Whenever anything happens, good or bad, you should implement the lessons learned procedures. Learning from all successes and failures is vital to ensuring consistency of implementation, sound metrics, and proactive advancements through learned successes. There is a darker reason to have a well-documented and thorough lessons learned process as well, CYA (cover your assets). Lessons learned should have three main sections: the initial stage; the interim stage; and the final result.
the initial stage should indicate how things were before an event took place and what conditions permitted the event to transpire. The interim stage should detail the event and what actions or reactions were taken to assist the event’s promulgation (usually for positive events with an example being the optimization of script management) or what was done to curtail and remediate the event (usually a negative event such as an employee downloading ransomeware). The final stage should detail what actions ultimately ended the event and how the environment, operating conditions have changed as a result of the interim stage, and all changes that must be sustained moving forward. Of course details such as dates, times, system identifiers, and personnel identifiers (that do not include personally identifiable information) should be interlaced into the lessons learned as appropriate but the document should not be used to cast blame or subvert responsibility. Lessons learned should be a historical record of event based facts that highlight actions and not people. The weakest link of a chain is the one that claims the weakness was caused by another link and not the manufacturer; all team members have interlaced responsibilities just as all links on a chain are interlaced with other links. When lessons learned are performed properly they provide a historical record of the total team effort within a defined operating environment with defined conditions that are as objective as possible and there is no better way to CYA than having documented objective event-based truth (unless you think words like espionage and sabotage are sexy but in that case you probably shouldn’t remain part of the team very long). Lessons learned, a valuable tool when carried out properly.
ANTHKOAndrew Kosakowski’s Official Digital Presence