Entries Tagged as 'risk management'
by Jay Heiser | March 28, 2013 | Comments Off
We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make [...]
Category: Cloud IT Governance risk management security Tags: risk assessment, risk management
by Jay Heiser | February 15, 2013 | 1 Comment
As 4,200 disgruntled holiday goers, trapped on the ironically named cruise ship Triumph, finally end their 5-day ordeal, it serves as a reminder that the eggs can have more stake in the state of the basket than the basket holder does. From the point of view of the cruise line, each booked-up ship [...]
Category: Cloud risk management Tags: cloud failure, cloud risk, concentration risk, portfolio risk, recovery risk, risk, risk management
by Jay Heiser | October 5, 2011 | 1 Comment
The truth of the matter is that the provider actually has no idea of the likelihood of a loss event within their own offering. If a failure occurred, it could impact all of their customers simultaneously. No cloud service provider has enough cash on hand to cover that portfolio risk, and they can’t find any insurer willing to underwrite it.
Category: Cloud risk management security Tags: Cloud, contracts, risk management, symposium
by Jay Heiser | May 30, 2011 | Comments Off
The Commonwealth of Virginia has recently announced that they have settled up with their service provider, Northrop Grumman, over an incident last year that apparently brought down 3/4 of state applications, resulted in the loss of several days' worth of driver's license photos, and forced state offices to open on weekends. Compensation to the state, [...]
Category: Cloud risk management Tags: backups, BCP/DR, continuity, critical infrastructure, disaster recovery, risk management, Security-Summit-NA, storage
by Jay Heiser | May 23, 2011 | 1 Comment
It's not surprising that as a technology approaches the top of the Hype Cycle, some of the vendors turn their Spin Cycle up to 11, which means there are going to be some disappointed buyers, especially those with high expectations for data encryption and data recovery.
Category: Cloud IT Governance risk management security Vendor Contracts Tags: Cloud, cloud security, continuity, disaster recovery, information security, infosec, outsourcing, risk management, security, Security-Summit-NA, vendor risk
by Jay Heiser | May 9, 2011 | Comments Off
Is it really possible that a single attack can simultaneously impact 100,000,000 people? Multi-tenancy truly gives new significance to concerns about monoculture risk.
Category: Cloud IT Governance risk management security Tags: backups, BCP/DR, Cloud, cloud security, continuity, critical infrastructure, disaster recovery, risk assessment, risk management, security, Security-Summit-NA
by Jay Heiser | April 29, 2011 | Comments Off
Every service provider in the world claims to have clean power and well-aged passwords, but what’s the benefit in that if their proprietary technology is hacked? We live in an IT world characterized by pseudotransparency.
Category: Cloud security Tags: risk management, security, Security-Summit-NA
by Jay Heiser | January 24, 2011 | 1 Comment
I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else. One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant [...]
Category: IT Governance risk management security Tags: policy, risk management, security, security program management
by Jay Heiser | February 9, 2010 | Comments Off
A man walks into a physician’s office and says “Doctor, it hurts when I use my computer.” The physician replies, “then don’t use your computer.” A dumb old joke or a wise observation on human nature? I receive several calls a week from people looking for the best practices on managing cloud computing security and [...]
Category: Uncategorized Tags: Cloud, cloud security, information security, infosec, risk assessment, risk management
by Jay Heiser | January 26, 2010 | 1 Comment
I’ve spent a lot of the last 2 years researching the problem of making business decisions about the relative levels of risk associated with partners and service providers. Externally provisioned services, such as Cloud Computing (whatever the service) and SaaS (whatever the computing model) are problematic. We’ve learned a lot about security risk management over [...]
Category: Cloud risk management security Tags: Cloud, cloud security, risk assessment, risk management