This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is you private data somehow different?
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties
“Tesla Accuses Former Employee of ‘Sabotage,'” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value
Vendors with whom you deal can (and do) capture lots of information about you. They use that information. Hopefully to improve customer service. Can they disclose what they know to others? What if your traveling companions don’t know it’s your birthday because you don’t want them to know?
“What the Airline Knows About The Guy in Seat 12A,” The Wall Street Journal, June 20, 2018 A11. What information on you do airlines collect and how do they use it?
If the information is correct and used positively, that’s one thing. What if it’s wrong, or used negatively? What if it leaks? What if it’s sold?
Filed under Access, Accuracy, Collect, Controls, Corporation, Duty, Duty of Care, Governance, Information, Management, Oversight, Ownership, Privacy, Protect, Use
This may appear to be more a straight compliance piece than an information governance piece, but consider that the officers and directors didn’t know or didn’t report things that they should have known about. Truth or consequences?
“Wells Fargo Reaches Settlement In Lawsuit,” The Wall Street Journal, May 5, 2018 B10. Tentative settlement in suit alleging certain “current and former officers and directors of the bank had made false statements” affecting the stock price between 2014 and 2016.
The final paragraph of the article says,
The bank said Friday that it “denies the claims and allegations in the action and entered into the agreement in principle to avoid the cost and disruption of further litigation.”
One pauses to wonder if the current shareholders agree, it being their $480 million being spent to resolve the lawsuit, not the $480 million of said certain current and former officers and directors. This is on top of the $1 billion fine paid last month. Hopefully, the current and former shareholders will get some of the $480 million, less legal fees.
Telling fibs in connection with a company’s stock price can be real expensive for some one. Not knowing about abusive sales practices is about the same as lying. And how can you deny something yet still pay $480 million? Who are they trying to fool this time? At least now they can post nice ads on TV, claiming a re-invention. Has the culture problem been fixed?
Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Inform market, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Oversight, Protect, Supervision, To report, Value
Willie Sutton (a famous bank robber) was reportedly asked, “Why do you rob banks?” He reportedly said, “Because that’s where the money is.” https://www.snopes.com/quotes/sutton.asp
“Hackers Plunder Crypto Exchange,” The Wall Street Journal, January 27, 2018 B5. More than $500 million in credits hacked from the Coincheck site in Japan. One assumes virtual banks are easier to rob than brick and mortar banks.
This is a concrete example of the cost of a cyber breach. But it also follows on from an earlier post (Law School Exam Question) equating cash money and information, in terms of value.
If businesses (including the Board of Directors) treated information assets as cash, and managing, protecting, and controlling the organization’s information as currency, would that be “information governance”? Why do they handle information assets differently? Why should the Board and the officers get a pass on this? The shareholders certainly don’t.
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Ownership, Protect, Protect assets, Protect information assets, Security, Third parties, Value
“Firm Settles Russia Probe,” The Wall Street Journal, December 12, 2017 A5. Company working on US defense projects had Russian employees who lacked appropriate security clearances (and who stored some material on servers in Russia).
No fine reported; company to institute new security protocols and thereby resolve criminal complaint.
One would have thought someone would have gotten more than their hands slapped over this one.
Filed under Access, Compliance, Compliance, Controls, Corporation, Duty, Governance, Government, Internal controls, Management, Oversight, Protect