Responsibility

From MgmtWiki

Full Title or Definitions

The state or fact of being accountable or to blame for something.

The opportunity or ability to act independently and make decisions without authorization.

Context

In Identity and Access Management, responsibility is a topic of major concern. Who, exactly, should be responsible for the acts taken to identify the person who acquires Authorization to act?

  1. Issuer of an Identity Credential
  2. Holder of an Identity Credential
  3. Verifier of an Identity Credential

In computer software and hardware deployment, who should be responsible for failures of the deployment?

  1. The manufacturer
  2. The installer
  3. The Owner

Source

The root of all enterprise responsibility comes from the committee given that responsibility by law, typically a board of directors or similar group charged with that function. One critical function of that board or committee is to approve a risk assessment and to assign one or two individuals to report to the board on the results of that assessment on a regular basis. While that responsibility was often given to the CEO, recent practice is to assign a specific other individual to give an independent report to the board. We consider two such individuals on this page. It is, of course, likely that other titles have been created in other organizations. The important thing is for that individual to be able to report up to the board.

Chief Information Security Officer

SolarWinds in November 2022 disclosed it had received a Wells Notice in connection with the 2020 cyberattack against the company's Orion software platform. The investigation related to potential violations of securities laws concerning cybersecurity disclosures and public statements. In June 2023 the Securities and Exchange Commission notified the chief financial officer and the CISO of SolarWinds of potential enforcement actions related to that attack, the company disclosed in a regulatory filing with the agency. Potential SEC measures against the executives include barring them from engaging in the same actions in the future, imposing civil penalties, or barring them from serving as officers or directors of public companies, according to the filing.[1]

Inspector General

In the United States, other than in the military departments, the first Office of Inspector General was established by act of Congress in 1976 in the Department of Health and Human Services to eliminate waste, fraud, and abuse in Medicare, Medicaid, and more than 100 other departmental programs.[2]

Authorization

Deployed Systems

Updating software

A debate has been raging (in 2023) about whether the owner should be responsible for updates. An argument has been made that the manufacturer should bear full responsibility for failures and would then be incentivized to make the software better. For an extreme example see Code of Hammurabi. But "if there were unlimited liability by the manufacturer there would be very few of them in business. ... For a selling party to assume liability for a defect found in a product, in the U.S. Uniform Commercial Code the product has to be considered 'tangible'—and the UCC says software is still considered to be 'a general intangible.'[3] In an odd way, this actually makes sense. Engineering disciplines only exist in tangible areas, such as civil, chemical, mechanical, and electrical engineering, where tables of material strengths and properties can be created and regulations can be created around acceptable safety margins based on intended use. No such tables exist for software, and none have shown a sign of emerging over the past 20 years."[4]

References

  1. David Jones, SEC notifies SolarWinds CISO and CFO of possible action in cyber investigation (2023-06-26) Cybersecurity Dive, https://www.cybersecuritydive.com/news/sec-solarwinds-ciso-cfo-orion/653864/
  2. HHS, About the Office of Inspector General, https://oig.hhs.gov/about-oig/
  3. Drug and Device Law, New Decision Directly Addresses the "Is Software a Product" Question (2022-05-02), https://bit.ly/3JrKZnE
  4. Steve Lipner et al., Updates, Threats, and Risk Management (2023-05) CACM 66 No. 5, pp. 21-23