The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps

By Kevin Behr; Gene Kim; George Spafford


Product Description

The Core of Visible Ops

Visible Ops is a methodology designed to jumpstart implementation of controls and process improvement in IT organizations needing to increase service levels, security, and auditability while managing costs. Visible Ops is comprised of four prescriptive and self-fueling steps that take an organization from any starting point to a continually improving process.

Making ITIL Actionable

Although the Information Technology Infrastructure Library (ITIL) provides a wealth of best practices, it lacks prescriptive guidance: What do you implement first, and how do you do it? Moreover, the ITIL books remain relatively expensive to distribute. Other information, publicly available from a variety of sources, is too general and vague to effectively aid organizations that need to start or enhance process improvement efforts. The Visible Ops booklet provides a prescriptive roadmap for organizations beginning or continuing their IT process improvement journey.

Why Do You Need Visible Ops?

The Visible Ops methodology was developed because there was not a satisfactory answer to the question: “I believe in the need for IT process improvement, but where do I start?” Since 2000, Gene Kim and Kevin Behr have met with hundreds of IT organizations and identified eight high-performing IT organizations with the highest service levels, best security, and best efficiencies. For years, they studied these high-performing organizations to figure out the secrets to their success. Visible Ops codifies how these organizations achieved their transformation from good to great, showing how interested organizations can replicate the key processes of these high-performing organizations in just four steps:

1. Stabilize Patient, Modify First Response – Almost 80% of outages are self-inflicted. The first step is to control risky changes and reduce MTTR by addressing how changes are managed and how problems are resolved.

2. Catch and Release, Find Fragile Artifacts – Often, infrastructure exists that cannot be repeatedly replicated. In this step, we inventory assets, configurations and services, to identify those with the lowest change success rates, highest MTTR and highest business downtime costs.

3. Establish Repeatable Build Library – The highest return on investment is implementing effective release management processes. This step creates repeatable builds for the most critical assets and services, to make it “cheaper to rebuild than to repair.”

4. Enable Continuous Improvement – The previous steps have progressively built a closed-loop between the Release, Control and Resolution processes. This step implements metrics to allow continuous improvement of all of these process areas, to best ensure that business objectives are met.


Product Details

  • Amazon Sales Rank: #27335 in Books
  • Published on: 2005-06-15
  • Original language: English
  • Binding: Paperback
  • 112 pages

Editorial Reviews

Review
If you are tired of ‘management by hair on fire,’ read this book and consider it carefully. -- Stephen Northcutt, Director of Training and Certification, The SANS Institute, May 2004

The easy mapping between the Visible Ops phases and any maturity model validates the compelling logic of the book. -- Jan Vromant, ITSM Consultant, May 2004

Visible Ops creates a logical starting point and details the key ‘issues and indicators’. -- Henry E. Wojcik, Network Data Systems, May 2004

From the Publisher
The Information Technology Process Institute (ITPI), a not-for-profit organization, is engaged in three principal areas of activity: research, benchmarking and the development of prescriptive guidance for practitioners and business executives. The ITPI has collaboration agreements in place with research organizations such as the Software Engineering Institute at Carnegie Mellon University and faculty from the Decision Sciences program at the University of Oregon. We are currently developing the necessary guidance that solves the common objectives of IT Security, Corporate Governance, Audit and Operations. Through research, development and benchmarking, the ITPI creates powerful measurement tools, prescriptive adoption methods, and control metrics to facilitate management by fact. Visible Ops is the first major publication of the ITPI.

About the Author
Kevin Behr is the president and founder of the ITPI, as well as the CTO of IP Services, Inc. Kevin’s 15 years of experience in IT operations, security and field engineering spans environments ranging from financial services, manufacturing and technology sectors, allowing him to identify common problem domains and develop powerful solutions for IT Operations that span industry and scale. Kevin is working on development of IT operations management curriculum and research grants in conjunction with researchers from the Decision Sciences and MBA Programs at the University of Oregon Lundquist College of Business. Kevin is currently working with Gene Kim and Julia Allen, a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute at Carnegie Mellon University, on prescriptive adoption methods that integrate best practices in IT operations, security, and audit. Kevin holds the CISA designation and is ITIL certified. Kevin is also a frequently invited speaker called on to address a broad range of technology and management framework topics by organizations such as The National Academies of Science, Hewlett Packard, The SANS Institute, AFCOM, The Palmer Group, The Software Engineering Institute at Carnegie Mellon University, CERT, Tripwire, and BetterManagement.com.

Gene Kim is the CTO and co-founder of Tripwire, Inc. In 1992, he co-authored Tripwire while at Purdue University with Dr. Gene Spafford. Although Gene is widely published on computer security, operating systems and networking in SANS, ACM and IEEE publications, he is continually fixated on the problems of process integrity issues in Operations and Security. He is currently actively working on a series of projects with the Software Engineering Institute and Institute of Internal Auditors to capture how "best in class" organizations have Security, Operations, Audit, Management, and Governance working together to solve common objectives. Gene is certified on both IT management and audit processes, possessing both ITIL Foundations and CISA certifications. In 2004, he was named by InfoWorld as one of the “Four Up and Coming CTOs to Watch.” Gene holds an M.S. in computer science from University of Arizona and a B.S. in computer sciences from Purdue University. Gene co-chaired the April 2003 SANS technical workshop called Auditable Security Controls That Work, hailed by SANS as one of their top five gifts back to the community. In October, Gene co-chaired the Best In Class Security And Operations Roundtable (BIC-SORT) with the Software Engineering Institute at Carnegie Mellon University.

George Spafford is an IT process consultant interested in the intersection of human factors, security, and complexity in the world of information technology. George is a prolific author on a wide range of topics including project management, technology business, communication, and security. He is the Vice President of Publishing for the ITPI. George has held a number of positions in IT operations, development and management. He holds an MBA from Notre Dame, a BA in Materials and Logistics Management from Michigan State University and an honorary degree from Konan Daigaku of Japan. He's a member of the ISACA and ITPI.


Customer Reviews

A way to stop the IT insanity (4 stars)
I read The Visible Ops Handbook because a friend told me his company was considering integrating the booklet's ideas into their product line. I had not heard much about the Information Technology Infrastructure Library (ITIL), but I was familiar with the problems caused by poor administration. I perform network incident response (IR), so I am often asked to solve problems in three days that clients have been confronting for three months or years. After reading Visible Ops, I will recommend it to every IR client who asks me to remediate intrusions.

Simply put, Visible Ops provides four simple steps to stop the IT insanity. The book offers a quote attributed to Albert Einstein on p 42: "Insanity is doing the same thing over and over, and expecting a different result." Many organizations have unintentionally embraced this concept, continuing to pursue the same broken administration techniques and wondering when they will ever stop fighting fires. The Visible Ops process is the answer they have been pursuing.

My favorite aspect of the book is its narrative examples. These contain quotes by real administrators and managers and address problems like "the DHCP server, running on a DNS server, built four years ago by a college intern, that no one touches nor understands." Another similarly amusing (and sad) section presents seven steps in the "spectrum of change" on p 36. This ranges from the poor end, like "Oblivious to Change: 'Hey, did the switch just reboot?'" and "Aware of Change: 'Hey, who just rebooted the switch?'" to the most mature option, "Managing Change".

In terms of the booklet's advice, I found it rock solid, especially this recommendation: when a problem occurs, don't log into the infrastructure and begin troubleshooting. Rather, check to see who made the last configuration change. Since "80% of IT and system outages are caused by operator and application errors," and not intruders, those confronting an incident should always begin by looking at themselves, and not outside "hackers."

I also found Appendix A, Preparing for Audits, to be a succinct and helpful look at the worldview of the auditor. The "Controls 101" section described preventative, detective, and corrective controls, which reminded me of the protection, detection, and response phases of the security process. Advice on p 70 also made sense in light of the debate over intrusion detection systems vs "intrusion prevention systems": "Document your preventative controls, and have detective controls in place to show they work." If your IPS is both a preventative and detective control, how do you check when it has failed?

I found few reasons to dislike Visible Ops, but I had enough issues to give only four stars. First, the book needs to be printed in a bigger form factor. The problem with Visible Ops is that its small size (5x7) reduces some of the fonts used in various tables to be almost illegible. Second, the booklet is too internally repetitive. This is especially true in the appendices, where points continue to reappear.

Third, I fear that the book, along with all those taking an audit-centric approach to security, sees controls as the be-all, end-all of the security process. It seems too much attention is paid to preventing incidents, with not enough resources devoted to detection and response. Corrective controls, for example, do not receive the attention they deserve. Rebuilding from bare metal is the recovery action of choice in Visible Ops, but rebuilding another vulnerable server strays towards the definition of insanity mentioned earlier.

Overall, I recommend everyone associated with IT, security, operations, and audit read Visible Ops. The booklet is small enough to read in a few hours, since the main material and Appendix A end on p 73. I look forward to more extensive materials from this excellent team of authors.

Philosophy Of Information Technology Control 101 (5 stars)
Visible Ops gets to the essence of good control practices for today's IT environment. Having preached the gospel of IT control and governance for over 20 years, I believe Visible Ops presents a control philosophy and methodology that is a dream come true for IT auditors. The extensive journey of discussions with IT professionals, Palmer Group members, and Practitioner's Roundtable sessions that Kevin, Gene, and George embarked on has produced a gem.

John P. Withington
Vice President - Information Systems Audit
NASD

NO IT Professional should be without a copy of.... (5 stars)
After reading the Visible Ops Handbook, my VP of IT Governance and I were so impressed that we made it required client reading on all of our Sarbanes-Oxley compliance engagements. Plenty of writers are saying what needs to be in place, while Visible Ops actually explains a path to getting there.

Great, clear, concise reading. A MUST.

Robin Basham,
President, Phoenix Business & Systems Process, Inc.