SOC-CMM forum
Follow-up of SOC-CMM assessments - Best practices - Printable Version

+- SOC-CMM forum (https://www.soc-cmm.com/forum)
+--- Thread: Follow-up of SOC-CMM assessments - Best practices (/showthread.php?tid=12)

Follow-up of SOC-CMM assessments - Best practices - robvanos - 04-10-2019

I've often received questions on follow-up of assessments. The survey also revealed that more guidance for follow-up would be appreciated. The SOC-CMM can never provide tailored advice for improving your SOC. You will need to analyze the results to determine the exact next steps. However, I'd like to share some best practices regarding follow-up that I've used personally. These may overlap somewhat with the sheet that is already part of the SOC-CMM.

  1. Compare results to target levels to determine which areas require most improvement. The SOC-CMM output sheets should provide the desired insight into areas for improvement. The output sheet does not contain a drill-down function, so you should navigate to the appropriate sections to determine which elements affect the score the most. In the basic version, you only need to look at the scoring column. In the advanced version, you will need to look at the importance column as well (that is, if you've changed any values).
  2. Perform a root cause analysis. A root cause analysis will be required to find common causes obstructing growth of the SOC. These root causes can be addressed to improve in multiple aspects at once.
  3. Determine a path for improvement. There are many factors that contribute to this path, but some of the most common factors are:
    A. Associated risk. Every aspect that needs to be improved carries some level of risk. Ask yourself the question: what happens if we do not invest in this aspect? Is there an immediate impact? For example, contractual agreements are not met, or security incidents are not properly handled. Or a long-term impact? Not having a charter may not cause immediate problems, but in the long run, it may obstruct growth of the SOC due to lack of management support. The risk can be used to prioritize improvements. Use a MoSCoW method (Must haves, Should haves, Could haves, Won't haves) to further structure this analysis.
    B. Ease of improvement. Complexity could be caused by dependence on other teams or departments within the organization. Complexity can also be caused by internal politics and lack of management support or budget. By focusing on low-hanging fruit, quick wins can be made.
    C. Interdependency. Some improvements may depend on each other, so there is a natural order in which they should be addressed.
    D. Same or similar root cause. Improving the SOC by addressing root causes will likely have a positive effect across multiple domains and thus contribute greatly to improvement. Use the output from the root cause analysis from step 2.
  4. Define a formal (improvement) track or project. With many things that need to be improved, it is wise to create a project or program for monitoring progress and success. This track could be monitored from within the SOC or by a project manager outside the SOC. The size of the improvement program and the organizational culture determine which is best suited.
  5. Follow up with a new assessment to measure and show progress. Note that this also requires taking notes during the assessments, especially for those parts of the assessment that raised a lot of discussion regarding interpretation. Otherwise, different questions may be interpreted differently in the second assessment.
Following these 5 steps should help you to get to the next step in your SOC's maturity.

If anyone has other best practices to share, please do so.
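Steps 1 and 3 of the post (compare results to target levels, then order the improvements by risk, ease and interdependency) lend themselves to a small script. The following is an added example and is not part of the post or of the SOC-CMM tool itself; every aspect name, score, target, MoSCoW class, ease rating and dependency in it is a constructed sample value, not data from a real assessment. It also handles one edge case the post implies: an improvement may depend on an aspect that is already at target, which must not block the path.

```python
"""Gap analysis and prioritisation of SOC-CMM follow-up actions.

Constructed example: every aspect name, score, target, MoSCoW class,
ease rating and dependency below is made up for illustration.
"""

# SOC-CMM maturity levels run from 0 (non-existent) to 5 (optimising).
# aspect -> (assessed score, target level); constructed sample values.
RESULTS = {
    "Business.Charter": (1.0, 3.0),
    "People.Training": (2.5, 3.0),
    "Process.Incident management": (2.0, 3.5),
    "Process.Use case management": (1.5, 3.0),
    "Technology.SIEM": (3.0, 3.0),          # already at target
    "Services.Security monitoring": (2.0, 3.5),
}

# Step 3A: risk of not investing, expressed as a MoSCoW class (constructed).
MOSCOW = {
    "Business.Charter": "should",
    "People.Training": "could",
    "Process.Incident management": "must",
    "Process.Use case management": "must",
    "Services.Security monitoring": "must",
}
MOSCOW_WEIGHT = {"must": 3, "should": 2, "could": 1, "won't": 0}

# Step 3B: ease of improvement, 1 = quick win ... 3 = needs other
# departments, budget or management support (constructed).
EASE = {
    "Business.Charter": 2,
    "People.Training": 1,
    "Process.Incident management": 2,
    "Process.Use case management": 1,
    "Services.Security monitoring": 3,
}

# Step 3C: interdependency, aspect -> aspects to address first (constructed).
DEPENDS_ON = {
    "Process.Incident management": ["Business.Charter"],
    "Services.Security monitoring": ["Process.Use case management",
                                     "Technology.SIEM"],
}


def gap_analysis(results):
    """Step 1: aspects below their target level, largest gap first."""
    gaps = [(name, round(target - score, 2))
            for name, (score, target) in results.items() if target > score]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def priority_scores(gaps, moscow, ease):
    """Step 3A/3B: score = gap * MoSCoW weight / ease; higher means sooner."""
    return {name: gap * MOSCOW_WEIGHT[moscow[name]] / ease[name]
            for name, gap in gaps}


def improvement_path(scores, depends_on):
    """Step 3C: order actions so prerequisites come first (Kahn's
    algorithm), picking the highest-scoring unblocked action each round.
    A dependency on an aspect that is not in `scores` (already at target)
    counts as satisfied. Raises ValueError on a circular dependency."""
    remaining = set(scores)
    done = []
    while remaining:
        ready = [n for n in remaining
                 if all(d in done or d not in scores
                        for d in depends_on.get(n, ()))]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        nxt = max(ready, key=lambda n: (scores[n], n))
        done.append(nxt)
        remaining.remove(nxt)
    return done


if __name__ == "__main__":
    gaps = gap_analysis(RESULTS)
    scores = priority_scores(gaps, MOSCOW, EASE)
    for step, name in enumerate(improvement_path(scores, DEPENDS_ON), 1):
        print(f"{step}. {name:32s} gap={dict(gaps)[name]:.1f} "
              f"priority={scores[name]:.2f}")
```

The weighting (gap times MoSCoW weight, divided by ease) is only one way to combine the post's factors; the point is that risk and ease are scored separately and dependencies are resolved last, so a quick win never jumps ahead of something it depends on.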