Security Operations Center Design

Examining the key design elements in a successful SOC implementation


A key and often overlooked consideration is that the reliability of the SOC itself is a critical business continuity and disaster recovery issue. Thus, redundancy is a key design element — from strategic issues like establishing an alternate or fallback SOC location, to technical issues such as ensuring network equipment and communications redundancy.


Location

Although selecting a secure and safe site would seem to be obvious, few SOC design phases include an initial vulnerability assessment and final vulnerability review after build-out. There are many vulnerabilities that can disable SOC operations. Not all risks can be fully eliminated, but contingencies and fall-back modes can be established to prevent loss of critical functionality. The space should be easily accessible to entrance facilities, but within at least one other security boundary layer.

Today's SOCs are critical data centers that contain computer server and network equipment. Thus the recommendations commonly provided for a data center apply to an SOC. The selected space must be able to be built out according to facility use requirements (monitoring station, observer and meeting requirements), technology requirements (including provisions for primary and backup power, lighting and HVAC systems), and cabling system and network design requirements.


Range of Functions

Basic SOC operations include monitoring and dispatch functions for security, safety, building services and maintenance, and can even include primary or backup Network Operations Center (NOC) monitoring. However, response to a significant event can include planning and management for business continuity and disaster recovery operations. Is there adjoining space for a management team to assemble and view updated incident status information? One room over from the Security and Facilities Operations Center (SFOC) at the San Jose headquarters of Cisco Systems Inc. is the Emergency Operations Center (EOC), which is activated when strategic management decisions need to be made. Cisco's SFOC maintains situational awareness, provides human intervention for security operations, and generates the data for the EOC's electronic dashboard. Cisco's theater crisis management teams (Americas International, Asia, and EMEA) and corporate crisis management teams rely on the EOC to keep updated on key situational elements. Some enterprises, such as key international airports, must accommodate traveling dignitaries and press, and support them with telephone lines and internet connections.


Scope of Monitoring

The scope of SOC monitoring impacts its design and technology use.

The larger the scope of monitoring, the more important it is to set standards for the signals and data that the SOC will receive from individual facilities. (That also means the related devices and systems must be installed at the monitored facilities.) Leading companies establish written security standards that define uniform SOC situational awareness for each type or category of facility. These standards should be based on risk assessment results and the organization's risk tolerance level for each type of facility.

Some global companies use a “follow the sun” approach to monitoring, whereby global monitoring is performed in rotation by two or three SOCs during their facility's normal business operations hours. When an enterprise has multiple SOCs, their strategic use can optimize the staffing requirements if the right monitoring system technology is deployed. For example, on occurrence of a major incident, monitoring of all non-incident related signals can be routed to another SOC, allowing the primary SOC's personnel to concentrate on the incident without distraction and without requiring a higher level of personnel.

The use of network-based technologies can also allow global companies to deploy a strategy of using each of their multiple SOCs as a fail-over operations center for the others. Should one SOC become disabled or non-operational, monitoring, communications, and command and control functions can be forwarded to the “fail-over” SOC.
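The routing rules described in the two paragraphs above (follow-the-sun rotation, diverting non-incident signals away from a SOC that is handling a major incident, and forwarding everything away from a disabled SOC) can be expressed as a single signal-routing policy. The following is an added illustration, not code from the original article or from any vendor's monitoring system; the SOC names, time-zone offsets, business hours and facility names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Soc:
    name: str
    utc_offset_hours: int                    # assumed fixed offset, no DST handling
    business_hours: tuple = (8, 18)          # local hours during which this SOC takes the global watch
    operational: bool = True                 # False when the SOC is disabled (fail-over case)
    incident_facility: Optional[str] = None  # facility whose major incident this SOC is concentrating on

def on_watch(soc: Soc, now_utc: datetime) -> bool:
    """Follow-the-sun: a SOC is on watch during its own local business hours."""
    local = now_utc + timedelta(hours=soc.utc_offset_hours)
    start, end = soc.business_hours
    return start <= local.hour < end

def route_signal(facility: str, socs: List[Soc], now_utc: datetime) -> Soc:
    """Return the SOC that should receive a signal coming from `facility`."""
    # Rule 1 (fail-over): a disabled SOC receives nothing; if none is left,
    # the alternate/fallback SOC location is the only remaining option.
    live = [s for s in socs if s.operational]
    if not live:
        raise RuntimeError("no operational SOC; activate the alternate SOC location")
    # Rule 2 (incident mode): signals from the incident facility stay with the
    # SOC that is handling that incident.
    for s in live:
        if s.incident_facility == facility:
            return s
    # Rule 3 (follow the sun): prefer a SOC inside its business hours, but never
    # one that is busy with an incident, so its personnel are not distracted.
    watch = [s for s in live if on_watch(s, now_utc) and s.incident_facility is None]
    if watch:
        return watch[0]
    # Rule 4: nobody free is on watch, so fall back to any free operational SOC,
    # and only as a last resort to the SOC already handling an incident.
    free = [s for s in live if s.incident_facility is None]
    return (free or live)[0]

# Constructed sample: three SOCs rotating the global watch.
SOCS = [Soc("Americas", -8), Soc("EMEA", +1), Soc("APAC", +8)]

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 17, 0, tzinfo=timezone.utc)  # 09:00 in the Americas SOC
    print(route_signal("warehouse-7", SOCS, now).name)
```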