by Jay Heiser | June 20, 2012 | Comments Off
It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—its a professional cop-out. Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour a week apprenticeship at a major law firm to provide [...]
Comments Off
Category: IT Governance Policy risk management Tags: law, lawyers, policy, regulatory compliance
by Jay Heiser | June 19, 2012 | Comments Off
Its not that I am categorically against the idea of law, but I am convinced that your typical corporate counsel is more motivated by personal convenience than by a sense of organizational proportion. I recognize why virtually every organizational IT policy has the requirement “you must obey the law”, but I question the utility of [...]
Comments Off
Category: Policy risk management Tags: law, legalism, policy
by Jay Heiser | April 19, 2012 | 1 Comment
I frequently see end user policies that contain the following two elements: Passwords must be so complex that they cannot be guessed Passwords may not be written down This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]
Category: Policy security Tags: malware, password slurping, passwords, policy, slurping attack
by Jay Heiser | April 18, 2012 | Comments Off
A significant number of enterprise IT policies include some sort of prohibition against the use of computer viruses, interference with the network, and other forms of deliberate harm. Is it really the case that without a policy against it, some employees will insist on using malware to destroy their PC and attempt to bring down [...]
Comments Off
Category: IT Governance Policy Tags: employee morale, policy, sabotage
by Jay Heiser | February 27, 2012 | Comments Off
Today, everybody has a sophisticated spy camera hidden on their telephone, and it doesn’t take a degree in espionage to use them.
Comments Off
Category: Policy security Tags: camera, data leakage, espionage, industrial espionage, policy, spy camera, spying
by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud IT Governance risk management security Tags: passwords, policy
by Jay Heiser | December 14, 2011 | Comments Off
Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.
Comments Off
Category: IT Governance risk management security Tags: law, policy, security
by Jay Heiser | February 18, 2011 | 1 Comment
I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again. Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” [...]
Category: IT Governance risk management security Tags: policy
by Jay Heiser | February 9, 2011 | 1 Comment
I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them. I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6. Dogs are not [...]
Category: IT Governance security Tags: data leakage, encryption, laptops, policy
by Jay Heiser | January 24, 2011 | 1 Comment
I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else. One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant [...]
Category: IT Governance risk management security Tags: policy, risk management, security, security program management
