Jay Heiser

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department.  If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]

Comments Off

Category: Cloud IT Governance risk management security     Tags: risk assessment, risk management

Share

Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text.  This is often a sort of cop out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]

Comments Off

Category: IT Governance Policy     Tags:

Share

It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—its a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour a week apprenticeship at a major law firm to provide [...]

Comments Off

Category: IT Governance Policy risk management     Tags: law, lawyers, policy, regulatory compliance

Share

When you buy SaaS, you get what is written on the box.  Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get.   Consumer-oriented agreements often amount [...]

Comments Off

Category: Cloud IT Governance Policy risk management security Vendor Contracts     Tags: Cloud, contracts, lawyers, legalese, SaaS, SLA, SLAs

Share

A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm.  Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]

Comments Off

Category: IT Governance Policy     Tags: employee morale, policy, sabotage

Share

Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.

2 Comments »

Category: Cloud IT Governance risk management security     Tags: passwords, policy

Share

Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.

Comments Off

Category: IT Governance risk management security     Tags: law, policy, security

Share

What good is a fresh password if it is sitting on top of stale security technology? The history of computer security suggests that attention to the code is at least as important as operational processes.

1 Comment »

Category: Applications Cloud IT Governance risk management security     Tags: history, history of security, security history, security testing

Share

I get a never-ending stream of questions that usually amounts to something like “What control tasks do I need to do to be sure that this SaaS service we are going to use will be adequately secure?” Unfortunately, at this point in time, SaaS providers offer relatively little support for enterprise control over anything.  Assuming that the [...]

1 Comment »

Category: Applications Cloud IAM IT Governance risk management security Vendor Contracts     Tags: backups, BCP/DR, Cloud, cloud security, continuity, disaster recovery, information security, malware, phishing, Trojan horse, vendor risk

Share

In the worst of cases, a figurehead is appointed to give the impression that the problem is being taken care of. This is tantamount to putting a fig leaf over a sucking chest wound.

Comments Off

Category: IT Governance risk management security     Tags: CISO, security, Security-Summit-NA

Share