I am currently working on a project for a client, and I am using this amazing framework to improve their capabilities. I have a doubt regarding CMMI levels that I don't fully understand: why do these levels appear only in the Services section (1-Security Monitoring, 2-Security Incident Management, 3-Security Analysis & Forensics ...) from scratch, and what is their purpose? I mean, I know that it is explained in the Introduction section, but apart from that, they appear in a blank document before I start covering it, and they don't change if I modify some values; it is like they don't change their value unless I manually modify them.
Moreover, why do they go in a gradient format? Let me explain myself: for example, in Security Monitoring (point number 1.2.1 (Key performance indicators)) it starts from CMMI level 2 and it finishes at point number 1.2.11 (service roles & responsibilities) at CMM level 3. Does it mean I can modify it myself, or is it just a reference value?
Could anyone explain that to me? I would really appreciate it!
Hi Rob,
Firstly, well done for your amazing job.
Just wondering if you have any training guide for SOC-CMM tool assessors? (An end-to-end flow of how assessors can use the spreadsheet.)
If you wish to support the SOC-CMM, there are a number of ways to do so:
1. Obtain a license. There is a license option (license only) that is specifically meant for this purpose. License options can be viewed in the SOC-CMM site license section: SOC-CMM - License & Support
2. Contribute ideas or improvements to the SOC-CMM. For example by sharing your own modifications to the SOC-CMM, contributing ideas for improvement or beta-testing a new release.
3. Share assessment results. Sharing assessment results helps the SOC-CMM to create a benchmark, find common issues between SOCs and aid the creation of a SOC maturity landscape report. The template for sharing results can be found in the downloads section of the SOC-CMM site: SOC-CMM - Downloads
Does anyone know of any research that attempts to answer questions like these: In general, do organizations with mature SOC practices have better security and experience fewer incidents?
Can anyone help me better understand the expectation of 3.2.7 Accountability under the Business Domain - Charter? The remarks state "Accountability for the SOC for actions taken". What would you expect a Charter to include regarding "Accountability"? A simple statement on who is ultimately accountable for the SOC (e.g. CISO)? A RACI matrix that defines responsibility and accountability for the various services provided by the SOC?
Thanks in advance. First time working through the SOC-CMM and just looking for input from others.
Greetings, have any members of this forum used the SOC-CMM model to perform an assessment on public/government entities (internationally) and are willing to share the overall maturity scores [anonymously of course]?
One of our clients has used this and is keen to compare itself with other peers in terms of maturity.
Additionally, it would be good to know the community's thoughts on the best way to increase the maturity levels gradually.
It’s been 5 years since the initial release of the SOC-CMM. In the past 5 years, the SOC-CMM has evolved from a thesis project to a fully featured self-assessment for Security Operations Centers. The SOC-CMM has found its way into SOCs all around the world, helping security teams mature and professionalize their security operations globally.
Today, I’m happy to announce a new beta release of the SOC-CMM. This release features many enhancements that were introduced in the SOC-CMM4CERT. New elements have also been introduced, mainly in the process domain. With these additions, the SOC-CMM now features MITRE ATT&CK, visibility, detection engineering, adversary emulation and automated defence testing. There are still many more improvements and changes that I initially envisioned for this version, but development takes a lot of time and effort.
If you come across any issues, please let me know, preferably through a reply to the post. I’m planning to finalise the product based on your feedback for an official release by the end of this year.
Hello Rob and all the community,
Many thanks for your work and your powerful publications in the field of SOC. I have a question about SOC-CMM. How to determine the target? You indicate that it is based on ambitions and that it is optional. Is this based on a feeling, an estimation from the SOC manager? I'm having trouble figuring out how to set it.