Category Archives: Security

Information from unusual places

What if you get information from an unexpected source?  What’s that worth?

“Stanford’s Aid Whistleblower,” The Wall Street Journal, February 1, 2018 B5.  A second-year MBA student does a study of scholarship decisions and blows the whistle on his own school.  Based on information found on a shared drive.

The information is there.  Are you aware what it says?  What’s it worth to have that analysis before someone else does it?  Is this something that Stanford wished wasn’t found, eight years later, on a shared drive?

Is this post about the value of information or the value of managing who gets access to what?  Or something else?


Filed under Access, Controls, Duty, Duty of Care, Governance, Information, Interconnections, Internal controls, IT, Protect assets, Security, Value

What’s information worth?

“Cryptocurrency Exchange to Pay Back Customers,” The Wall Street Journal, January 29, 2018 B4.  Company to pay customers back $426 million after hack of cryptocurrency.

What is cryptocurrency except information that people agree has a certain value?  If that information is hacked, isn’t it the same as a theft of a client account?

No Christmas bonus for you, I guess.


Filed under Board, Controls, Corporation, Definition, Duty, Governance, Information, Internal controls, Protect assets, Protect information assets, Security, Value

Early warning system

You discover a product flaw.  One of the first things on your crisis management list of things to do is notify your biggest (or best) customers.

“Intel Told China of Flaw Before U.S.,” The Wall Street Journal, January 29, 2018 A1.  Intel tells its Chinese customers of a security flaw in Intel chips before telling the US government.  Flaws discovered in June 2017.  Not disclosed to the market until after a website in the UK reports on them in January 2018.

Who thought waiting to tell the US government was a good idea?  Where are they now and what are they doing (and for whom)?

Getting information early increases the value of that information to you.  Six months?  What happened in the meantime?  What did the Board know?  Did they approve the communications plan?


Filed under Board, Communications, Corporation, Directors, Duty, Duty of Care, Governance, Inform market, Information, Oversight, Security, To report, Value

Willie Sutton?

Willie Sutton (a famous bank robber) was reportedly asked, “Why do you rob banks?” He reportedly said, “Because that’s where the money is.” https://www.snopes.com/quotes/sutton.asp

“Hackers Plunder Crypto Exchange,” The Wall Street Journal, January 27, 2018 B5. More than $500 million in credits hacked from the Coincheck site in Japan.  One assumes virtual banks are easier to rob than brick and mortar banks.

This is a concrete example of the cost of a cyber breach.  But it also follows on from an earlier post (Law School Exam Question) equating cash money and information, in terms of value.

If businesses (including the Board of Directors) treated information assets as cash, and managing, protecting, and controlling the organization’s information as currency, would that be “information governance”?  Why do they handle information assets differently?  Why should the Board and the officers get a pass on this?  The shareholders certainly don’t.


Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Ownership, Protect, Protect assets, Protect information assets, Security, Third parties, Value

Process safety

“Hack of Saudi Plant Targeted Safety System,” The Wall Street Journal, January 19, 2018 B4. Cyberattack focused not on the theft of information, but on a critical emergency safety shut-off system.

So, this is more about information security than it is about information governance.  Or is it?  This is the type of attack that keeps the information security folks awake at night.  A big deal in the oil patch.

Who’s responsible?  The vendor of the equipment (and software) that was hacked?  Or the owner of the plant that had the equipment on-line?

Does your company have information that is critical to the safety of your operations?  Who’s responsible for protecting that from outside attack?


Filed under Access, Board, Controls, Corporation, Duty, Interconnections, Internal controls, IT, Security, Vendors

Catching up

I’ve taken a bit of a break; one of the readers of this blog asked if I’d stopped writing it.  Not that there aren’t issues on governance, information, or (and) compliance that come up daily.

Is this blog of value?  Is it worth your time?  Let me know.  How can I improve this?  Let me know by posting a comment.

Some recent stories:

  1. “Subaru Probes if Fuel Data Was Fake,” The Wall Street Journal, December 21, 2017 B1.  Company investigating whether workers fudged the numbers on fuel economy.  Another black eye for the Japanese quality objectives.  Is there/was there a culture problem?  Or did management apply too much pressure?
  2. “Wells Fargo Earns New Ire From Bank’s Overseers,” The Wall Street Journal, January 6, 2018 B10.  Bank regulators marked Wells Fargo down because of its management, and as a result the bank will pay higher insurance and be subjected to higher regulatory scrutiny.  2017 wasn’t a good year for the bank.
  3. “Court to Review SEC Judges,” The Wall Street Journal, January 13, 2018 B10.  The Court accepted an appeal that will look at whether SEC’s judges are unconstitutional, having been selected by the HR Department.  Do government agencies need to comply with the US Constitution?  Can one be “governed” by someone who wasn’t properly appointed or supervised?  Is the common law writ of quo warranto still effective?
  4. “Parents’ Dilemma: When to Give the Children Smartphones,” The Wall Street Journal, January 13, 2018 A1.  Giving your child a smartphone also gives them access to a whole bunch of stuff you might wish they didn’t have so much access to.  Are you properly governing how much information your kids can see?  Do you also provide them a handgun (without bullets, of course)?  (The article talks about teaching your children to use cocaine, but in a balanced way). Not all information accessible by smartphone is of equal value, and different parties in the transaction value different information differently.


Filed under Access, Accuracy, Compliance, Controls, Corporation, Culture, Data quality, Directors, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Security, Third parties, Value

Breach at PayPal

“PayPal Discloses Breach At Its TIO Unit,” The Wall Street Journal, December 2, 2017 B11.  Upwards of 1.6 million users affected at newly acquired company that has kiosks in retail stores.

When you acquire a company, make sure their cybersecurity is up to snuff.  From Day One.


Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Protect assets, Protect information assets, Security, Supervision