The roles and responsibilities of the Security Operations Centre (SOC)
In simple terms, the role of the SOC is to protect the IT infrastructure and the data held on it.
That is much easier to say than to do. To understand what it involves, we first consider the role of the SOC in more detail, then the people in the SOC, and finally the processes and procedures a SOC needs in order to function properly.
As we will discuss later, the exact roles and responsibilities will be determined by the size of the organisation involved. However, most SOCs hold the following key responsibilities:
Security monitoring
This is one of the core responsibilities of the SOC, although it is now often subsumed into security information and event management. Here, the SOC is responsible for monitoring every security-relevant aspect of the IT estate. There can be a large degree of overlap with other parts of the organisation: monitoring will interface with physical security, which is commonly looked after by a different team, and it may overlap with the IT operations team, particularly on questions of availability, which can be the responsibility of both the SOC and the operations team.
Security incident response
In many ways, this is the main reactive job of the SOC. Incident response means detecting security incidents and responding to them in a timely fashion. For those of you who continue on the MSc Cyber Security degree, we will discuss this in more detail later in the programme.
Security Information and Event Management (SIEM)
SIEM takes ideas from IT service management (ITSM) and applies them to the management of security-related data. This data can take the form of event information obtained from monitoring, but it also includes other security information such as the existing controls, configuration item details, threat intelligence, security knowledge bases and similar material.
Threat intelligence
An increasingly common part of the SOC's role is to respond to potential threats before they materialise. To do this, the SOC needs to gather threat intelligence that can guide its actions. This can take many forms and draw on a range of sources, such as social media, warnings from Computer Emergency Response Teams (CERTs), vendor briefings, observations from our own systems, and so on. This responsibility is often only undertaken by larger SOCs and may be outsourced. For example, in the UK the national CERT function is provided by the National Cyber Security Centre (NCSC).
Information risk management
The SOC may take on responsibility for information risk management, in which case it is responsible for quantifying the amount of information security risk the organisation is exposed to and for specifying the controls that manage that risk. Risk management will often be done in conjunction with the operations team and will normally be based on a standard such as ISO/IEC 27005 (BSI 2018).
Information assurance (IA)
Once we have assessed the risk and identified the controls that are needed, we need to make sure that the controls are actually implemented and effective. This is information assurance (IA), and if a SOC is responsible for information risk management, it will normally be responsible for IA as well. The UK Cabinet Office defines IA as 'the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users' (UK Cabinet Office 2011). On that definition, IA can be thought of as a superset of information security: it covers any risk to the availability and correct functioning of systems, such as hardware failure or operator error, not only risks arising from malicious action.
Information security compliance
Information security compliance is concerned with the degree to which the organisation complies with external regulation and its own internal policies. The external regulation is often legal (eg GDPR, the Computer Misuse Act), but it may also take the form of sector standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which organisations must adhere to in order to process card payment data.
IT security governance
Until recently, governance was seen purely as a board-level activity. While it is true that governance remains primarily a board responsibility, current best-practice approaches encourage governance to be embedded at all levels and allow specialist parts of the organisation to handle the appropriate parts of the governance process. For IT governance, it is therefore logical for the SOC to advise on, or take the lead in, aspects of IT security governance.
The SOC will often perform other roles relating to security in addition to the ones listed above; however, those will be largely determined by the organisational context in which the SOC operates.
Which of the tasks and responsibilities described above do you think would be most important for Ethos? There is no single right or wrong answer to this, so remember to justify your opinion.
BSI (2018) ISO/IEC 27005:2018 Information Technology. Security Techniques. Information Security Risk Management. [online] available from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030372032 [30 July 2019]
UK Cabinet Office (2011) HMG Security Policy Framework. London: The Stationery Office
© Coventry University. CC BY-NC 4.0