Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New 'Whistleblower' Portal Lets User Report Incidents Anonymously

GRC Vendor LockPath offers whistleblower portal to let users anonymously report complaints, security violations

A new Web-based portal could offer employees and other users an anonymous method of reporting complaints or security violations in their enterprises without fear of reprisal.

LockPath, a maker of governance, risk, and compliance (GRC) technology, on Monday rolled out the Anonymous Incident Portal, a cloud-based service that lets users submit complaints, violations, or other concerns without giving away their identities.

The new portal was unveiled in conjunction with LockPath's release of Keylight 3.5, LockPath's new hybrid cloud GRC offering, which helps companies automate the security and compliance assessment of suppliers and business partners.

"The Anonymous Incident Portal is a way for employees to let someone know if they see something," says Chris Caldwell, CEO of LockPath. "It could be a physical security violation, or an IT security violation, a violation of a financial process, or any number of incidents. The key is that there is a secure and anonymous way to do it."

Some companies have anonymous "whistleblower hotlines," and the state of New York is considering a law that would help reward and protect whistleblowers, Caldwell observes.

While organizations may not be happy to have employees blow the whistle on potential violations, having them submit their complaints on a secure portal is better than having them dump information to WikiLeaks or give documents to the media, as Edward Snowden did to the NSA, LockPath states. The AIP also gives employees a way to flag incidents to their companies before reporting them to the Securities Exchange Commission (SEC) or other regulatory and law enforcement organizations.

"Employees often struggle with deciding when to report an incident and when to remain quiet given potential repercussions like harassment by the business, a career-limiting move, or termination," adds Caldwell. "AIP eliminates this fear by providing an anonymous and secure portal to express concerns, which can ultimately create an improved working environment for employees and ensure that a company's reputation is in its own hands, rather than in the hands of someone else."

LockPath's new Keylight 3.5 offering also includes Vendor Manager Hybrid, a new capability that allows third parties to submit audit-related questionnaires through a Web-based portal, bypassing the assessing organization's corporate network.

The new offering is designed to help companies ensure compliance among vendors and business partners, as well as internally, Caldwell says.

"LockPath has always helped customers manage relationships with third parties to ensure compliance," Caldwell states. "From law firms to financial institutions to health-care providers, organizations must regularly work with other vendors to complete due diligence in order to meet industry standards and regulations. This new offering lets organizations keep control of their sensitive data within the enterprise, while maintaining effective interactions with outside entities."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.