Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps

Description:

Visible Ops Security builds upon the methodology presented in the original Visible Ops Handbook. It guides information security professionals in strengthening relationships with IT operations and development groups to advance IT objectives and business goals. It addresses the people side of IT, empowering security to work with operations teams to achieve closely aligned objectives and with development and release teams to integrate security requirements into preproduction work. The Visible Ops Security methodology helps IT organizations move beyond a focus on technology to address the core operational aspects of security. It complements publications that focus on securing the network, access, and data, including COBIT (Control Objectives for Information and related Technology), ISO 27001:2005 (International Standards Organization), and ITIL® (IT Infrastructure Library) manuals. It promotes effective teamwork, which helps security professionals ensure that security is built into key development and production processes. This effort positions the IT organization to meet business needs by delivering highly available, cost-effective, and secure services.

Product Details:
Author: Gene Kim
Paperback: 112 pages
Publisher: IT Process Institute, Inc.
Publication Date: March 17, 2008
Language: English
ISBN: 0975568620
Package Length: 7.8 inches
Package Width: 5.5 inches
Package Height: 0.2 inches
Package Weight: 0.25 pounds
Customer Reviews:
Average Customer Review: 4.5 (5 customer reviews)


Most Helpful Customer Reviews

4 of 4 found the following review helpful:

Rating: 5 | Excellent, practical guide to improving operations security | Nov 20, 2008
By M. E. KABAY
Two categories of problems confront IT personnel and the authors provide many specific examples of each:

- conflicts between the requirements of normal IT operations or development practices and expectations of security
- interference of security standards and practices with effective and efficient operations.

Another fundamental problem is that 'Although IT supports the business in many different ways, IT has two primary functions:

- Developing new capabilities and functionality to achieve business objectives
- Operating and maintaining existing IT services to safeguard business commitments'

The authors write, 'Visible Ops Security describes how to resolve this core chronic conflict by enabling the business to simultaneously respond more quickly to urgent business needs and provide stable, security and predictable IT services.' The remainder of the Introduction provides an overview of the four phases of the systematic approach to resolving fundamental problems in the operations and security sectors:

1. Stabilize the patient and get plugged into production
2. Find business risks and fix fragile artifacts
3. Implement development and release controls
4. Continual improvement

For a 12-page review originally published in my Network World Security Strategies newsletter online in November 2008, download the following file:

[...]

M. E. Kabay, PhD, CISSP-ISSMP
Operations and Security Management Consultant
Technical Writer and Editor

2 of 2 found the following review helpful:

Rating: 5 | More good stuff from the Visible Ops guys | Jul 10, 2008
By Alan Cantrell "IT Service Management Program Sponsor"
When I first got into the world of IT Service Management, the Visible Ops Handbook distilled the important information and delivered something that was missing from the official ITIL literature...how to execute. What I found in the accessible pages of the Visible Ops Handbook was how to justify and start a service management initiative. The beauty of the rationale in Visible Ops lies in the fact that it contains not only wisdom but a believable recipe for success. Visible Ops Security does much the same for information security. The book focuses on pre-production activities where the costs are lower.
Visible Ops Security helps the IT organization understand how to figure out what is important and how to gain a measure of control by developing relationships with key elements of the business and IT organization. Most IT organizations understand that they own a measure of risk due to regulatory requirements, potential loss of brand reputation and the often adversarial relationship between information security and the rest of the IT organization...they just don't know how to quantify or mitigate it. Visible Ops Security shows where to start.

2 of 2 found the following review helpful:

Rating: 5 | Visible Ops Security | Apr 21, 2008
By Sasha Romanosky
Visible Ops Security provides the clearest recommendations for improving and sustaining an organization's security operations that I have yet seen. It advocates integrating with, not circumventing, existing IT and business processes. It doesn't advocate security for security's sake but properly recognizes the business purpose for appropriate security policies. The authors are clearly skilled in information security and IT methodologies, and Visible Ops Security reflects this knowledge and experience.

2 of 2 found the following review helpful:

Rating: 4 | Plenty of good insights, but not the whole story | Apr 04, 2008
By Richard Bejtlich "TaoSecurity"
I reviewed Visible Ops (VO) in August 2005, and I provided commentary on a draft of Visible Ops Security (VOS) to co-author Gene Kim. I liked VO, with a few caveats that apply to both VO and VOS. I have mixed feelings on VOS because the book seems more about preparations and less about operations. Security operations (SO) obviously include integration with developers and IT staff, but SO also requires action in the face of attack. If VOS is supposed to be about SO, it should address trying to prevent compromise *and* what to do when prevention fails.

Format-wise, I don't like the "mini-book" format of VO and VOS; the text is too small, particularly in certain tables and charts. In some places I tended to get lost due to the format of headers. Both "Task" and "Step" headers are the same font, so I had trouble understanding where I was reading at times.

VOS has plenty of good insights, a few I'd like to cite here.

Julia Allen's foreword summarizes the book: "[H]igh-performing security teams have unique cultural characteristics (trust with IT, understand business context, and foster cooperation) and attributes (business aligned, plugged in, add value, understand priorities, and are people savvy)." (p 7)

The introduction probably explains why VOS doesn't necessarily address defense, and instead spends more time on preparation: "VOS expands the [ITIL] methodology to show how to integrate information security and compliance objectives into day-to-day IT operations, IT service development, project management, release management, and internal audit." (p 10) If the goal is integration into these functions, then VOS succeeds.

"[A]chieving world-class results in IT operations as measured by high service availability, information security as measured by early and consistent integration into the IT service delivery life cycle, and compliance as measured by the fewest number of repeat audit findings." (p 13) I wouldn't consider an enterprise that has an "integrated" security function to be a "secure" enterprise, but achieving that goal certainly helps.

"[O]ur goal is to have automated detective controls in place and integrated into daily operations, so that when there are outages, or when auditors request substantiation, we can quickly answer the question 'what has changed?' without having to resort to firefighting and forensic archaeology during outages." (pp 29-30) This is a very important point, and VOS is a very change-centric book. Change management (CM) is the core of VO as well; while CM is necessary for good security, it's not sufficient.

Just as I liked the "spectrum" of CM maturity in VO, I liked the "Spectrum of Situational Awareness and Information Security Integration" on pp 42-3. Again, these are change-centric, but the idea that visibility is key to rule out unauthorized activity as a cause for a problem is powerful.

Overall, I think you will find VOS a sound resource for integrating security with other IT-related functions. However, VOS will not necessarily shape the totality of activities one should expect to execute as a security operator.

Rating: 4 | Discussion | Feb 17, 2012
By Benjamin Degennaro
I purchased this book as part of an ITIL Book Club at work. We haven't started discussing the book yet, but I look forward to it.
