Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs bought into phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix? Two-factor authentication for every email to/from a senior exec?  Encryption?

Leave a comment

Filed under Access, Compliance, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

What will you (or they) need twenty years from now?

How do you forecast what information the company will need twenty years from now, long after your retirement?

“First Job of Dismantling Nuclear Plants: Find a Russian Speaker,” The Wall Street Journal, June 12, 2017 A1.  Dismantling engineers encounter problems when trying to decontaminate and tear down an old nuclear facility.  The engineering drawings are not necessarily accurate as-built diagrams, and a lot of the language is Russian.

An organization needs a lot of information.  One area is “What information will we need when it’s time to dismantle this great thing we just built?”  Is this information governance, records management, or knowledge management?  Does it matter?  Who owns this problem?  This same problem  came up in my prior life when looking at the information requirements to shut down and dismantle a North Sea oil platform – a lot of that information needs to be captured at the front end and during the life of the facility, and maintained until the facility is removed.

Leave a comment

Filed under Accuracy, Collect, Controls, Governance, Internal controls, Knowledge Management, Management, Oversight, Use

The Day that Information Governance Died, the Sequel

Last July, after the July 5 new conference, I wrote about the consequences of James Comey’s decision not to prosecute, https://infogovnuggets.com/2016/07/12/sounds-of-silence/.  I view that as The Day Information Governance Died.

This week, we had the sequel.

If you create a document in the normal course of your duties for your employer, about a conversation held in the course of your employer’s business, using the employer’s computer, then that document is the property of your employer.  It’s “proprietary.”  You can’t take that document with you when you’re fired and then give it to others.  Even if it doesn’t contain privileged information.  Or your purported recollections of a conversation in your official capacity with the President, subject to executive privilege.

But Mr. Comey seems to be above (or maybe beside) the Law, generally.  And he is (until the ethics people get a hold of this) a lawyer.

“The ‘Close Friend’ Behind Memo Leak,” The Wall Street Journal, June 9, 2017 A4.   Comey leaks a memo he wrote while a government employee to a friend, in order to leak it to the press.

And we wonder why we have a hard time getting traction on information governance.

Leave a comment

Filed under Controls, Duty, Employees, Information, Internal controls, Lawyers, Ownership, Privilege, Third parties

Surgical precision

How do you deal with claims of sexual harassment?  Have two law firms conduct investigations and fire 20 people.  But will that be the end or the middle?

“Uber Fires Over 20 In Wake Of Probe,” The Wall Street Journal, June 7, 2017 B1.  Over two hundred claims investigated and no action taken in 100 of them.

Were there supervisors who participated or condoned or who failed to notice or respond?  Were there reporting practices and policies in place?  If harassment was “accepted” in the Uber culture, who’s to blame?  HR?  The Board?  Management?  How long had this been going on?  How much will the shareholders have to pay?

A summary of one of the law firm reports is due out soon.

Leave a comment

Filed under Board, Compliance, Compliance, Compliance, Controls, Corporation, Culture, Culture, Duty, Employees, Governance, Internal controls, Management, Oversight, Oversight

We have a Winner

What do you do when you discover who violated the law by leaking a classified document?  You arrest them.

“Contractor Charged in Leak,” The Wall Street Journal, June 6, 2017 A4.  Reality Winner, an employee of a contractor for the NSA, was arrested and charged for leaking a classified document to the news media.  A criminal offense.

Interesting story of how the government found out.  A news agency provided a copy of the document and requested the government to confirm its accuracy.  The government could tell from looking at the copy that it had been folded, and concluded someone printed it out and sneaked it out.  IT logs showed six people had printed it out.  The computer of one of them showed email contact with a news agency.  When questioned, Ms. Winner fessed up.

Common themes:  the NSA needs to watch the employees of its contractors carefully; IT has a record, somewhere; criminals get arrested; a newspaper can inadvertently disclose confidential sources.

 

Leave a comment

Filed under Access, Controls, Corporation, Duty, Employees, Governance, Government, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Vendors

Rank has its privileges

One might suppose accountability and responsibility apply to CEOs.  Then, again ….

“Gymnastics Boss Paid Severance,” The Wall Street Journal, June 3, 2017 A9.  The CEO, who was nominally in charge when the team doctor for the women’s gymnastics team allegedly abused female gymnasts, gets a $1 million severance package.

One wonders what the Board would have paid him if they fired him for cause.  The gymnastics federation reportedly sat on the results of an internal investigation of the sexual abuse allegations for five weeks.  The CEO said the federation didn’t have an obligation to report sexual abuse by its coaches to law enforcement.  Didn’t the ex-president of Penn State just get sentenced to jail for similar acts or omissions?

One of the Board’s fundamental jobs is to hire the CEO; another is oversight.  Everyone has a duty to report violations of law.  It would appear either the Board or the CEO or the Federation wasn’t doing its or his job.  Maybe the Board gets severance, too.  What do the shareholders get?

The bill.

Leave a comment

Filed under Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, To report

What questions should a director ask?

Directors are a fundamental part of corporate governance, standing between ownership (the shareholders) and management. and owing fiduciary duties of care and loyalty to the shareholders.  It’s not an honorary role.

But what if they are willfully or negligently blind when major problems arise, and don’t even know enough to ask management about them?

“Theranos Directors Missed Red Flags,” The Wall Street Journal, May 31, 2017 B1. Retired Admiral Gary Roughead and former Secretary of State George Shultz apparently failed to ask key questions, or any questions at all.  Hard to claim protection of the business judgment rule when you don’t make a judgment.

I thought all I had to do was show up and cash the checks.  You mean I needed to understand what the business did?  I have no background in this business.  What do you mean the insurance may not cover me?

Leave a comment

Filed under Board, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight