Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Frank Cassano

Assessing your Organization’s Network Perimeter (pt. 3)

if the processes they have described are documented and if they use any supporting documentation. These conversations should be documented. Once you have completed these conversations, compare the responses to the formal documentation to determine whether the processes in use are effective and whether they are properly documented. Before actually reviewing processes, you should first understand the fundamentals. For a network perimeter program there are four key categories of processes that need to be in place:

  1. Policy development and support processes
  2. Implementation processes
  3. Maintenance processes
  4. Retirement processes

All of these processes must meet certain key fundamental requirements:

  1. They must operate within a lifecycle. Each process must therefore be formally approved and have a set review-by date. Review-by dates can range from 6 months to 3 years, depending on how dynamic the writer feels the material is. Upon review, the process may be validated, updated, or retired.
  2. They must each have a defined custodian. The custodian of the process is responsible for overseeing the process review cycle, reporting on results, and confirming the actions recommended by the owner.
  3. They must have defined owners. The owners of the processes are responsible for maintaining them and ensuring that they are executed properly. The owners are also responsible for reviewing the processes and providing recommendations to the custodian as to their status.
  4. They must have defined operators. The operator of a process is responsible for executing it and for ensuring that it is executed properly. The operators are also responsible for identifying any operational weaknesses they observe in the process due to poor design or age.
  5. They must be fully documented. In many, many, many instances there are the documented processes and then the processes that are actually used. Make sure you can distinguish between the two during your review and provide guidance as necessary to correct them.
  6. They must have appropriate training material where necessary to convey the correct execution of the process. Training is often spotty and poorly documented. Carefully consider what is in place, what is documented, and what should be in place.
  7. They must have appropriate metrics and reporting to ensure that the process is operating effectively, as well as guidance on correcting any issues observed.

In addition to the key fundamental requirements needed by all processes (which we have just listed), there are additional elements needed for each of the key categories, which I have outlined below.
