SOC-CMM forum

Full Version: SOC-CMM: Business Domain - Charter
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Can anyone help me better understand the expectation of 3.2.7 Accountability under the Business Domain - Charter? The remarks state "Accountability for the SOC for actions taken". What would you expect a Charter to include regarding "Accountability"? A simple statement on who is ultimately accountable for the SOC (e.g. CISO)? A RACI matrix that defines responsibility and accountability for the various services provided by the SOC?

Thanks in advance. First time working through the SOC-CMM and just looking for input from others.
Hi,

What is meant with 'accountability' is that you are aware as a SOC (or SOC manager) what you can be held accountable for. A RACI matrix is a great way to define and explain your responsibilities and accountability, especially compare to other teams.

For example: the SOC may be responsible for vulnerability scanning and may be held accountable for time scanning and providing reports and advisores to the organisation. However, follow-up (remediation: patching or applying configuration changes) is actually the responsibility of operational teams within the organisation (and they can be held accountable for timely remediation).

Regards,
Rob.
Additionally, one can think of SOC's Charter as a Mandate from "above", which is represented by a Responsibility (what they are tasked to take care of/ to do/to be accounted for), and an Authority (what they are allowed/authorised to do).

Sometimes there might be a mismatch: accountability is bigger than the authority required to fulfill the responsibilities, or resources provided are insufficient, thus there might be a conflict. Such situations happen from my experience most often due to lack of precise definitions/clarity in mandate / charter - or strategy/roadmap, how to get to the fulfilment/full coverage of Mandate/Charter (when resources are lacking).

I see objective of this part the SOC-CMM : to identify if this area is clear - that the Charter/Mandate is defined, understood, responsibilities - manageable - i.e. SOC is enabled.

Additional reading might be helpful - https://www.enisa.europa.eu/publications/how-to-set-up-csirt-and-soc (disclosure: I was part of the development team).

Regards,
Vilius Benetis