Entries Tagged as 'risk assessment'
by Jay Heiser | March 28, 2013 | Comments Off
We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]
Category: Cloud, IT Governance, risk management, security Tags: risk assessment, risk management
by Jay Heiser | August 10, 2012 | 2 Comments
The process in which the buyer asks a random list of questions that might have some minor relevance to some aspect of a provider’s security posture, and the potential provider pretends to answer them.
Category: Cloud, risk management, security Tags: cloud computing risk, cloud security standards, risk assessment, security
by Jay Heiser | May 9, 2011 | Comments Off
Is it really possible that a single attack can simultaneously impact 100,000,000 people? Multi-tenancy truly gives new significance to concerns about monoculture risk.
Category: Cloud, IT Governance, risk management, security Tags: backups, BCP/DR, Cloud, cloud security, continuity, critical infrastructure, disaster recovery, risk assessment, risk management, security, Security-Summit-NA
by Jay Heiser | February 24, 2010 | 1 Comment
I’m concerned that we’re going to legally mandate the application of last century’s standards and practices (SAS 70, FISMA, etc.) to new computing models that we have only begun to understand. I’m in favor of revisiting the US privacy regulations, but it would be premature to apply them to cloud computing in any highly specific way. Commercial and government entities that want to store PII in unproven multi-tenanted services should be held accountable if that experiment fails.
Category: Uncategorized Tags: Cloud, PII, privacy, privacy regulation, regulation, regulatory compliance, risk assessment, security, US Congress
by Jay Heiser | February 9, 2010 | Comments Off
A man walks into a physician’s office and says “Doctor, it hurts when I use my computer.” The physician replies, “then don’t use your computer.” A dumb old joke or a wise observation on human nature? I receive several calls a week from people looking for the best practices on managing cloud computing security and [...]
Category: Uncategorized Tags: Cloud, cloud security, information security, infosec, risk assessment, risk management
by Jay Heiser | February 1, 2010 | 5 Comments
When the global financial services firms melted down in late 2007, much of the blame was attributed to an over-reliance on a highly leveraged financial abstraction called a Collateralized Debt Obligation (CDO). As described in a recent blog entry by Gartner analyst Andrew White, Cheap money, sloshing around the place, feeding an insatiable growth in demand [...]
Category: Cloud, risk management, security Tags: CDO, Cloud, cloud risks, cloud security, risk assessment, vendor viability
by Jay Heiser | January 26, 2010 | 1 Comment
I’ve spent a lot of the last 2 years researching the problem of making business decisions about the relative levels of risk associated with partners and service providers. Externally provisioned services, such as Cloud Computing (whatever the service) and SaaS (whatever the computing model) are problematic. We’ve learned a lot about security risk management over [...]
Category: Cloud, risk management, security Tags: Cloud, cloud security, risk assessment, risk management