Entries Categorized as 'IT Governance'
by Jay Heiser | September 25, 2013 | 2 Comments
Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents. On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had [...]
by Jay Heiser | May 29, 2013 | Comments Off
Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply. In 1998, information security pioneer Donn Parker [...]
by Jay Heiser | March 28, 2013 | Comments Off
We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]
by Jay Heiser | February 28, 2013 | Comments Off
Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text. This is often a sort of cop-out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]
by Jay Heiser | June 20, 2012 | Comments Off
It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour-a-week apprenticeship at a major law firm to provide [...]
by Jay Heiser | April 26, 2012 | Comments Off
When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount [...]
by Jay Heiser | April 18, 2012 | Comments Off
A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]
by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
by Jay Heiser | December 14, 2011 | Comments Off
Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.
by Jay Heiser | September 29, 2011 | 1 Comment
What good is a fresh password if it is sitting on top of stale security technology? The history of computer security suggests that attention to the code is at least as important as operational processes.