Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps
Authors: Gene Kim, Paul Love, George Spafford
Publisher: IT Process Institute, Inc.
Category: Book
Buy New: $21.95
Rating: 3 reviews
Sales Rank: 410849
Media: Paperback
Pages: 112
Shipping Weight (lbs): 0.4
Dimensions (in): 7.8 x 5.4 x 0.3
ISBN: 0975568620
EAN: 9780975568620
ASIN: 0975568620
Publication Date: March 17, 2008
Editorial Reviews:

Product Description

Visible Ops Security builds upon the methodology presented in the original Visible Ops Handbook. It guides information security professionals in strengthening relationships with IT operations and development groups to advance IT objectives and business goals. It addresses the people side of IT, empowering security to work with operations teams to achieve closely aligned objectives and with development and release teams to integrate security requirements into preproduction work. The Visible Ops Security methodology helps IT organizations move beyond a focus on technology to address the core operational aspects of security. It complements publications that focus on securing the network, access, and data, including COBIT (Control Objectives for Information and related Technology), ISO 27001:2005 (International Standards Organization), and ITIL (IT Infrastructure Library) manuals. It promotes effective teamwork, which helps security professionals ensure that security is built into key development and production processes. This effort positions the IT organization to meet business needs by delivering highly available, cost-effective, and secure services.
Customer Reviews:

More good stuff from the Visible Ops guys (July 10, 2008), Alan Cantrell (Vanderbilt University Medical Center, Nashville, TN). 1 out of 1 found this review helpful.
When I first got into the world of IT Service Management, the Visible Ops Handbook distilled the important information and delivered something that was missing from the official ITIL literature...how to execute. What I found in the accessible pages of the Visible Ops Handbook was how to justify and start a service management initiative. The beauty of the rationale in Visible Ops lies in the fact that it contains not only wisdom but a believable recipe for success. Visible Ops Security does much the same for information security. The book focuses on pre-production activities where the costs are lower. Visible Ops Security helps the IT organization understand how to figure out what is important and how to gain a measure of control by developing relationships with key elements of the business and IT organization. Most IT organizations understand that they own a measure of risk due to regulatory requirements, potential loss of brand reputation and the often adversarial relationship between information security and the rest of the IT organization...they just don't know how to quantify or mitigate it. Visible Ops Security shows where to start.
Visible Ops Security (April 21, 2008), Sasha Romanosky (Carnegie Mellon University, Pittsburgh, PA). 1 out of 2 found this review helpful.
Visible Ops Security provides the clearest recommendations for improving and sustaining an organization's security operations that I have yet seen. It advocates integrating with, not circumventing, existing IT and business processes. It doesn't advocate security for security's sake but properly recognizes the business purpose for appropriate security policies. The authors are clearly skilled in information security and IT methodologies, and Visible Ops Security reflects this knowledge and experience.
Plenty of good insights, but not the whole story (April 4, 2008), Richard Bejtlich (Washington, DC). 1 out of 2 found this review helpful.
I reviewed Visible Ops (VO) in August 2005, and I provided commentary on a draft of Visible Ops Security (VOS) to co-author Gene Kim. I liked VO, with a few caveats that apply to both VO and VOS. I have mixed feelings on VOS because the book seems more about preparations and less about operations. Security operations (SO) obviously include integration with developers and IT staff, but SO also requires action in the face of attack. If VOS is supposed to be about SO, it should address trying to prevent compromise *and* what to do when prevention fails.

Format-wise, I don't like the "mini-book" format of VO and VOS; the text is too small, particularly in certain tables and charts. In some places I tended to get lost due to the format of headers. Both "Task" and "Step" headers are the same font, so I had trouble understanding where I was reading at times.

VOS has plenty of good insights, a few I'd like to cite here. Julia Allen's foreword summarizes the book: "[H]igh-performing security teams have unique cultural characteristics (trust with IT, understand business context, and foster cooperation) and attributes (business aligned, plugged in, add value, understand priorities, and are people savvy)." (p 7)

The introduction probably explains why VOS doesn't necessarily address defense, and instead spends more time on preparation: "VOS expands the [ITIL] methodology to show how to integrate information security and compliance objectives into day-to-day IT operations, IT service development, project management, release management, and internal audit." (p 10) If the goal is integration into these functions, then VOS succeeds. "[A]chieving world-class results in IT operations as measured by high service availability, information security as measured by early and consistent integration into the IT service delivery life cycle, and compliance as measured by the fewest number of repeat audit findings." (p 13) I wouldn't consider an enterprise that has an "integrated" security function to be a "secure" enterprise, but achieving that goal certainly helps.

"[O]ur goal is to have automated detective controls in place and integrated into daily operations, so that when there are outages, or when auditors request substantiation, we can quickly answer the question 'what has changed?' without having to resort to firefighting and forensic archaeology during outages." (pp 29-30) This is a very important point, and VOS is a very change-centric book. Change management (CM) is the core of VO as well; while CM is necessary for good security, it's not sufficient. Just as I liked the "spectrum" of CM maturity in VO, I liked the "Spectrum of Situational Awareness and Information Security Integration" on pp 42-3. Again, these are change-centric, but the idea that visibility is key to rule out unauthorized activity as a cause for a problem is powerful.

Overall, I think you will find VOS a sound resource for integrating security with other IT-related functions. However, VOS will not necessarily shape the totality of activities one should expect to execute as a security operator.