<metaproperty="og:title"content="Different Roles - Spearhead Systems Incident Response Documentation"/>
<metaproperty="og:site_name"content="Spearhead Systems Incident Response Documentation"/>
<metaproperty="og:description"content="A collection of information about the Spearhead Systems incident response process. Not only how to prepare new employees for on-call responsibilities, but also how to handle major incidents, both in preparation and after-work."/>
<metaname="twitter:title"content="Different Roles - Spearhead Systems Incident Response Documentation"/>
<metaname="twitter:description"content="A collection of information about the Spearhead Systems incident response process. Not only how to prepare new employees for on-call responsibilities, but also how to handle major incidents, both in preparation and after-work."/>
<p>There are several roles for our incident response teams at Spearhead Systems. Certain roles only have one person per incident (e.g. support engineer), whereas other roles can have multiple people (e.g. Sysadmins, Solution Architects, etc.). It's all about coming together as a team, working the problem, and getting a solution quickly.</p>
<h3id="what-is-it">What is it?<aclass="headerlink"href="#what-is-it"title="Permanent link">#</a></h3>
<p>A Team Leader acts as the single source of truth of what is currently happening and what is going to happen during an major incident. They come in all shapes, sizes, and colors. TL's are also the key elements in a project (boards in DoIT).</p>
<h3id="why-have-one">Why have one?<aclass="headerlink"href="#why-have-one"title="Permanent link">#</a></h3>
<p>As any system grows in size and complexity, things break and cause incidents. The TL is needed to help drive major incidents to resolution by organizing his team towards a common goal.</p>
<h3id="what-are-the-responsibilities">What are the responsibilities?<aclass="headerlink"href="#what-are-the-responsibilities"title="Permanent link">#</a></h3>
<ol>
<li>Help prepare for projects and incidents,<ul>
<li>Setup communications channels.</li>
<li>Create the DoIT board(s) and other project planning related materials.</li>
<li>Funnel people to these communications channels.</li>
<li>Train team members on how to communicate and train other TL's.</li>
</ul>
</li>
<li>Drive incidents and projects to resolution,<ul>
<li>Get everyone on the same communication channel.</li>
<li>Collect information from team members for their services/area of ownership status.</li>
<li>Collect proposed repair actions, then recommend repair actions to be taken.</li>
<li>Delegate all repair actions, the TL is NOT a resolver.</li>
<li>Be the single authority on system status</li>
<li>Communicate directly with the customers and end-users<ul>
<li>not the engineers themselves!</li>
</ul>
</li>
</ul>
</li>
<li>Post Mortem,<ul>
<li>Creating the initial template right after the incident so people can put in their thoughts while fresh.</li>
<li>Assigning the post-mortem after the event is over, this can be done after the call.</li>
<li>Work with Managers/Support on scheduling preventive actions.</li>
</ul>
</li>
</ol>
<h3id="who-are-they">Who are they?<aclass="headerlink"href="#who-are-they"title="Permanent link">#</a></h3>
<p>Anyone on the TL on-call schedule. Trainees are typically on the TL Shadow schedule.</p>
<h3id="how-can-i-become-one">How can I become one?<aclass="headerlink"href="#how-can-i-become-one"title="Permanent link">#</a></h3>
<p>Take a look at our <ahref="../../training/incident_commander/">Team Leader training guide</a>.</p>
<p>A Sysadmin is a direct support role for the Team Leader. This is not a shadow where the person just observes, the Sysadmin is expected to perform important tasks during an incident.</p>
<p>It's important for the TL to focus on the problem at hand, rather than worrying about documenting the steps or monitoring timers. The Sysadmin helps to support the TL and keep them stay focussed on the incident.</p>
<h3id="what-are-the-responsibilities_1">What are the responsibilities?<aclass="headerlink"href="#what-are-the-responsibilities_1"title="Permanent link">#</a></h3>
<li>Bring up issues to the TL that may otherwise not be addressed (keeping an eye on timers that have been started, circling back around to missed items from a roll call, etc).</li>
<li>Be a "hot standby" TL, should the primary need to either transition to a SME, or otherwise have to step away from the TL role.</li>
<li>Page SME's or other on-call engineers as instructed by the Team Leader.</li>
<li>Manage the incident call, and be prepared to remove people from the call if instructed by the Team Leader.</li>
<li>Liaise with stakeholders and provide status updates on DoIT (using worklogs and comments), Slack and email/telefone as necessary.</li>
<p>Take a look at our <ahref="../../training/deputy/">Sysadmin training guide</a>. Sysadmins also need to be <ahref="../../training/incident_commander/">trained as an Team Leaders</a>.</p>
<h3id="what-is-it_2">What is it?<aclass="headerlink"href="#what-is-it_2"title="Permanent link">#</a></h3>
<p>A Scribe documents the timeline of an incident as it progresses, and makes sure all important decisions and data are captured for later review.</p>
<h3id="why-have-one_2">Why have one?<aclass="headerlink"href="#why-have-one_2"title="Permanent link">#</a></h3>
<p>The incident commander will need to focus on the problem at hand, and the subject matter experts will need to focus on resolving the incident. It is important to capture a timeline of events as they happen so that they can be reviewed during the post-mortem to determine how well we performed, and so we can accurate determine any additional impact that we might not have noticed at the time.</p>
<h3id="what-are-the-responsibilities_2">What are the responsibilities?<aclass="headerlink"href="#what-are-the-responsibilities_2"title="Permanent link">#</a></h3>
<p>The Scribe is expected to:</p>
<ol>
<li>Ensure the incident call is being recorded.</li>
<li>Note in Slack important data, events, and actions, as they happen. Specifically:<ul>
<li>Key actions as they are taken (Example: "prod-server-387723 is being restarted to attempt to remove the stuck lock")</li>
<li>Status reports when one is provided by the IC (Example: "We are in SEV-1, service A is currently not processing events due to a stuck lock, X is restarting the app stack, next checkin in 3 minutes")</li>
<li>Any key callouts either during the call or at the ending review (Example: "Note: (Bob B) We should have a better way to determine stuck locks.")</li>
</ul>
</li>
</ol>
<h3id="who-are-they_2">Who are they?<aclass="headerlink"href="#who-are-they_2"title="Permanent link">#</a></h3>
<p>Anyone can act as a scribe during an incident, and are chosen by the Incident Commander at the start of the call. Typically the Deputy will act as the Scribe, but that doesn't necessarily need to happen, and for larger incidents may not be possible.</p>
<h3id="how-can-i-become-one_2">How can I become one?<aclass="headerlink"href="#how-can-i-become-one_2"title="Permanent link">#</a></h3>
<p>Follow our <ahref="../../training/scribe/">Scribe training guide</a>, and then notify the Incident Commanders that you would like to be considered for scribing for the next incident.</p>
<p>A Subject Matter Expert (SME), sometimes called a "Resolver" or "Architect", is a domain expert or designated owner of a component or service that is part of the Spearhead Systems service delivery concept.</p>
<p>The TL and Sysadmins are not all-knowing super beings. When there is a problem with a service or a particular system, an expert in that service is needed to be able to quickly help identify and fix issues.</p>
<h3id="what-are-the-responsibilities_3">What are the responsibilities?<aclass="headerlink"href="#what-are-the-responsibilities_3"title="Permanent link">#</a></h3>
<ol>
<li>Being able to diagnose common problems with the service.</li>
<li>Being able to rapidly fix issues found during an incident.</li>
<li>Concise communication skills, specifically for CAN reports:<ul>
<li>Condition: What is the current state of the service? Is it healthy or not?</li>
<li>Actions: What actions need to be taken if the service is not in a healthy state?</li>
<li>Needs: What support does the resolver need to perform an action?</li>
</ul>
</li>
</ol>
<h3id="who-are-they_3">Who are they?<aclass="headerlink"href="#who-are-they_3"title="Permanent link">#</a></h3>
<p>Anyone who is considered a "domain expert" can act as a resolver for an incident. Typically the service's primary on-call will act as the SME for that service.</p>
<h3id="how-can-i-become-one_3">How can I become one?<aclass="headerlink"href="#how-can-i-become-one_3"title="Permanent link">#</a></h3>
<p>Take a look at our <ahref="../../training/subject_matter_expert/">Subject Matter Expert training guide</a>. You should also discuss with your team and service owner to determine what the requirements are for your particular service.</p>
<h3id="what-is-it_4">What is it?<aclass="headerlink"href="#what-is-it_4"title="Permanent link">#</a></h3>
<p>A person responsible for interacting with customers, either directly, or via our public communication channels. Typically a member of the Customer Support team.</p>
<h3id="why-have-one_4">Why have one?<aclass="headerlink"href="#why-have-one_4"title="Permanent link">#</a></h3>
<p>All of the other roles will be actively working on identifying the cause and resolving the issue, we need a role which is focused purely on the customer interaction side of things so that it can be done properly, with the due care and attention it needs.</p>
<h3id="what-are-the-responsibilities_4">What are the responsibilities?<aclass="headerlink"href="#what-are-the-responsibilities_4"title="Permanent link">#</a></h3>