vPLfv
vPLfv
vPLfv
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
sion of the process?” and “Who performs the process?” The workflow descriptions included<br />
in our report list a fairly inclusive set of potential answers to each question. Therefore there<br />
are no real roles and responsibilities assigned to any one group in the workflow descriptions<br />
included here. When members of an organization would do such mappings themselves, they<br />
would streamline these descriptions to only include their particular arrangement or structure<br />
(i.e., the answers to the questions for their organization). When they were done mapping their<br />
current state, they would have a list of the processes and who was performing them. Accountability<br />
is very important to effective incident management.<br />
Using this organization-specific information, the process workflow for an organization will<br />
look different from our generic workflow shown above in Figure 6. It will show the workflow<br />
or routes of the work and who is responsible for performing the work. This type of diagram<br />
is called a “swimlane” diagram. More information about swimlane diagrams can be<br />
found in Section 3, “Overview of Process Mapping.”<br />
To see an example of this mapping process and the resulting swimlane diagram, do the following:<br />
1. Look at the Detect Events workflow diagram on page 98 and its corresponding workflow<br />
description on page 100.<br />
2. An organization’s documentation of its own as-is process for Detect might result in the<br />
workflow description shown in Table 2. Notice that instead of the multitude of key people<br />
or technologies that are listed in the generic Detect Events workflow diagram, this<br />
table only includes the actors performing each subprocess and the technologies currently<br />
being used to perform the process for this example organization.<br />
3. When we actually map this process, knowing the responsible actors, we get the swimlane<br />
diagram depicted in Figure 8, which shows the workflow and associated actor. 22<br />
Once the as-is state is documented, and depending on the goal or outcome you are looking<br />
for in your process mapping work, you can benchmark your workflows against our best practice<br />
incident management process model to determine gaps and weaknesses. This is a traditional<br />
gap analysis. During this process, you would look for characteristics of the processes<br />
such as<br />
• missing or poorly defined handoffs<br />
• missing or poorly defined aspects of each process activity (e.g., no procedures in place or<br />
inadequate staff)<br />
• bottlenecks in the process<br />
• poorly defined activity flows (e.g., too much parallelism, too linear, too many handoffs)<br />
22<br />
Note that we only show the workflow description for Detect, but the swimlane diagram also includes<br />
the Triage and Respond processes. There would be a similar workflow description for Triage<br />
and Respond that would have been done, before the swimlane diagram was completed as<br />
shown here.<br />
CMU/SEI-2004-TR-015 29