Jay Heiser

A member of the Gartner Blog Network

Entries Categorized as 'IT Governance'

Sony Sued For Losing Unprotectable Data

by Jay Heiser  |  December 18, 2014

The CISO asked to protect names and SSNs has been handed a Sisyphean task that can never be successful.

Category: IT Governance, risk management, security

Doctor, it hurts when I do this

by Jay Heiser  |  August 4, 2014  |  2 Comments

C: We are concerned about putting our email into the cloud. J: Why? C: Somebody might look at it. J: Somebody can already look at it, even when you host your email server in house. SMTP is a data leakage protocol that isn’t designed to secure your data, but is intended to disseminate it […]

Category: Cloud, IT Governance, risk management, security

Cloud sabotaged, all your data is permanently lost

by Jay Heiser  |  June 19, 2014  |  1 Comment

Code Spaces, a vendor that claimed to provide secure source code hosting and project management support, has just been forced to admit to their customers that they’ve been sabotaged by a cyber extortionist, and they probably cannot fully recover. They put all their hopes, and all their customers’ data, into a single cloud, and it burst. […]

Category: Cloud, IT Governance, risk management, security

Unknown unknowns in the Cloud

by Jay Heiser  |  April 8, 2014  |  5 Comments

It’s too bad that Dick Cheney’s awkward little epistemological speech has been so thoroughly politicized, turning an important risk management principle into an opportunity for derision. Intelligence analysts, and IT analysts, need to be acutely aware of the limits of their knowledge, especially when making decisions about how to take advantage of public cloud services. […]

Category: Cloud, IT Governance, risk management, security

Summer of Cloud Incidents

by Jay Heiser  |  September 25, 2013  |  2 Comments

Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents. On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had […]

Category: Cloud, IT Governance

Why do you classify?

by Jay Heiser  |  May 29, 2013

Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply. In 1998, information security pioneer Donn Parker […]

Category: IT Governance, Policy, security

We say no because that’s what you ask us to say

by Jay Heiser  |  March 28, 2013

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make […]

Category: Cloud, IT Governance, risk management, security

Including, but not limited to

by Jay Heiser  |  February 28, 2013

Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text. This is often a sort of cop-out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a […]

Category: IT Governance, Policy

Do Your Lawyers Actually Know What the Law Is?

by Jay Heiser  |  June 20, 2012

It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour-a-week apprenticeship at a major law firm to provide […]

Category: IT Governance, Policy, risk management

SaaS is a Simon Says World

by Jay Heiser  |  April 26, 2012

When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount […]

Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts