Is your organization addressing the risk of a Wikileaks-style problem?
Boardmember.com just published an interesting piece on this topic (the theft or leaking of confidential information which is then published) by two partners with McDermott Will & Emery LLP. They suggest ten questions board members should ask:
- What kinds of sensitive data do we use in our business?
- Do we have an effective privacy and data security program in place?
- Who is in charge of privacy and data security at our company?
- What is the state of our internal reporting system? (How employees and others report suspected violations)
- How do we incentivize internal reporting?
- Who runs our whistleblower compliance program?
- What hiring practices do we use to protect against bad actors?
- Are we prepared with a litigation strategy?
- Do we have a media plan in place to control the impact of a leak?
- Have we performed a risk assessment to analyze our areas of greatest exposure?
This is a good set of questions. However, I would change the order and a few of the questions. These are my ten questions:
- Has the risk of theft or leaking of confidential information been included as a risk in the enterprise-wide risk management program?
- Is the risk level updated on a sufficiently frequent basis, considering the emergence of new threats, changes in how confidential information is managed, etc.?
- Has an owner of the risk been identified?
- Are effective processes and controls (including security) in place to manage the risk within organizational tolerances? Is there an appropriate combination of controls to prevent leakage and controls to detect leakage so damage can be minimized?
- Have all individuals in possession of, or with access to, confidential information been informed of the need to protect it? Is the topic sufficiently covered in corporate policies and procedures, and are all involved required to confirm their understanding of the policies at an appropriate frequency?
- Is confidential information appropriately identified and classified so that it can be protected?
- Is the adequacy of the controls and security monitored and assessed on a regular basis?
- Is the organization prepared to respond appropriately, on a timely basis, should confidential information be leaked? This includes, but is not limited to, a media plan.
- Does the organization monitor for leakage of confidential information?
- At a detailed level, is the risk considered in planning IT and physical security measures?
I am not persuaded that a Wikileaks-style problem needs a separate program to manage the risk and ensure appropriate controls and security. I believe it can and should be handled within the enterprise-wide risk management program, and included in privacy/security programs within IT.
What do you think?