Entries Categorized as 'IT Governance'
by Jay Heiser | March 28, 2013 | Comments Off
We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]
Category: Cloud, IT Governance, risk management, security | Tags: risk assessment, risk management
by Jay Heiser | February 28, 2013 | Comments Off
Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text. This is often a sort of cop-out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]
Category: IT Governance, Policy | Tags:
by Jay Heiser | June 20, 2012 | Comments Off
It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour-a-week apprenticeship at a major law firm to provide [...]
Category: IT Governance, Policy, risk management | Tags: law, lawyers, policy, regulatory compliance
by Jay Heiser | April 26, 2012 | Comments Off
When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount [...]
Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts | Tags: Cloud, contracts, lawyers, legalese, SaaS, SLA, SLAs
by Jay Heiser | April 18, 2012 | Comments Off
A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]
Category: IT Governance, Policy | Tags: employee morale, policy, sabotage
by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud, IT Governance, risk management, security | Tags: passwords, policy
by Jay Heiser | December 14, 2011 | Comments Off
Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.
Category: IT Governance, risk management, security | Tags: law, policy, security
by Jay Heiser | September 29, 2011 | 1 Comment
What good is a fresh password if it is sitting on top of stale security technology? The history of computer security suggests that attention to the code is at least as important as operational processes.
Category: Applications, Cloud, IT Governance, risk management, security | Tags: history, history of security, security history, security testing
by Jay Heiser | July 5, 2011 | 1 Comment
I get a never-ending stream of questions that usually amounts to something like “What control tasks do I need to do to be sure that this SaaS service we are going to use will be adequately secure?” Unfortunately, at this point in time, SaaS providers offer relatively little support for enterprise control over anything. Assuming that the [...]
Category: Applications, Cloud, IAM, IT Governance, risk management, security, Vendor Contracts | Tags: backups, BCP/DR, Cloud, cloud security, continuity, disaster recovery, information security, malware, phishing, Trojan horse, vendor risk
by Jay Heiser | June 14, 2011 | Comments Off
In the worst of cases, a figurehead is appointed to give the impression that the problem is being taken care of. This is tantamount to putting a fig leaf over a sucking chest wound.
Category: IT Governance, risk management, security | Tags: CISO, security, Security-Summit-NA