“Firm Settles Russia Probe,” The Wall Street Journal, December 12, 2017 A5. Company working on US defense projects had Russian employees who lacked appropriate security clearances (and who stored some material on servers in Russia).
No fine reported; company to institute new security protocols and thereby resolve criminal complaint.
One would have thought someone would have gotten more than their hands slapped over this one.
What do you do when a rogue employee decides to express his or her politics by messing with your product? Could that affect your brand?
No, this isn’t about the NFL.
“Twitter Tightens Security,” The Wall Street Journal, November 4, 2017 B3. Security lapse allows a departing and now former Twitter employee to shut down President Trump’s Twitter feed for eleven minutes.
Cybersecurity focuses not only on external hackers but also internal bad-deed doers. Sometimes, even well-designed security plans fail. But those third-party plans are protecting your information in their control.
Do you have special controls for special celebrity cases? Do you take extra steps for departing employees?
Not sure Twitter is a brand.
As if Facebook weren’t enough, the Russians allegedly go after the phones of NATO soldiers.
“Russia Targets NATO Soldiers in Phone Hack,” The Wall Street Journal, October 5, 2017 A1. Use of drones suggests a national actor.
Do you control what your employees have on their phones? Can you? How? What if it is your company’s proprietary data? Or overseas?
“Key Filing Made in Battle Between Alphabet, Uber,” The Wall Street Journal, October 2, 2017 B3. Uber apparently knew that “a former Google engineer had confidential Google files before buying his self-driving-car startup.” 50,000 emails, among others.
Do you have processes in place to prevent this from happening when you hire a competitor’s former employee or buy their company? What about when one of your employees (or contractors) leaves?
Sony was not alone. HBO gets hacked, too, and Netflix. Is nothing sacred?
“Hackers Stole HBO Programming,” The Wall Street Journal, August 1, 2017 B2. Game of Thrones may be coming sooner than planned. Hacker also got personal information on at least one executive.
How well is your information protected? What’s that protection worth?
Do you have contractors who analyze your data for you? Do they use cloud storage? Do you know? How secure is that? Is that prohibited by your service contract?
“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days. Most/some of the information exposed was publicly available information on voters. A lot of voters.
Well, at least the Russians (or the DNC) didn’t hack it. Or did they?
What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you? Do you care? It’s not like it’s money or anything.
Uber fired the executive at the heart of the dispute with Google over self-driving cars. The exec failed to meet a deadline to comply with a court order to turn over documents in a trade secret case over self-driving cars. “Uber Fires Executive At Center Of Suit,” The Wall Street Journal, May 31, 2017 A1.
Lesson? If you hire an employee from a competitor and he’s accused of stealing his former employer’s trade secrets, try your best to look good.
What’s your process for keeping new employees, especially from competitors, from damaging your business and your reputation by bringing in your competitor’s trade secrets? Did you follow it, or is it just there for show?
When talking about cybersecurity, the analogy is made to castle walls. Like most analogies, it’s true and it isn’t.
“Hackers Found Holes In Bank Network,” The Wall Street Journal, May 1, 2017 A1. Security at the SWIFT network buildings is really tight, as one would expect for a large company whose business is the electronic transfer of “money” across national boundaries. But apparently, some of the national banks using this service are not as diligent in managing their own security.
Providing, and denying, access to information are key parts of information governance. But how do you do that for third parties? And how do they do it for themselves?
If you are in the information business (and who isn’t?), what if you can’t get to that information? Worse, what if your customers can’t get to information you store for them, or their customers can’t get to their web pages?
“Amazon Outage Hits Cloud Customers,” The Wall Street Journal, March 1, 2017 B4. Failure at a storage center just outside of Washington, D.C. lasted about 4 hours and affected Amazon Web Services. Uptime/downtime, and reliability.
What’s your plan if your main storage goes out? How does your business continue to operate?
Yes, the Oscars ceremony had its information mix-up, when Warren Beatty was given the wrong envelope. But who was (and “was” is probably the operative word) in charge of calculating and communicating the cost basis for stock?
“Morgan Stanley Gave Clients Wrong Data,” The Wall Street Journal, February 28, 2017 B9. Firm miscalculated the cost basis, and therefore the gain, on sales of stocks by the firm’s wealth-management clients for 5 years. Anticipated cost: $70 million.
How do you ensure that the right information is getting to the right place (person) at the right time? What controls do you have in place? Are those controls people, process, or technology? While it took PwC a few minutes to correct the error at the Oscars, it took Morgan Stanley five years. Who had the better process?