Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud, IT Governance, risk management, security | Tags: passwords, policy
by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud, IT Governance, risk management, security | Tags: passwords, policy
by Jay Heiser | December 14, 2011 | Comments Off
Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.
Category: IT Governance, risk management, security | Tags: law, policy, security
by Jay Heiser | December 1, 2011 | 1 Comment
It's been suggested more than once that avoiding public cloud computing is tantamount to keeping your money in a mattress. Given what’s happened over the last 4 years, why would anyone automatically assume that the use of banks represents a low level of risk?
Category: Cloud, risk management, security | Tags: backups, disaster recovery
by Jay Heiser | November 28, 2011 | 2 Comments
With the understanding that I am not a lawyer, and Gartner is not a law firm, here’s my brief summary of the contractual language dealing with SaaS security as provided by a prominent vendor: We believe that we obey the law. If there are any questions pertaining to how your data is handled within our [...]
Category: Cloud, risk management, security, Vendor Contracts | Tags: disaster recovery
by Jay Heiser | November 9, 2011 | 1 Comment
In the olden days, the business viability of your local book store had absolutely no impact on your ability to read whatever you might have bought from them. In the digital world, your continued ability to use rights-managed content, be it music, video, or books, is completely dependent upon the willingness and ability of a service to support it on your device.
Category: Applications, Cloud, risk management, security | Tags: DRM, rights management, vendor lockin
by Jay Heiser | October 10, 2011 | 1 Comment
I ask you to take a silent moment to try to visualize the sort of infosec security failure that would be solved with scooters.
Category: Cloud, risk management, security | Tags: BCP, Cloud, security, symposium, transparency
by Jay Heiser | October 5, 2011 | 1 Comment
The truth of the matter is that the provider actually has no idea of the likelihood of a loss event within their own offering. If a failure occurred, it could impact all of their customers simultaneously. No cloud service provider has enough cash on hand to cover that portfolio risk, and they can’t find any insurer willing to underwrite it.
Category: Cloud, risk management, security | Tags: Cloud, contracts, risk management, symposium
by Jay Heiser | September 29, 2011 | 1 Comment
What good is a fresh password if it is sitting on top of stale security technology? The history of computer security suggests that attention to the code is at least as important as operational processes.
Category: Applications, Cloud, IT Governance, risk management, security | Tags: history, history of security, security history, security testing
by Jay Heiser | September 27, 2011 | Comments Off
It's been just shy of a year and a half since one of my financial service firms cancelled one of my credit cards, so I was probably past due. I was able to tank up at the start of a multi-state trip this weekend, but by the time I was ready for a refill, [...]
Category: security | Tags: authentication, credit card, fraud, magstrip
by Jay Heiser | August 1, 2011 | Comments Off
The big hacks make the news, but it's the constant barrage of low-level anonymous attacks that represents the larger social and economic cost.
Category: security | Tags: hacking, Security-Summit-EMEA, spam