Street Journal, August 6, 2018 A1. Government devising new penalties for foreign (and domestic) agents who hack into critical infrastructure.

Sounds good.  But might we be better off with a few more ounces of prevention (education, technology controls, testing, etc.)?  The “internal” controls.  By the time you’re penalizing folks, you’ve been hacked.

Leave a comment

Filed under Access, Compliance (General), Controls, Duty, Governance, Government, Interconnections, Internal controls, IT, Security, Technology, Third parties

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

If it’s not free

How much is it worth to you to have access to the Internet on a plane trip?  Apparently, less than they are charging for it.

“Airline Wi-Fi Isn’t Connecting to Profits,” The Wall Street Journal, July 26, 2018 B1.  Is it because the service is too slow, or too expensive?

I adjusted years ago to the lack of quality Internet service while in the air.  I actually like the peace.

But if an airline chose to compete by including this in the ticket price, would it drive traffic?  How many people actually pay for this out of their own pockets, rather than charging it off to their employers?  Do employers notice or care?  What’s your policy?

Is this Governance or Information?  Both?

 

 

Leave a comment

Filed under Access, Controls, Information, Interconnections, Internal controls, IT, Value

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Leave a comment

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

Protecting key information

“Hacker Allegedly Tried to Sell Drone Data,” The Wall Street Journal, July 12, 2018 A3.  Hacker tries to sell maintenance documents for a drone, documents stolen from a Air Force officer’s computer.

How well does the government protect sensitive information?  Apparently, the hack exploited the failure to properly configure a router.

What happened to the Air Force officer, who apparently failed to adequately protect classified information?  The IT guy who configured the router?

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, IT, Policy, Protect assets, Security

Privacy breaches

“SEC Takes Close Look At Facebook Data Lapse,” The Wall Street Journal, July 13, 2018 B1. SEC looks at whether Facebook responded appropriately after learning that user data was being used inappropriately.

Is keeping investors apprised of violations of contracts or policies part of your crisis response process?  Even when it wasn’t “your” data that was breached?  Would you have caught this in time to avoid an SEC inquiry?

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, Investor relations, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, To report