by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud IT Governance risk management security Tags: passwords, policy
by Jay Heiser | December 14, 2011 | Comments Off
Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.
Category: IT Governance risk management security Tags: law, policy, security
by Jay Heiser | February 18, 2011 | 1 Comment
I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again. Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” [...]
Category: IT Governance risk management security Tags: policy
by Jay Heiser | February 9, 2011 | 1 Comment
I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them. I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6. Dogs are not [...]
Category: IT Governance security Tags: data leakage, encryption, laptops, policy
by Jay Heiser | January 24, 2011 | 1 Comment
I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else. One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant [...]
Category: IT Governance risk management security Tags: policy, risk management, security, security program management