This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
“SEC Charges Ex-CEO With Insider Trading,” The Wall Street Journal, July 11, 2018 B12. Ex-CEO charged with giving his paramour inside information (and money) to buy stocks.
From a compliance perspective, it is good to see that the people at the top of the shop get charged, too. Helpful training reminder. If the CEO doesn’t obey the law, what can you expect of the other employees?
This blog often deals with Compliance, both compliance with law and compliance with company policy. But another aspect of Compliance is the corporation’s compliance with its own contracts.
“Professor Wins College-Freedom Case in Wisconsin,” The Wall Street Journal, July 7, 2018 A3. Private university penalizes professor for posting a factual post online, despite academic freedom protections he had in his contract; professor wins back pay and reinstatement.
So, does your compliance program cover your organization’s compliance with its own contracts? Does your compliance training mention that point? Is contract compliance more or less important than ethics? Or is it part of ethics? How strong are your processes around contract compliance?
I just ask the questions.
The suspect makes his fingerprints unreadable, and doesn’t have a wallet or other ID. Who is he?
“Controversial Facial System Identifies Suspect,” The Wall Street Journal, June 30, 2019 A3. Facial recognition was used to identify the shooter at the Capital Gazette in Annapolis, where five died. A picture was run through the driver’s license database, and up popped his license photo.
Biometrics as information? Role of technology in information governance?
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is your private data somehow different?
“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Vendors with whom you deal can (and do) capture lots of information about you. They use that information. Hopefully to improve customer service. Can they disclose what they know to others? What if your traveling companions don’t know it’s your birthday because you don’t want them to know?
“What the Airline Knows About The Guy in Seat 12A,” The Wall Street Journal, June 20, 2018 A11. What information on you do airlines collect and how do they use it?
If the information is correct and used positively, that’s one thing. What if it’s wrong, or used negatively? What if it leaks? What if it’s sold?