Tuesday, March 19, 2002
Wrestling Demons. I've recently upgraded my desktop system to Windows 2000 and am having my share of problems. One of the most frustrating is the fact that my vanilla PS/2 keyboard is not recognized! The good news is my system now boots faster. The bad news is I cannot interact with it via my keyboard. The worst news, though, is my keyboard is the Microsoft Internet model. I'm starting to share Mike's disdain for anything coming out of Redmond.
Securing Business Information
Cookbook approach that makes a complex task manageable
Of all the security books I've read, this one stands out as the best for two reasons: (1) it lays out what is needed and the steps to take to develop an enterprise security policy in a clear, logical sequence, and (2) there are no gaps in the proposed process. Indeed, it appears that the authors had 'due diligence' as their foremost principle when they wrote this book. In addition, their experience is evident in the way they approach the subject and tie it together.
The approach is straightforward: initiate, assess, gather requirements, perform a gap analysis, develop a baseline and implement. What makes the approach unique is the 'divide and conquer' technique that partitions the business into security domains. This has benefits beyond decomposing the complexities of enterprise security into manageable pieces - it can also be linked into enterprise problem management and business continuity planning processes because you're forced to examine your resources and systems, and to prioritize them according to their criticality. I also liked the discussion of policies, which discussed the merits of identity-based and role-based approaches, and included excellent advice on policy auditing. One strong point about this section was the treatment of finding documented *and* undocumented policies. This material is applicable to anyone who is involved in policies and procedures development, regardless of whether or not it's related to security. I also especially liked the chapter on trust modeling. This is one area where I learned much from the book.
I've only touched upon key elements of this book. A review of the table of contents will reveal that it's complete and filled with case studies and important discussions of technologies that can be employed to create an effective enterprise security posture. This book is obviously applicable to security specialists, but is also useful to business continuity planners, service delivery practitioners and service providers. It is, to date, the best book on security that I've come across among the 20 I've read. It's also a complete recipe for the successful development and implementation of enterprise security policies, processes and procedures.
Enterprise Data Center Design
Hard to find information that is clearly presented
There is a large gap between IT data center operations and facilities management professionals. This book bridges that gap, at least on the IT side, by clearly explaining the issues and factors that need to be addressed for effective management of a data center that complies with local codes and regulations. Most IT professionals are unaware of the regulatory requirements with which a data center must comply - unless they've been shut down by a city inspector, at which point the concept of reliability, availability and support becomes moot. This book provides a good education about this obscure topic, as well as everything else that a data center operations manager should know in order to do his or her job. This doesn't shift responsibilities away from facilities managers, but it does give IT and facilities common ground and a shared understanding of each domain's roles and responsibilities. Here's an example of why this is necessary: systems that need to be brought into production usually require platforms, storage and network connections. These consume power and environmental system capacity and require space, all of which are finite and all of which are governed by building, fire and safety codes. Many organizations order equipment first, then notify facilities, when the right way is to jointly plan and manage data center growth. This book provides the basis for doing this, and if followed by both IT and facilities, will ensure smooth and uninterrupted operations and proactive physical capacity management.
The book starts with data center design philosophy, giving the top ten design guidelines. This is followed with detailed design criteria that cover project issues, insurance and local building codes. While these are of more concern to facilities managers, IT needs to be aware of their impact. It also discusses availability profiles, which do directly concern IT. Chapter 3 is also of direct interest to IT because it discusses physical and logical security, facilities system monitoring and planning for expansion. In fact, this chapter is where IT and facilities professionals intersect.
Chapters 4 through 8 are of more interest to facilities professionals because the topics cover details such as physical capacities and resources, site selection and construction details, implementing raised floors, power distribution and HVAC. Despite the slant towards facilities, reading through these chapters will give IT data center managers insights into the challenges faced by facilities, and will offer a lot of information that can be used to develop safety plans and general housekeeping procedures.
The next chapters (9 through 12) are of interest to both IT and facilities, and cover network cabling infrastructure, shipping, receiving, and staging, hazards and environmental contaminants, codes and construction. These are areas in which IT and facilities need to closely collaborate.
This is the first book that covers data center facilities in a manner that IT professionals will find readable and understandable. It usually takes years of experience and reading facilities-focused materials, of which only a fraction is applicable, to gain the knowledge that the author provides.
Information Technology: Management Challenge
Essential to seeing the big picture
The eleven chapters in this 199-page book give a roadmap for aligning business and IT, and for effectively delivering value. As such, this book should be on the bookshelf or reading list of anyone who is involved in IT management or consulting.
Chapter 1 opens with IT as it relates to the global business environment. Much has been said about the global nature of the connected world, but the views provided by two essays, reinforced with a case study and capped off with an action checklist, sum up the key issues.
The book uses the same structure (discussion, reinforcing case study, action checklist) in every chapter. I like this approach because it has enabled the author to present the key issues in succinct terms, demonstrate those issues in action, then give a structure from which you can develop your own plans. I also like the fact that management views written by other writers who are experts in their fields are included in many of the chapters.
Each chapter addresses a specific and important aspect of IT management, and each builds upon the preceding chapter. The sequence is: frameworks for thinking about business and IT (an especially solid chapter because it gives a point of reference for the rest of the book), delivering information, IT for competitive advantage (another excellent chapter!) and managing the development of an IT strategy. Although the book is not divided into sections, these chapters are a foundation for what's to come. The next two chapters cover analyzing IT investments and the impact of IT on an organization. These set the stage for the two that follow: implementing the IT strategy and the business manager's role in development. The book concludes with two chapters that cover major trends in IT (this chapter is still valid despite the fact that the book was written in 1999) and management concerns for the future.
The book is well written and thought-provoking. I got through it in a weekend, then spent weeks thinking about much of what was presented, and frequently referred back to key chapters. The action checklists are probably the most valuable parts of the book and are carefully crafted to make you think about key issues as they relate to your organization.