The Visible Ops Handbook: Starting ITIL in 4 Practical Steps [Paperback]

Kevin Behr (Author), Gene Kim (Author), George Spafford (Author)

Book Description

Publication Date: June 2004

THE CORE OF VISIBLE OPS Visible Ops is a methodology designed to jumpstart implementation of controls and process improvement in IT organizations needing to increase service levels, security, and auditability while managing costs. Visible Ops is comprised of four prescriptive and self-fueling steps that take an organization from any starting point to a continually improving process.

MAKING ITIL ACTIONABLE
Although the Information Technology Infrastructure Library (ITIL) provides a wealth of best practices, it lacks prescriptive guidance: What do you implement first, and how do you do it? Moreover, the ITIL books remain relatively expensive to distribute. Other information, publicly available from a variety of sources, is too general and vague to effectively aid organizations that need to start or enhance process improvement efforts. The Visible Ops booklet provides a prescriptive roadmap for organizations beginning or continuing their IT process improvement journey.

WHY DO WE NEED VISIBLE OPS?
The Visible Ops methodology was developed because there was not a satisfactory answer to the question: "I believe in the need for IT process improvement, but where do I start?" Since 2000, Gene Kim and Kevin Behr have met with hundreds of IT organizations and identified eight high-performing IT organizations with the highest service levels, best security, and best efficiencies.

For years, they studied these high-performing organizations to figure out the secrets to their success. Visible Ops codifies how these organizations achieved their transformation from good to great, showing how interested organizations can replicate the key processes of these high-performing organizations in just four steps:

1. Stabilize Patient, Modify First Response – Almost 80% of outages are self-inflicted. The first step is to control risky changes and reduce MTTR by addressing how changes are managed and how problems are resolved.

2. Catch and Release, Find Fragile Artifacts – Often, infrastructure exists that cannot be repeatedly replicated. In this step, we inventory assets, configurations and services, to identify those with the lowest change success rates, highest MTTR and highest business downtime costs.

3. Establish Repeatable Build Library – The highest return on investment is implementing effective release management processes. This step creates repeatable builds for the most critical assets and services, to make it "cheaper to rebuild than to repair."

4. Enable Continuous Improvement – The previous steps have progressively built a closed-loop between the Release, Control and Resolution processes. This step implements metrics to allow continuous improvement of all of these process areas, to best ensure that business objectives are met.

Editorial Reviews

Review

If you are tired of ‘management by hair on fire,’ read this book and consider it carefully. -- Stephen Northcutt, Director of Training and Certification, The SANS Institute

The easy mapping between the Visible Ops phases and any maturity model validates the compelling logic of the book. -- Jan Vromant, ITSM Consultant

Visible Ops creates a logical starting point and details the key ‘issues and indicators’. -- Henry E. Wojcik, Network Data Systems, May, 2004

VisibleOps is the Rosetta Stone that the IT industry has been seeking to communicate the business value of ITIL. -- Daniel S. Waite, Senior Consultant, BMC Software

VisibleOps shows IT managers how to build operational processes to answer the auditors’ eternal question: ’How do you really know?’ -- Ruby Christina Bauske, Lead Technology Auditor, CPA, CIA, CISA, CISSP

From the Publisher

The Information Technology Process Institute (ITPI), a not for profit organization, is engaged in three principle areas of activity: research, benchmarking and the development of prescriptive guidance for practitioners and business executives. The ITPI has collaboration agreements in place with research organizations such as the Software Engineering Institute at Carnegie Mellon University and faculty from the Decision Sciences program at the University of Oregon. We are currently developing the necessary guidance that solves the common objectives of IT Security, Corporate Governance, Audit and Operations. Through research, development and benchmarking, the ITPI creates powerful measurement tools, prescriptive adoption methods, and control metrics to facilitate management by fact. Visible Ops is the first major publication of the ITPI.

See all Editorial Reviews

Product Details

• Paperback: 84 pages
• Publisher: Information Technology Process Institute (June 2004)
• ISBN-10: 0975568604
• ISBN-13: 978-0975568606
• Product Dimensions: 6.9 x 4.9 x 0.4 inches
• Shipping Weight: 4 ounces
• Average Customer Review: 4.4 out of 5 stars  See all reviews (50 customer reviews)
• Amazon Best Sellers Rank: #1,894,049 in Books (See Top 100 in Books)

More About the Author

Kevin Behr is the president and founder of the ITPI, as well as the CTO of IP Services, Inc. Kevin's 15 years experience in IT operations, security and field engineering spans environments ranging from financial services, manufacturing and technology sectors, allowing him to identify common problem domains and develop powerful solutions for IT Operations that span industry and scale. Kevin is working on development of IT operations management curriculum and research grants in conjunction with researchers from the Decision Sciences and MBA Programs at the University Of Oregon Lundquist College Of Business. Kevin is currently working with Gene Kim and Julia Allen, a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute at Carnegie Mellon University on prescriptive adoption methods that integrate best practices in IT operations, security, and audit. Kevin holds the CISA designation and is ITIL certified. Kevin is also a frequently invited speaker called on to address a broad range of technology and management framework topics by organizations such as The National Academies of Science, Hewlett Packard, The SANS Institute, AFCOM, The Palmer Group, The Software Engineering Institute at Carnegie Mellon University, CERT, Tripwire, and BetterManagement.com.

Customer Reviews

Most Helpful Customer Reviews

59 of 60 people found the following review helpful:

4.0 out of 5 stars A way to stop the IT insanity, August 5, 2005

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps (Paperback)

I read The Visible Ops Handbook because a friend told me his company was considering integrating the booklet's ideas into their product line. I had not heard much about the Information Technology Infrastructure Library (ITIL), but I was familiar with the problems caused by poor administration. I perform network incident response (IR), so I am often asked to solve problems in three days that clients have been confronting for three months or years. After reading Visible Ops, I will recommend it to every IR client who asks me to remediate intrusions.

Simply put, Visible Ops provides four simple steps to stop the IT insanity. The book offers a quote attributed to Albert Einstein on p 42: "Insanity is doing the same thing over and over, and expecting a different result." Many organizations have unintentionally embraced this concept, continuing to pursue the same broken administration techniques and wondering when they will ever stop fighting fires. The Visible Ops process is the answer they have been pursuing.

My favorite aspect of the book is its narrative examples. These contain quotes by real administrators and managers and address problems like "the DHCP server, running on a DNS server, built four years ago by a college intern, that no one touches nor understands." Another similarly amusing (and sad) section presents seven steps in the "spectrum of change" on p 36. This ranges from the poor end, like "Oblivious to Change: 'Hey, did the switch just reboot?'" and "Aware of Change: 'Hey, who just rebooted the switch?'" to the most mature option, "Managing Change".

In terms of the booklet's advice, I found it rock solid, especially this recommendation: when a problem occurs, don't log into the infrastructure and begin troubleshooting. Rather, check to see who made the last configuration change. Since "80% of IT and system outages are caused by operator and application errors," and not intruders, those confronting an incident should always begin by looking at themselves, and not outside "hackers."

I also found Appendix A, Preparing for Audits, to be a succinct and helpful look at the worldview of the auditor. The "Controls 101" section described preventative, detective, and corrective controls, which reminded me of the protection, detection, and response phases of the security process. Advice on p 70 also made sense in light of the debate over intrusion detection systems vs "intrusion prevention systems": "Document your preventative controls, and have detective controls in place to show they work." If your IPS is both a preventative and detective control, how do you check when it has failed?

I found few reasons to dislike Visible Ops, but I had enough issues to give only four stars. First, the book needs to be printed in a bigger form factor. The problem with Visible Ops is that its small size (5x7) reduces some of the fonts used in various tables to be almost illegible. Second, the booklet is too internally repetitive. This is especially true in the appendices, where points continue to reappear.

Third, I fear that the book, along with all those taking an audit-centric approach to security, sees controls as the be-all, end-all of the security process. It seems too much attention is paid to preventing incidents, with not enough resources devoted to detection and response. Corrective controls, for example, do not receive the attention they deserve. Rebuilding from bare metal is the recovery action of choice in Visible Ops, but rebuilding another vulnerable server strays towards the definition of insanity mentioned earlier.

Overall, I recommend everyone associated with IT, security, operations, and audit read Visible Ops. The booklet is small enough to read in a few hours, since the main material and Appendix A ends on p 73. I look forward to more extensive materials from this excellent team of authors.

15 of 15 people found the following review helpful:

5.0 out of 5 stars Philosophy Of Information Technology Control 101, October 22, 2004

By 

John Withington - See all my reviews
(REAL NAME)   

This review is from: The Visible Ops Handbook: Starting ITIL in 4 Practical Steps (Paperback)

Visible Ops gets to the essence of good control practices for today's IT environment. Having preached the gospel of IT control and governance for over 20 years, I believe Visible Ops presents a control philosophy and methodology that is a dream come true for IT auditors. The extensive journey of discussions with IT professionals, Palmer Group members, and Practitioner's Roundtable sessions that Kevin, Gene, and George embarked on has produced a gem.

John P. Withington
Vice President - Information Systems Audit
NASD

18 of 19 people found the following review helpful:

5.0 out of 5 stars NO IT Professional should be without a copy of...., October 21, 2004

By 

Robin J. Basham "Robin Basham" (Needham, MA) - See all my reviews
(REAL NAME)   

This review is from: The Visible Ops Handbook: Starting ITIL in 4 Practical Steps (Paperback)

After reading the Visible Ops Handbook, my VP of IT Governance and I were so impressed that we made it required client reading on all of our Sarbanes-Oxley compliance engagements. Plenty of writers are saying what needs to be in place, while Visible Ops actually explains a path to getting there.

Great, clear, concise reading. A MUST.

Robin Basham,
President, Phoenix Businsess & Systems Process, Inc.