JP Vossen on 17 Nov 2018 08:59:57 -0800

Re: [PLUG] DevOps practices/framework


On 11/15/18 8:54 PM, JP Vossen wrote:
I've been asked at $WORK to see if there is some kind of best practices/framework/standard thing we can align to so we can be Big Company Buzzword Compliant.  I'm aware of these so far but I have not yet read them in depth:
...

Thanks to all who replied. I guess I was not 100% clear, because the Agile, etc., references were jokes, and the devops stuff is just background/context for what my team actually does. This has nothing to do with "devops" standards, it has to do with overall IT governance and general Big Company Buzzword Compliance.


Note the markup below is what I get when I copy & paste from my "Zim Desktop Wiki", which I left since it illustrates the other thread about alternatives to M$ Word. [ ] is an unchecked box, [*] is checked, [x] is red-Xed, * is a bullet, etc. Simple but awesome and plain text. It can tie into Git, BZR, & Hg too.


After spending Friday afternoon reading, I think I can make this one work:

NIST: Framework for Improving Critical Infrastructure Cybersecurity
-------------------------------------------------------------------
	* https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework

### v1.1 2018-04-16
[*] https://www.nist.gov/cyberframework
	[*] wget https://doi.org/10.6028/NIST.CSWP.04162018
	[*] 55 Pages: Framework for Improving Critical Infrastructure Cybersecurity
		* Version 1.1
		* National Institute of Standards and Technology
		* April 16, 2018


I also read a bit about the following, just for reference.

### DHS: Cyber Resilience Review
[*] https://en.wikipedia.org/wiki/Cyber_Resilience_Review
* The Cyber Resilience Review (CRR) is an assessment method developed by the United States Department of Homeland Security (DHS).

That sounds good until you look at https://www.us-cert.gov/ccubedvp/assessments then download https://www.us-cert.gov/sites/default/files/c3vp/csc-crr-self-assessment-package.pdf and realize: WOW!!! This is a PDF that executes things! That sounds just ironically and AMAZINGLY insecure! And it's Adobe garbage!

No.  Just no.


NIST ITL 800-series
-------------------
[*] https://www.nist.gov/itl/nist-special-publication-800-series-general-information
	[*] Content free as far as I can tell
	[*] But it kind of points to the NIST framework above
[*] 193 records: https://csrc.nist.gov/publications/sp


### NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
[*] https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
* NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security.
	* http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
* Security and Privacy Controls for Federal Information Systems and Organizations
		* http://dx.doi.org/10.6028/NIST.SP.800-53r4
		* 462 pages!


ITIL
----
[*] https://en.wikipedia.org/wiki/ITIL
* After the initial publication in 1989–96, the number of books quickly grew within ITIL Version 1 to more than 30 volumes.
...
* Changes and characteristics of the 2011 edition of ITIL. A summary of changes has been published by the UK Government. In line with the 2007 edition, the 2011 edition consists of five core publications...

30 books!?  OK, down to 5 books now?  Ummmm, no.


ISO/IEC_20000
-------------
[*] https://en.wikipedia.org/wiki/ISO/IEC_20000
	[*] Mostly content free, but basically ITIL


ISO/IEC_27001
-------------
[*] https://en.wikipedia.org/wiki/ISO/IEC_27001
	* AKA BS 7799, etc.
* I've worked with this one before, I could make it work, but I like the NIST one better.


ISACA COBIT: Control Objectives for Information and Related Technologies
------------------------------------------------------------------------
[*] Cheat sheet: http://miroslawdabrowski.com/downloads/COBIT5/COBIT%205%20-%20Cheatsheet%20%5Bv1.0,%20Minimarisk%5D.pdf
[*] https://en.wikipedia.org/wiki/COBIT
* COBIT is a more generic superset of "more detailed IT standards and good practices such as COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK" so that's even less applicable for us.


The Common Criteria for Information Technology Security Evaluation
------------------------------------------------------------------
[*] https://en.wikipedia.org/wiki/Common_Criteria
* I can argue it either way but I'm leaning to not applicable to my use case.
* I've worked with this one before, I could make it work, but I like the NIST one better.


Thanks again,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug