Sector 11 – Security Operations Centre

A Security Operations Centre (SOC) is a centralised unit within an organisation responsible for monitoring, detecting, and responding to security events in real time. The SOC continuously monitors the organisation’s networks, systems, and data to identify and mitigate cyber threats as they arise. The SOC’s primary function is to provide early detection of potential security incidents, coordinate responses to limit any damage, and ensure that appropriate measures are taken to protect sensitive data and business operations.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 11.1: Implement Basic Security Monitoring Tools

Does your enterprise use basic security monitoring tools to keep an eye on your systems and networks for any suspicious activities?
Example: Use free or affordable security tools like Windows Defender, Google Safe Browsing, or UTM (Unified Threat Management) devices to monitor your network and system activities.

Measure 11.2: Establish a Security Incident Response Process

Does your enterprise have a clear and simple process for responding to security incidents, including the identification, containment, and reporting of any issues?
Example: Create a documented response plan outlining steps to take when suspicious activity is detected, including who to contact and what actions to take to minimise damage.

Measure 11.3: Maintain Basic Security Alerts and Notifications

Does your enterprise set up basic alerts for potential security events, such as failed login attempts or unusual system behaviour?
Example: Enable automatic alerts on your firewall or antivirus software to notify administrators when suspicious activities are detected, such as multiple failed login attempts or unauthorised access attempts.

Measure 11.4: Perform Periodic Security Health Checks

Does your enterprise conduct periodic reviews or health checks of your network and systems to ensure that security protocols are working effectively?
Example: Regularly review your firewall settings, antivirus software, and basic network configurations to ensure they are up to date and functioning correctly.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 11.5: Set Up a Centralised Log Management System

Does your enterprise implement a centralised log management system to collect and monitor logs from multiple devices, servers, and applications?
Example: Use tools such as Splunk, SolarWinds, or ELK Stack to centralise logs and monitor for unusual or suspicious activity in real time across the enterprise network.
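One way to implement the failed-login alerting described in Measure 11.3 over logs collected centrally from several hosts as in Measure 11.5, as an added example that is not part of the certification scheme: the sample log lines, the threshold of five failures and the one-minute window are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines from two hosts, as a central log
# collector would receive them. Not taken from any real system.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[201]: Failed password for root from 198.51.100.7 port 4100 ssh2
2024-03-01T10:00:03 web01 sshd[202]: Failed password for admin from 198.51.100.7 port 4102 ssh2
2024-03-01T10:00:06 db01 sshd[310]: Failed password for root from 198.51.100.7 port 4105 ssh2
2024-03-01T10:00:09 db01 sshd[311]: Failed password for invalid user test from 198.51.100.7 port 4107 ssh2
2024-03-01T10:00:12 web01 sshd[203]: Failed password for root from 198.51.100.7 port 4110 ssh2
2024-03-01T10:05:00 web01 sshd[204]: Accepted password for alice from 203.0.113.5 port 5000 ssh2
2024-03-01T11:00:00 db01 sshd[312]: Failed password for alice from 203.0.113.5 port 5001 ssh2
"""

# Matches only failed-login records; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that produced at least `threshold`
    failed logins within a sliding `window`, counted across all hosts."""
    events = defaultdict(deque)   # src -> recent (timestamp, host) failures
    alerted = set()               # avoid re-alerting on the same source
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = events[src]
        q.append((ts, m["host"]))
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q),
                           "hosts": sorted({h for _, h in q}),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for a in failed_login_alerts(SAMPLE_LOGS):
        print("ALERT: %(count)d failed logins from %(src)s across %(hosts)s "
              "between %(first)s and %(last)s" % a)
```

Because failures are counted per source across hosts, a low-and-slow attempt spread over web01 and db01 still trips the alert, which a per-host antivirus or firewall rule alone would miss.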

Measure 11.6: Implement Intrusion Detection/Prevention Systems (IDS/IPS)

Does your enterprise use Intrusion Detection/Prevention Systems (IDS/IPS) to detect and block any attempts to exploit vulnerabilities or gain unauthorised access to your network?
Example: Set up an IDS/IPS system, such as Snort or Suricata, to monitor network traffic and identify potential threats in real time, enabling you to block malicious activity before it causes harm.

Measure 11.7: Develop an Incident Response Plan and Conduct Drills

Does your enterprise have a detailed incident response plan, and do you regularly conduct security incident response drills?
Example: Create a formal incident response plan that outlines the steps for managing cyber incidents, and run mock attack simulations to ensure staff are familiar with the response process.

Measure 11.8: Use Managed Security Services (MSS) for 24/7 Monitoring

Does your enterprise use Managed Security Service Providers (MSSPs) to ensure round-the-clock security monitoring and support?
Example: Partner with an MSSP to provide continuous security monitoring, 24/7 threat detection, and incident response services for your enterprise.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 11.9: Establish a Fully Operational Security Operations Centre

Does your enterprise have a fully staffed and operational Security Operations Centre (SOC) that provides continuous monitoring, detection, and response to security threats?
Example: Set up an in-house SOC or partner with a third-party provider to deliver around-the-clock monitoring, threat detection, and incident response capabilities for your enterprise.

Measure 11.10: Implement Advanced Threat Intelligence Feeds

Does your enterprise utilise advanced threat intelligence feeds to proactively identify emerging threats and integrate them into your SOC’s monitoring?
Example: Subscribe to threat intelligence providers like FireEye, CrowdStrike, or ThreatConnect to receive real-time information about emerging threats, helping your SOC stay ahead of potential cyberattacks.

Measure 11.11: Conduct Comprehensive Security Incident Post-Mortems

Does your enterprise conduct thorough analyses following security incidents to identify lessons learned and improve response procedures?
Example: After any major incident, hold a post-incident review to examine the event’s timeline, response effectiveness, and identify improvements in processes, tools, or training for future incidents.

Measure 11.12: Implement Security Automation and Orchestration (SOAR)

Does your enterprise integrate security automation and orchestration tools (SOAR) to speed up incident detection, response, and mitigation?
Example: Use SOAR platforms like Cortex XSOAR or Splunk Phantom to automate the response to routine security incidents, enabling quicker and more efficient threat mitigation.

Measure 11.13: Perform Continuous Threat Hunting

Does your enterprise actively hunt for hidden threats in your environment using proactive threat-hunting techniques?
Example: Assign dedicated threat hunters within your SOC who use advanced tools and techniques to search for indicators of compromise (IOCs) and potential threats that may have bypassed traditional detection methods.

———————————————————————————————————