A couple of typical scenarios that we face:
1. Our key technical SME does not want to get involved in the documentation or process-building part and wants to remain involved in technical work only, and we allow this by taking it for granted. The SME and the lead perceive documentation as a substandard task, so it is passed on to someone who is not directly involved in the execution of the process.
2. We become so busy in our work that we forget to document important processes, risks, Minutes of Meetings, etc.
3. We do create some documents, but only for the sake of compliance; in reality, if we look inside, we find the material is generally not usable or not the latest.
Let us try to address how we may add value to a project with documentation:
Foremost, we need to understand why we require technical documentation or a process. It is required to assure that whatever we do, we have an established process to support it, and also to ensure that our work doesn’t take a hit if our SME suddenly disappears, taking along all the inherent and acquired knowledge about the work he/she was executing. Our approach has to be process-centric and not person-centric, and this will solve our technical documentation related issues. A person moves, the process remains.
Involving the technical SME in documentation is required because he/she is the one who understands the product/technology well and is well placed to put it on paper. SME involvement will also consume less documentation time than involving a non-SME and getting the result reviewed by the SME, which results in multiple review iterations and loss of time. Plus, we may not end up skipping some very small but important tasks that the SME performs but might forget to mention when explaining things to other documentation personnel. What will our SME get out of it? Well, as one climbs the ladder of the management chain, one will realize the importance of documentation skills at that stage and may not feel handicapped when executing one’s part.
Apart from the technical material, what other documentation may we require? Well, we hold business meetings and take some important decisions, but we fail to make minutes of meetings (MoM). We find issues in our products and implementations. We do track these issues, but in emails, and we do not maintain a clear tracker for all of them. We highlight some risks to management, but at times end up doing it verbally and do not formally document them. We maintain checklists of various kinds to support process documentation, but we do not maintain their versions properly. These are all part of documentation, and at times not maintaining MoM or not documenting risks properly may lead to impacts such as the customer citing that you did not highlight the issue on time and thus invoking some kind of penalty clause. So the impact is severe, and the impact on your future prospects will be even more serious if such things happen.
One more thing: it’s not just about making a document but about making a good-quality document, so a quality check of any formal document you make is a must and must not be skipped.
But there is one more angle to our problem. I have seen personnel making every effort to create documents and update them on time, but are we ensuring that only the current version of any document/checklist is published to the user community at large? If not, our whole effort of creating and maintaining documentation is going to be futile.
Apart from the above, some good practices are an essential part of documentation: having the document reviewed by a similar SME or from a user perspective, classifying it appropriately, getting it approved and authorized and, as discussed earlier, maintaining it regularly and keeping it under version control.
Documentation is an important factor when we start taking care of the ‘availability’ aspect of information security.
Let us be secure by making appropriate, quality documentation, and not make documents just to be compliant.