Jay Heiser

A member of the Gartner Blog Network

Entries Categorized as 'IT Governance'


The other problem with the utility metaphor

by Jay Heiser  |  May 4, 2011  |  1 Comment

Commercial cloud computing is like sending your rings, bracelets, and brooches out to be repaired–the service provider has your family jewels in hand. Unlike a CSP, a power company doesn’t have possession of your means of production or your IP, a significant loss potential that is also missing from the utility trope.


Category: Cloud IT Governance risk management security

Counterproductive Policies

by Jay Heiser  |  February 18, 2011  |  1 Comment

I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again. Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” [...]


Category: IT Governance risk management security

Dogs, pocket knives, and laptops

by Jay Heiser  |  February 9, 2011  |  1 Comment

I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them.  I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6. Dogs are not [...]


Category: IT Governance security

Will your successors throw away your policy?

by Jay Heiser  |  January 24, 2011  |  1 Comment

I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else. One of the first things that many new infosec managers do is start on a policy rewrite.  While this is sometimes a political gesture, meant [...]


Category: IT Governance risk management security

A day without Wikileaks….

by Jay Heiser  |  December 7, 2010  |  Comments Off

…is like a day without news. By my reckoning, I managed to go almost 24 hours without hearing the words ‘Wikileak’ or ‘Assange’. Watching the Jets get blown out of New England was probably one of the best possible ways to watch TV while avoiding current events. It’s no wonder that a huge number of [...]


Category: IT Governance risk management security

SAS 70 not a proof of security, privacy or ‘compliance’

by Jay Heiser  |  July 14, 2010  |  1 Comment

Gartner analysts have claimed that SAS 70 is being misused by many vendors and their customers.


Category: Cloud IT Governance risk management security

The SAS 70 Charade

by Jay Heiser  |  July 5, 2010  |  4 Comments

SAS 70 is  a) not a certification, b) not a standard, and c) isn’t meant to be applied the way it is being applied now.  To be fair, all service providers are under huge customer pressure to provide SAS 70, but instead of explaining their security, continuity, and recovery capabilities in more appropriate terms, most [...]


Category: Cloud IT Governance risk management security Vendor Contracts