Back to all activities

Process Mapping

Summary

This activity helps to identify the processes that allow the organization to function (publishing articles, payments, communicating with sources, field work etc) the assets and systems (websites, software, PayPal accounts) they rely on, and which ones are critical to their work.

Participating organization/s are asked to "brain-storm" a list of all the processes that are critical for their work and the auditor works to map the details of critical processes out to expose points of risk.

If done correctly, process mapping can help the auditor - Identify risk exposure - Communication issues and effective incident response - Identify what are affected (people, systems, technologies) - Identify areas of improvement in securing organization's process - Generate a mitigation/solution plan for missing security controls - Show the importance of digital security to staff, management team and stakeholders

Considerations

    This activity contains significant information about the internal process of an organization, and requires proper documentation and secure handling. If this information is leaked, it will expose the organization's process weaknesses. If destroyed without backup, will require you to redo all the steps and activities you have done in the past wasting precious time.

    • Treat device assessment data as well as any additional service information learned with the utmost security
    • Ensure that any physical notes/drawings are erased and destroyed (throughoughly shredded/burnt papers, and whiteboards/blackbroads erased with alcohol/water) once backed up digitally.
    • Ensure that any digital recordings of this process are kept secure, encrypted, and backed up
    • Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.
    • For high-risk organizations, or even among others, it is of best practice to keep digital devices such as mobile phones, laptops and computers turned off during the mapping activity. The use of camera, (not camera phones) is recommended. Mobile devices such as laptops and mobile phones if compromised can record audio, and capture videos.

Walkthrough

    • List all organizational processes: The goal of this exercise is for the auditor to lead the host participants in "brain-storming" a list of all the processes the organization takes part in to carry out their work. It is important to remember this is a brainstorming session of all of the processes that occur in the organization. To get started, the auditor may find it useful to give the participants a few examples such as:

      • Research gathering and source management
      • Editing / Publishing
      • Outreach and advocacy
      • Paying Staff
      • Managing grants or other funding
    • Determine critical processes: During this exercise the aim is for the auditor to lead the attendees in narrowing down the subset of activities to those that are crucial to their work. Once the participants have brainstormed these out the facilitator leads the participants in identifying critical processes (this may be all of the processes identified).

      • Quickly identify the main purpose of the organization.
      • Once a complete list has been created, the auditor will then go through through to identify with the participants the critical processes within the organization – that is, without these processes the organization would not be able to function or function at a very poor level, or would not fulfill its mission

    NOTE: If an auditor does not ensure that the uniquely identified subset of processes speaks to the full range of participants, their recommendations are more likely to be met with resistance.

    • Map out critical processes: In this exercises the auditor does free-hand drawing (ideally on a whiteboard to allow for easy changes) mapping for each process guided by the host participants. The auditor needs to make sure that they work to develop a broad understanding of the overall process. This is a time consuming activity, and managing their overall time to complete the entire needs assessment, and respect the time constraints of the staff, is critical.

      • Clearly identify the process name on the whiteboard or flipchart
      • Have your participants explain to you what the process is step-by-step, while making a note on the side where there will be follow on processes.
      • Keep it simple to facilitate broad understanding of the OVERALL process. Too much detail early on can be overwhelming and/or lead to confusion. If you agree that more detail is required on a particular action, it is easy to highlight that box and produce a separate chart showing the process taking place within.

        • Take quick notes to remind yourself of any key points not clearly marked on the map before they move on to the next activity.
      • Keep track of participant engagement and reactions in case there are edge cases you may need to follow up on individually afterwards.

        • After completing all the key events take a photo of the whiteboard / store the chart-paper for later documentation.

    While doing this it is important to consider level of detail you will be mapping out (this should be pre-determined or established so everyone is on the same page). You will generally want to capture:

    • The people involved;
    • The tasks, conversations, and decisions they carry out;
    • The flow of materials, information and documents between them;
    • How the actions take place (email, calls, travel)
    • The relationship and dependance between the steps.
    • Actual processes, not idealized ones
    • Identify points of failure: Begin to ask questions of how or why a particular process or step could be problematic or risky. Depending on the organization, you may want to do this as only mental notes to yourself or as a more interactive discussion. The goal is to improve the organization's understanding of their own processes and the risks they include.

Recommendation

    Process mapping is simply documenting the steps in a certain process or simply an inventory of why you do the things that you do. It is your job as an auditor to map the organization's existing process in order to achieve sound judgement in providing digital security recommendation or solution.

    This activity can sometimes lead to hopelessness, or challenge; it is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.