Security Operations Center Guidebook: A Practical Guide for a Successful SOC
Ebook, 431 pages, 8 hours


About this ebook

Security Operations Center Guidebook: A Practical Guide for a Successful SOC provides everything security professionals need to create and operate a world-class Security Operations Center. It starts by helping professionals build a successful business case using financial, operational, and regulatory requirements to support the creation and operation of an SOC.  It then delves into the policies and procedures necessary to run an effective SOC and explains how to gather the necessary metrics to persuade upper management that a company’s SOC is providing value.

This comprehensive text also covers more advanced topics, such as the most common Underwriter Laboratory (UL) listings that can be acquired, how and why they can help a company, and what additional activities and services an SOC can provide to maximize value to a company.

  • Helps security professionals build a successful business case for a Security Operations Center, including information on the necessary financial, operational, and regulatory requirements
  • Includes the required procedures, policies, and metrics to consider
  • Addresses the often opposing objectives between the security department and the rest of the business with regard to security investments
  • Features objectives, case studies, checklists, and samples where applicable
Language: English
Release date: May 17, 2017
ISBN: 9780128036822
Author

Gregory Jarpey

Gregory Jarpey works for Orbital ATK as the Security Operations Manager for Corporate Security. He has more than 20 years of security experience, starting in the United States Army as an Infantryman. Greg holds a Bachelor’s degree in Business Management and received his PSP (Physical Security Professional) certification from ASIS in 2004. Greg has more than 15 years of experience managing a Underwriter Laboratories (UL) certified Security Operations Center, as a contractor for Xcel Energy and at Orbital ATK. Greg is a member of and contributor to the ASIS Protection of Assets manuals released in 2012. He hosted a local ASIS chapter meeting in 2010 by conducting a round table about SOCs.


    Book preview

    Security Operations Center Guidebook - Gregory Jarpey

    Part I

    Developing Your Security Operations Center

    Outline

    Chapter 1 What is a Security Operations Center?

    Chapter 2 Needs Assessment

    Chapter 3 Business Case

    Chapter 4 Building Your SOC

    Chapter 5 Staffing Options

    Chapter 1

    What is a Security Operations Center?

    Abstract

    While many of you who currently have a security operations center of one kind or another may be tempted to skip ahead, confident that your current incarnation is sufficient for your needs, we encourage you to take additional time and walk through these first chapters and challenge your assumptions. You may, for instance, be convinced that since you already have a facility that you can focus on operations and improvement. From hard experience, we’ve learned that a business case is not done once approval for a project or function is in place. As your company evolves through acquisition and change in leadership, you will need to justify all that you do and in some cases change those functions to better fit your new environment. In some cases this will require a downsizing, but expansion is also likely. Regardless, the answer can only be discovered if you challenge your assumptions and evaluate the new environment as if you had just taken over the security leadership role.

    Keywords

    Security leadership; corporate security; card access system; deck-to-deck walls; alarm monitoring; monitoring screens

    When you hear the term security operations center (SOC), a picture will form in your mind, likely the picture of the first SOC you had experience with or the one you worked with the longest. Like companies, no two SOCs are the same. There are an infinite number of variations, but for our purposes we will focus on the most common delineations.

    From an employee perspective, your SOC should be what they think about whenever they think about physical security, just as the help desk is what most employees think about when they have information technology (IT) issues. You aren’t just building a room full of equipment; you are building an easily identifiable entity for all things security in your company. Lost a badge? Call the SOC. See something suspicious? Call the SOC. Have something stolen? You get the idea. The phone number should be easy to remember and be posted in many different places. Have it printed on the back of your badges or on a second card that goes with the badge. Put it on the home page of your company’s internal website. Put stickers on the phones. Do whatever it takes to get the word out and whatever works at your company. It may take a few years to become most people’s first thought when a security issue occurs, but be persistent and creative and you will get there.

    The first SOC we ever built was at an electric and gas utility. There was a room already built with CCTV monitors, workstations, an alarm receiver, and the server running the card access system. It had one person per shift sitting in it, but this was not a SOC. The room and equipment don’t make it a SOC; it’s the people, processes, procedures, and most importantly, the awareness of its existence. A SOC must be useful to be used, and that takes time in order to build trust and prove competency.

    It took a couple of years and a successful business case to get the funding to make that room into the SOC that the company needed. By 2007, most employees had no idea that there was a security department other than the SOC. Frankly, they had no reason to know that there was still a group that conducted risk assessments, investigations, and other corporate security tasks. In fact, we prefer to delineate between physical security and corporate security functions. The SOC is firmly on the physical security side, which is basically guards and gates. Corporate security, to which the SOC reports, deals with policy, regulatory compliance, risk assessments, and investigations.

    A SOC can be as small as a reception desk that is staffed only during business hours, or it can be a combination of multiple physical locations with dozens of staff working 24/7/365, and in physical or virtual locations all over the globe. It can be staffed by employees and located only on company property, or entirely outsourced. To figure out what you need, at least from a starting point, you will need to complete a needs assessment that is covered in Chapter 2. A large part of that assessment will be figuring out what you want the SOC to do for your company.

    Most SOCs have, at a minimum, alarm monitoring for the building they reside in, plus cameras to verify alarms, to verify the identity of employees requesting access at a remote entry, and to support accident and theft investigations. For companies with one or more locations, the SOC is also a common place to manage the access control system (usually card-based) and often the place where badges are printed. Regardless of the number of locations, centralized control of the card access system and badge printing operation is the most cost-effective arrangement. Separating these out and having other groups perform those functions is dramatically more expensive and less secure than centralization, due to the redundancy in personnel and equipment. Speed is always a concern when on-boarding new staff, but even for a large company, photos can be taken at remote locations, printed off hours when call volumes are down, and shipped the next day by interoffice mail or courier. Temporary badges can be used for the few days it takes for the new badge to arrive.

    Beyond those more common security-related functions that make sense to combine, there are other less obvious activities a SOC can perform to assist the company, make it more user-friendly, or even help the company save money. One option is to make the SOC the 24/7 location where all material safety data sheets for the company are kept. The SOC number is distributed to all workers and posted throughout the buildings on the safety boards and as part of their site procedures, and if there is an accident involving chemicals, employees need only call the SOC to have the instructions read to them and even sent via smart phone to the appropriate party.

    A SOC is a great location to centralize all of the crisis communication for a corporation. Basically, for any function where a person can receive a call and take a series of prescribed actions without needing to make upper management-level decisions (because for many common occurrences, the response can be predetermined), the SOC can follow the procedure and take all of the actions listed. Call trees, documentation, alerting, testing, or whatever. Procedures, training, and documentation are the core strengths of any SOC. One company where we both worked had us take all employee-related vehicle accident reports, because again, the SOC is there 24/7, the number was selected to be easy to remember, and it was advertised in multiple locations and formats. For the employee-related car accidents, the safety department had a few thousand key chains made in the shape of a crashed car with the phone number of the SOC on them, so every company car would have one and everyone would know whom to call. These activities had to be performed by someone, and without a SOC, especially a 24/7 operation, there would be additional expense, usually with some third party who does not understand how your company works or who the proper personnel to contact are.

    Once you have decided what type of activities you want the SOC to perform, you need to decide what type of operation you need to support them. We’ve listed the three most common variations of a SOC: Third Party, Hybrid, and Dedicated. Based on the scope you created, the type of SOC you need should become evident. If not, then you will need to wait until you move on to the business case portion to determine what is the most cost-effective solution that still meets all your requirements.

    Third Party

    The configuration and staffing levels of an outsourced SOC are irrelevant, because you only need to focus on two things: the price you pay for the service and whether the outsourced provider meets your service level agreements (SLAs). This may be a good option for a smaller company that can’t reasonably fund its own dedicated facility. Likely this type of company is also not critical infrastructure and may not have many facilities. It is important to clearly define the SLAs to make sure you are getting the services you need in the time and at the quality you require. Contract negotiations are crucial, and if your company is too small to have a robust sourcing or legal department, make sure you get third-party assistance in procuring security services.

    It’s likely that the third party will have some connectivity to your facility if they are to provide access control, monitoring alarms, or viewing cameras, so make sure you have a third party conduct an IT security assessment to ensure that the provider is not introducing additional risk into your environment by having a poorly run IT security program.

    Hybrid

    A hybrid approach would consist of having dedicated staff for part of the day, but transferring over to a third-party SOC or central station after hours or over weekends and holidays. In some cases, the in-house staff may program access and issue badges, while leaving alarm and video monitoring to someone else outside of normal working hours. Whatever combination, a minimal amount of functionality is required for the in-house staff and it is best to have a dedicated work area for this function. Electronic and physical control of access and monitoring systems must be maintained in the off hours to ensure that there is no abuse or subversion of the systems. This dedicated space has minimal requirements, but if possible, a card reader and camera should be installed to control and monitor access as long as the walls extend from deck to deck, in case there is a need to conduct an investigation. If for whatever reason you can’t have deck-to-deck walls, you would also need some form of motion detector inside the SOC to ensure that no one has climbed over the wall to gain access.

    Dedicated

    In order to have a dedicated facility, there needs to be round-the-clock staffing, including weekends; otherwise you are sending your alarms to a third party and fall under the hybrid model. Regardless of whether the staff are employees or contractors, someone needs to be on site to monitor the alarms at all times. This is a constant expense, referred to by contract security companies as a 168: 24 hours a day by 7 days a week, including holidays. This can be difficult to staff internally since, unless there is a larger onsite guard force, it will be hard to cover the post when people require vacation or sick days. Going to a purely dedicated internal model is a huge step in responsibility and expense for any company and should never be taken lightly. One way to mitigate this is to use contract security staff and require in the contract that the post always be staffed. The contract company will have a larger pool of people to call on to fill the post in those circumstances; however, this will require training multiple backups and putting up with degraded service. The SOC itself may be dedicated and run 24/7, but the staff can all be contract. There are pros and cons to contract and in-house security staff that we will discuss later; for now, we’re focused on the facility.

    With no reliance on an outside provider, the SOC should, at a minimum, be in a secured location with deck-to-deck walls and have a card reader and camera at the entrance. As with the hybrid option, if deck-to-deck walls can’t be installed, some form of motion alarm is required. With dedicated staff on site, it may seem as if these controls were not needed, but with only one person on staff, there will always be some need to leave the SOC for periods of time regardless of how short, be it for bathroom breaks, meals, or to respond to some form of
