Great book. I was looking for a book to help me bridge the gap a little between an IT security department and an Operations Infrastructure team. This book isn't the end all be all, but it helped and was well written.
As you implement Lean or ITIL, Security Management hangs out there as obviously important, but a journey as difficult as the ones you've completed. This breaks it down into small, digestible pieces, and makes it straightforward.
I reviewed Visible Ops (VO) in August 2005, and I provided commentary on a draft of Visible Ops Security (VOS) to co-author Gene Kim. I liked VO, with a few caveats that apply to both VO and VOS. I have mixed feelings on VOS because the book seems more about preparations and less about operations. Security operations (SO) obviously include integration with developers and IT staff, but SO also requires action in the face of attack. If VOS is supposed to be about SO, it should address trying to prevent compromise *and* what to do when prevention fails.
Format-wise, I don't like the "mini-book" format of VO and VOS; the text is too small, particularly in certain tables and charts. In some places I tended to get lost due to the format of headers. Both "Task" and "Step" headers are the same font, so I had trouble understanding where I was reading at times.
VOS has plenty of good insights, a few I'd like to cite here.
Julia Allen's foreword summarizes the book: "[H]igh-performing security teams have unique cultural characteristics (trust with IT, understand business context, and foster cooperation) and attributes (business aligned, plugged in, add value, understand priorities, and are people savvy)." (p 7)
The introduction probably explains why VOS doesn't necessarily address defense, and instead spends more time on preparation: "VOS expands the [ITIL] methodology to show how to integrate information security and compliance objectives into day-to-day IT operations, IT service development, project management, release management, and internal audit." (p 10) If the goal is integration into these functions, then VOS succeeds.
"[A]chieving world-class results in IT operations as measured by high service availability, information security as measured by early and consistent integration into the IT service delivery life cycle, and compliance as measured by the fewest number of repeat audit findings." (p 13) I wouldn't consider an enterprise that has an "integrated" security function to be a "secure" enterprise, but achieving that goal certainly helps.
"[O]ur goal is to have automated detective controls in place and integrated into daily operations, so that when there are outages, or when auditors request substantiation, we can quickly answer the question 'what has changed?' without having to resort to firefighting and forensic archaeology during outages." (pp 29-30) This is a very important point, and VOS is a very change-centric book. Change management (CM) is the core of VO as well; while CM is necessary for good security, it's not sufficient.
Just as I liked the "spectrum" of CM maturity in VO, I liked the "Spectrum of Situational Awareness and Information Security Integration" on pp 42-3. Again, these are change-centric, but the idea that visibility is key to rule out unauthorized activity as a cause for a problem is powerful.
Overall, I think you will find VOS a sound resource for integrating security with other IT-related functions. However, VOS will not necessarily shape the totality of activities one should expect to execute as a security operator.
Reviewed in the United States on November 20, 2008
Two categories of problems confront IT personnel, and the authors provide many specific examples of each:
- conflicts between the requirements of normal IT operations or development practices and expectations of security
- interference of security standards and practices with effective and efficient operations
Another fundamental problem is that 'Although IT supports the business in many different ways, IT has two primary functions:'
- Developing new capabilities and functionality to achieve business objectives
- Operating and maintaining existing IT services to safeguard business commitments

The authors write, 'Visible Ops Security describes how to resolve this core chronic conflict by enabling the business to simultaneously respond more quickly to urgent business needs and provide stable, secure and predictable IT services.'

The remainder of the Introduction provides an overview of the four phases of the systematic approach to resolving fundamental problems in the operations and security sectors:
1. Stabilize the patient and get plugged into production
2. Find business risks and fix fragile artifacts
3. Implement development and release controls
4. Continual improvement
For a 12-page review originally published in my Network World Security Strategies newsletter online in November 2008, download the following file:
M. E. Kabay, PhD, CISSP-ISSMP
Operations and Security Management Consultant
Technical Writer and Editor
When I first got into the world of IT Service Management, the Visible Ops Handbook distilled the important information and delivered something that was missing from the official ITIL literature...how to execute. What I found in the accessible pages of the Visible Ops Handbook was how to justify and start a service management initiative. The beauty of the rationale in Visible Ops lies in the fact that it contains not only wisdom but a believable recipe for success. Visible Ops Security does much the same for information security. The book focuses on pre-production activities where the costs are lower. Visible Ops Security helps the IT organization understand how to figure out what is important and how to gain a measure of control by developing relationships with key elements of the business and IT organization. Most IT organizations understand that they own a measure of risk due to regulatory requirements, potential loss of brand reputation and the often adversarial relationship between information security and the rest of the IT organization...they just don't know how to quantify or mitigate it. Visible Ops Security shows where to start.
Visible Ops Security provides the clearest recommendations for improving and sustaining an organization's security operations that I have yet seen. It advocates integrating with, not circumventing, existing IT and business processes. It doesn't advocate security for security's sake but properly recognizes the business purpose for appropriate security policies. The authors are clearly skilled in information security and IT methodologies, and Visible Ops Security reflects this knowledge and experience.