Jay Heiser

A member of the Gartner Blog Network

Entries Categorized as 'Policy'


Why do you classify?

by Jay Heiser  |  May 29, 2013  |  Comments Off

Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply. In 1998, information security pioneer Donn Parker [...]

Category: IT Governance, Policy, security

Hack back, jack?

by Jay Heiser  |  March 20, 2013  |  1 Comment

It would be the rare soul indeed, who, after spending hours or even days cleaning up from a hack, didn’t feel the strong red rage of revengeful urges. And how many PC owners or site managers, still recovering lost data, time, and pride, if presented an opportunity to strike back at their attacker, to make [...]

Category: Policy, risk management, security

Including, but not limited to

by Jay Heiser  |  February 28, 2013  |  Comments Off

Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text. This is often a sort of cop-out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]

Category: IT Governance, Policy

Why today’s stock market is inherently unreliable

by Jay Heiser  |  August 3, 2012  |  Comments Off

If you wanted to sabotage a trading system, you might set out to design suicide mechanisms that look very much like today’s automated trading mechanisms. Blaming Knight Capital’s screwed pooch on ‘software bug’ is a simplistic and flawed starting point for understanding the bigger risk picture. Automated mechanisms within trading systems act as positive feedback [...]

Category: Policy, risk management, Strategic Planning

Do Your Lawyers Actually Know What the Law Is?

by Jay Heiser  |  June 20, 2012  |  Comments Off

It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour a week apprenticeship at a major law firm to provide [...]

Category: IT Governance, Policy, risk management

Has ‘you must obey the law’ ever actually worked?

by Jay Heiser  |  June 19, 2012  |  Comments Off

It’s not that I am categorically against the idea of law, but I am convinced that your typical corporate counsel is more motivated by personal convenience than by a sense of organizational proportion. I recognize why virtually every organizational IT policy has the requirement “you must obey the law”, but I question the utility of [...]

Category: Policy, risk management

SaaS is a Simon Says World

by Jay Heiser  |  April 26, 2012  |  Comments Off

When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount [...]

Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts

You may not write down unmemorizable passwords

by Jay Heiser  |  April 19, 2012  |  1 Comment

I frequently see end user policies that contain the following two elements: (1) Passwords must be so complex that they cannot be guessed; (2) Passwords may not be written down. This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]

Category: Policy, security

It is against our policy to commit sabotage

by Jay Heiser  |  April 18, 2012  |  Comments Off

A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]

Category: IT Governance, Policy

Yes, we CAN be arrested

by Jay Heiser  |  March 16, 2012  |  Comments Off

Earlier this week, the Guardian reported the arrest of Mark Hanna, News International’s head of security. While details are vague, it appears to be the case that the UK justice system is accusing him of criminal offenses in regards to the ongoing phone hacking scandal at News of the World. Articles by the IT trade [...]

Category: Policy, risk management, security