In the spring of 2020, as organizations made a rapid shift to a remote workforce, their IT teams had to implement, update or alter deployment strategies to accommodate a new or expanded need.
As time went on, new routines, often involving remote or hybrid environments, were introduced. With organizations now reaching steady states, it’s time to take stock of these revised processes through an after-action review, or debriefing. This review will provide management with an opportunity to assess:
- The effectiveness of business continuity planning based on the results of the organization’s response during the pandemic;
- The agility of the organization’s IT infrastructure and support processes; and
- Any necessary updates to policies and processes based on demonstrated needs.
It may not be feasible for an organization to conduct reviews and make adjustments in every area immediately. But the review process should begin by covering three key areas: governance, infrastructure and monitoring.
Effective governance is critical to maintaining efficient operations, especially when an organization experiences a significant change in its processes. Management should consider these questions related to their governance approach and policies:
- Were key stakeholders identified to enable reporting to those charged with governance?
- Were policies and procedures amended to consider the shift in the workforce? Was the review and approval process followed to ensure updates were aligned with overall strategy?
- Are key performance indicators defined based on management’s business objectives, and were thresholds reevaluated based on current circumstances?
- Did IT department leadership have sufficient purchasing authority, for example to buy software or hardware as necessary?
In evaluating systems such as virtual private networks (VPNs), virtual applications and desktop solutions, these questions can help determine whether the organization’s infrastructure successfully handled the shift to remote working:
- Was the infrastructure in place sufficient to support additional remote users?
- Were internet service providers and any hosted systems able to provide enough bandwidth for users to connect to internal systems without latency issues?
- Were adequate licenses available to scale the remote workforce capacity based on expanded need? If not, was an assessment performed to establish a new baseline requirement and additional licenses purchased?
- Were there enough portable workstations available for employees to work remotely, or were there processes in place to allow them to use their own devices while retaining organizational control over connections?
- Were additional safeguards implemented for workstations that were intended to be used on the organization’s network, behind the organization’s firewalls, but had to be taken home and were no longer afforded the internal network’s protections?
- Were patching and update processes designed to handle workstations that only connect remotely? Do they address portable workstations’ firewalls and anti-virus?
- Is there a solution in place for remote end user support?
- Were the data loss prevention processes updated to allow enhanced collaboration among remote workers? Were those adjustments appropriate to safeguard sensitive organizational data?
- Did system changes and updates continue to follow the defined change management process?
IT teams maintain infrastructure and provide support, but management must maintain oversight of organizational processes and controls. To ensure sufficient monitoring and reporting so that key leadership can be notified about important changes, management should ask:
- Were reports on key metrics available to management to enable oversight?
- While system monitoring should have already been in place, were thresholds adjusted to maintain value-driven alerting?
- Were IT security personnel still able to review logs on a regular basis while working remotely? Did the logs appropriately capture pertinent information (i.e., connection source, destination, method, user) that would help in the event of a security incident?
An after-action review that includes these questions will go a long way towards evaluating IT operations and making any necessary adjustments in response to changes in operations. By addressing these key areas, organizations can evaluate the effectiveness of business continuity planning, and determine if IT infrastructure, policies and processes have sufficient flexibility for cost-effective operation during future events.
For more information about after-action reviews or other IT advisory services, contact us. We are here to help.
Authored by David Friedenberg, CISA, CRISC, CISSP, PCIP, QSA.