Entries Categorized as 'Policy'
by Jay Heiser | March 20, 2013
It would be the rare soul indeed, who, after spending hours or even days cleaning up from a hack, didn’t feel the strong red rage of revengeful urges. And how many PC owners or site managers, still recovering lost data, time, and pride, if presented an opportunity to strike back at their attacker, to make [...]
Category: Policy, risk management, security | Tags: hack back, hackback, hacking, law, retaliation
by Jay Heiser | February 28, 2013
Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text. This is often a sort of cop out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a [...]
Category: IT Governance, Policy
by Jay Heiser | August 3, 2012
If you wanted to sabotage a trading system, you might set out to design suicide mechanisms that look very much like today’s automated trading mechanisms. Blaming Knight Capital’s screwed pooch on ‘software bug’ is a simplistic and flawed starting point for understanding the bigger risk picture. Automated mechanisms within trading systems act as positive feedback [...]
Category: Policy, risk management, Strategic Planning | Tags: brittleness, cascading failure, reliability, resiliency, systemic risk, too big to fail
by Jay Heiser | June 20, 2012
It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour-a-week apprenticeship at a major law firm to provide [...]
Category: IT Governance, Policy, risk management | Tags: law, lawyers, policy, regulatory compliance
by Jay Heiser | June 19, 2012
It’s not that I am categorically against the idea of law, but I am convinced that your typical corporate counsel is more motivated by personal convenience than by a sense of organizational proportion. I recognize why virtually every organizational IT policy has the requirement “you must obey the law”, but I question the utility of [...]
Category: Policy, risk management | Tags: law, legalism, policy
by Jay Heiser | April 26, 2012
When you buy SaaS, you get what is written on the box. Well, you get what is written on the virtual box. That text may consist of page after page of dense legalese that puts a higher level of emphasis on what you do NOT get than what you DO get. Consumer-oriented agreements often amount [...]
Category: Cloud, IT Governance, Policy, risk management, security, Vendor Contracts | Tags: Cloud, contracts, lawyers, legalese, SaaS, SLA, SLAs
by Jay Heiser | April 19, 2012
I frequently see end user policies that contain the following two elements: (1) passwords must be so complex that they cannot be guessed; (2) passwords may not be written down. This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]
Category: Policy, security | Tags: malware, password slurping, passwords, policy, slurping attack
by Jay Heiser | April 18, 2012
A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]
Category: IT Governance, Policy | Tags: employee morale, policy, sabotage
by Jay Heiser | March 16, 2012
Earlier this week, the Guardian reported the arrest of Mark Hanna, News International’s head of security. While details are vague, it appears to be the case that the UK justice system is accusing him of criminal offenses in regards to the ongoing phone hacking scandal at News of the World. Articles by the IT trade [...]
Category: Policy, risk management, security | Tags: jail, regulatory compliance, risk
by Jay Heiser | February 27, 2012
Today, everybody has a sophisticated spy camera hidden on their telephone, and it doesn’t take a degree in espionage to use them.
Category: Policy, security | Tags: camera, data leakage, espionage, industrial espionage, policy, spy camera, spying