Responsibility

From MgmtWiki
Revision as of 12:07, 28 June 2023 by Tom (talk | contribs) (References)


Full Title or Definitions

The state or fact of being accountable or to blame for something.

The opportunity or ability to act independently and make decisions without authorization.

Context

In Identity and Access Management Responsibility is a topic of major concern. Who, exactly, should be responsible for acts taken to identify the person who has Authorization to act?

  1. Issuer of an Identity Credential
  2. Holder of an Identity Credential
  3. Verifier of an Identity Credential

In computer software and hardware deployment, who should be responsible for failures of the deployment?

  1. The manufacturer
  2. The installer
  3. The Owner

Source

The root of all enterprise responsibility comes from the committee given that responsibility by law; typically it will be a board of directors or similar group charged with that function. One critical function for that board or committee is to approve a risk assessment and assign one or two individuals to report to the board on the results of that assessment on a regular basis. While that responsibility was often given to the CEO, recent practice is to assign a specific other individual to give an independent report to the board. We consider two such individuals on this page.

It is, of course, likely that other titles have been created in other organizations. The important thing is for that individual to be able to report up to the board.

Chief Information Security Officer

SolarWinds in November 2022 disclosed it had received a Wells Notice in connection with the cyberattack. The investigation related to potential violations of securities laws related to cybersecurity disclosures and public statements. The Securities and Exchange Commission in June 2023 notified the chief financial officer and CISO of SolarWinds about potential enforcement actions related to the 2020 cyberattack against the company’s Orion software platform, the company disclosed in a regulatory filing with the agency. Potential SEC measures against the executives include barring them from engaging in the same actions in the future, imposing civil penalties or barring them from serving as officers or directors of public companies, according to the filing.

Inspector General

Authorization

Deployed Systems

Updating software

A debate has been raging (in 2023) about whether the owner should be responsible for updates. An argument has been made that the manufacturer should bear full responsibility for failures and would then be incentivized to make the software better. For an extreme example see Code of Hammurabi. But "if there were unlimited liability by the manufacturer there would be very few of them in business. ... For a selling party to assume liability for a defect found in a product, in the U.S. Uniform Commercial Code the product has to be considered "tangible"—and the UCC says software is still considered to be "a general intangible."[1] In an odd way, this actually makes sense. Engineering disciplines only exist in tangible areas, such as civil, chemical, mechanical, and electrical engineering where tables of materials strengths and properties can be created and regulations can be created around acceptable safety margins based on intended use. No such tables exist for software, and none have shown a sign of emerging over the past 20 years."[2]

References

  1. Drug and Device Law. New Decision Directly Addresses the "Is Software a Product" Question. (May 2, 2022); https://bit.ly/3JrKZnE
  2. Steve Lipner et al. Updates, Threats, and Risk Management. CACM 66, No. 5 (May 2023), pp. 21-23