Jay Heiser

A member of the Gartner Blog Network

Entries Tagged as 'policy'


Do Your Lawyers Actually Know What the Law Is?

by Jay Heiser  |  June 20, 2012  |  Comments Off

It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour a week apprenticeship at a major law firm to provide [...]

Category: IT Governance, Policy, risk management

Has ‘you must obey the law’ ever actually worked?

by Jay Heiser  |  June 19, 2012  |  Comments Off

It’s not that I am categorically against the idea of law, but I am convinced that your typical corporate counsel is more motivated by personal convenience than by a sense of organizational proportion. I recognize why virtually every organizational IT policy has the requirement “you must obey the law”, but I question the utility of [...]

Category: Policy, risk management

You may not write down unmemorizable passwords

by Jay Heiser  |  April 19, 2012  |  1 Comment

I frequently see end user policies that contain the following two elements:

- Passwords must be so complex that they cannot be guessed
- Passwords may not be written down

This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]

Category: Policy, security

It is against our policy to commit sabotage

by Jay Heiser  |  April 18, 2012  |  Comments Off

A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]

Category: IT Governance, Policy

We’ve all got spy cameras in our pocket

by Jay Heiser  |  February 27, 2012  |  Comments Off

Today, everybody has a sophisticated spy camera hidden on their telephone, and it doesn’t take a degree in espionage to use them.

Category: Policy, security

The Peril of Parallel Passwords

by Jay Heiser  |  December 23, 2011  |  2 Comments

Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.

Category: Cloud, IT Governance, risk management, security

All employees must obey the law!

by Jay Heiser  |  December 14, 2011  |  Comments Off

Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.

Category: IT Governance, risk management, security

Counterproductive Policies

by Jay Heiser  |  February 18, 2011  |  1 Comment

I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again. Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” [...]

Category: IT Governance, risk management, security

Dogs, pocket knives, and laptops

by Jay Heiser  |  February 9, 2011  |  1 Comment

I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them. I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6. Dogs are not [...]

Category: IT Governance, security

Will your successors throw away your policy?

by Jay Heiser  |  January 24, 2011  |  1 Comment

I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else. One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant [...]

Category: IT Governance, risk management, security