Jay Heiser

A member of the Gartner Blog Network

Entries Categorized as 'IT Governance'


Unknown unknowns in the Cloud

by Jay Heiser  |  April 8, 2014  |  5 Comments

Its too bad that Dick Cheney’s awkward little epistemological speech has been so thoroughly politicized, turning an important risk management principle into an opportunity for derision.  Intelligence analysts, and IT analysts, need to be acutely aware of the limits of their knowledge, especially when making decisions about the how to take advantage of public cloud services. [...]

5 Comments »

Category: Cloud IT Governance risk management security     Tags:

Summer of Cloud Incidents

by Jay Heiser  |  September 25, 2013  |  2 Comments

Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents. On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had [...]

2 Comments »

Category: Cloud IT Governance     Tags: , , ,

Why do you classify?

by Jay Heiser  |  May 29, 2013  |  Comments Off

Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply. In 1998, information security pioneer Donn Parker [...]

Comments Off

Category: IT Governance Policy security     Tags:

We say no because that’s what you ask us to say

by Jay Heiser  |  March 28, 2013  |  Comments Off

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department.  If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]

Comments Off

Category: Cloud IT Governance risk management security     Tags: ,

Including, but not limited to

by Jay Heiser  |  February 28, 2013  |  Comments Off

Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text.  This is often a sort of cop out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]

Comments Off

Category: IT Governance Policy     Tags:

Do Your Lawyers Actually Know What the Law Is?

by Jay Heiser  |  June 20, 2012  |  Comments Off

It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—its a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour a week apprenticeship at a major law firm to provide [...]

Comments Off

Category: IT Governance Policy risk management     Tags: , , ,

SaaS is a Simon Says World

by Jay Heiser  |  April 26, 2012  |  Comments Off

When you buy SaaS, you get what is written on the box.  Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get.   Consumer-oriented agreements often amount [...]

Comments Off

Category: Cloud IT Governance Policy risk management security Vendor Contracts     Tags: , , , , , ,

It is against our policy to commit sabotage

by Jay Heiser  |  April 18, 2012  |  Comments Off

A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm.  Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]

Comments Off

Category: IT Governance Policy     Tags: , ,

The Peril of Parallel Passwords

by Jay Heiser  |  December 23, 2011  |  2 Comments

Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.

2 Comments »

Category: Cloud IT Governance risk management security     Tags: ,

All employees must obey the law!

by Jay Heiser  |  December 14, 2011  |  Comments Off

Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.

Comments Off

Category: IT Governance risk management security     Tags: , ,