SOC-CMM forum
SOC-CMM: Business Domain - Charter - Printable Version

+- SOC-CMM forum (https://www.soc-cmm.com/forum)
+-- Forum: SOC-CMM (https://www.soc-cmm.com/forum/forumdisplay.php?fid=1)
+--- Forum: SOC-CMM community forum (https://www.soc-cmm.com/forum/forumdisplay.php?fid=2)
+--- Thread: SOC-CMM: Business Domain - Charter (/showthread.php?tid=1229)



SOC-CMM: Business Domain - Charter - cgergen - 02-17-2022

Can anyone help me better understand the expectation of 3.2.7 Accountability under the Business Domain - Charter? The remarks state "Accountability for the SOC for actions taken". What would you expect a Charter to include regarding "Accountability"? A simple statement on who is ultimately accountable for the SOC (e.g. CISO)? A RACI matrix that defines responsibility and accountability for the various services provided by the SOC?

Thanks in advance. First time working through the SOC-CMM and just looking for input from others.


RE: SOC-CMM: Business Domain - Charter - robvanos - 02-18-2022

Hi,

What is meant by 'accountability' is that you are aware as a SOC (or SOC manager) of what you can be held accountable for. A RACI matrix is a great way to define and explain your responsibilities and accountability, especially compared to other teams.

For example: the SOC may be responsible for vulnerability scanning and may be held accountable for timely scanning and for providing reports and advisories to the organisation. However, follow-up (remediation: patching or applying configuration changes) is actually the responsibility of operational teams within the organisation (and they can be held accountable for timely remediation).

Regards,
Rob.


RE: SOC-CMM: Business Domain - Charter - ViliusBenetis - 02-21-2022

Additionally, one can think of the SOC's Charter as a Mandate from "above", which is represented by a Responsibility (what they are tasked to take care of / to do / to be accountable for) and an Authority (what they are allowed/authorised to do).

Sometimes there might be a mismatch: accountability is bigger than the authority required to fulfil the responsibilities, or the resources provided are insufficient, so there might be a conflict. In my experience, such situations happen most often due to a lack of precise definitions/clarity in the mandate/charter, or in the strategy/roadmap for how to get to the fulfilment/full coverage of the Mandate/Charter (when resources are lacking).

I see the objective of this part of the SOC-CMM as identifying whether this area is clear: that the Charter/Mandate is defined and understood, and that responsibilities are manageable, i.e. the SOC is enabled.

Additional reading might be helpful - https://www.enisa.europa.eu/publications/how-to-set-up-csirt-and-soc (disclosure: I was part of the development team).

Regards,
Vilius Benetis