The long view of security strategies for your network.
In my last column, I introduced the excellent booklet called "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps", by Gene Kim, Paul Love and George Spafford.
Phase 1 provides a chilling reminder of how badly information assurance implementation can go wrong. A table lists many typical issues (with narrative examples, some of which are hilarious) that those of us who perform security assessments and audits encounter all the time; examples include (quoting directly):
* Inadequate situational awareness (I came into the information security job full of high hopes, but I started to realize that I was dropped into the desert, with no idea what I was supposed to start walking in. Worse, I didn’t know how big the desert was, but I did know that I had no food or water. / I also started to notice that everyone seemed to be avoiding me, often running in the opposite direction when they saw me.)
* Information security ineffective as an afterthought (We couldn’t believe they just deployed the application over our objections. I’m literally losing sleep at night because of the potential risk of loss of confidential information. I said, “Look, you can’t put private health information out on the public Internet.” They just don’t seem to understand, and they all say I’m being hysterical, paranoid, and an obstacle.)
* Information security disrupts IT operations and IT operations gets in information security’s way (…. And half the time, when we do get the patches in, I almost wish we hadn’t. At the end of last year, we did a database patch that broke seven of our top business applications. . . .)
Step 1 of Phase 1 is “Gain Situational Awareness.” The authors urge practitioners to know exactly (again, quoting)
1.1 What senior management and the business wants from information security.
1.2 How the business units are organized and operate.
1.3 What the IT process and technology landscapes are.
1.4 What the high-level risk indicators from the past are.
In good, clear English, the authors then expand on each of the four tasks above with practical examples and excellent suggestions that readers can use in formulating their own responses for their own organizations.
Step 2 of Phase 1 is “Integrate into Change Management.” The key tasks (again, well developed and explained in the text) are as follows:
2.1 Get invited to change advisory board (CAB) meetings (i.e., learn what has to be changed in the production environment before it gets changed behind the security team’s back – and be cooperative and supportive instead of obstructive)
2.2 Build and electrify the fence (i.e., develop automated measures to detect changes in the production code, processes and infrastructure)
2.3 Ensure tone from the top and define the consequences (i.e., use top management’s explicit support to change the corporate culture – and develop a finely-graded scale of consequences for violating security rules)
2.4 Substantiate that the electric fence is working (i.e., audit your own change-control procedures to verify that people are actually following them)
2.5 Look for red flags (i.e., analyze service interruptions and look for evidence that change-control procedures were violated)
2.6 Address failed changes (i.e., perform root-cause analysis on problems)
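To make steps 2.2, 2.4 and 2.5 concrete, here is a small added example (my own illustration, not code from the booklet or its authors): it takes a hashed baseline of production files, detects what changed, and reconciles each change against the CAB-approved change windows, so anything unmatched surfaces as a red flag. The file paths, ticket number and dates are constructed sample data.

```python
import fnmatch
import hashlib
from datetime import datetime

def snapshot(files):
    """Hash each file's content; files is {path: bytes}. Taken at each audit interval."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def detect_changes(baseline, current):
    """Compare two snapshots and classify every difference (the 'electric fence')."""
    changes = {}
    for path in set(baseline) | set(current):
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "removed"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes

def reconcile(changes, approved, observed_at):
    """Match each detected change to a CAB ticket whose window and path patterns cover it;
    anything unmatched is a change made behind the security team's back (a red flag)."""
    flagged = {}
    for path, kind in changes.items():
        covered = any(
            ticket["start"] <= observed_at <= ticket["end"]
            and any(fnmatch.fnmatch(path, pattern) for pattern in ticket["paths"])
            for ticket in approved
        )
        if not covered:
            flagged[path] = kind
    return flagged

# Constructed sample data: hypothetical paths, a hypothetical ticket and an invented schedule.
BASELINE_FILES = {
    "/srv/app/config.yml": b"db_host=db01\n",
    "/srv/app/lib/auth.py": b"def check(): return True\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {**BASELINE_FILES,
    "/srv/app/config.yml": b"db_host=db02\n",                      # edited under CHG-0042
    "/etc/cron.d/cleanup": b"*/5 * * * * root /usr/local/bin/cleanup\n",  # no ticket covers this
}
APPROVED = [
    {"ticket": "CHG-0042", "paths": ["/srv/app/*"],
     "start": datetime(2024, 5, 1, 22, 0), "end": datetime(2024, 5, 2, 2, 0)},
]

def audit(observed_at=datetime(2024, 5, 1, 23, 30)):
    """Return (all detected changes, the subset with no approved ticket)."""
    changes = detect_changes(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return changes, reconcile(changes, APPROVED, observed_at)
```

Running `audit()` reports the config edit as covered by CHG-0042 and the new cron entry as unauthorized; in practice the baseline would be refreshed only after each approved change is verified.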
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.