Best Practices for SOC Design

Tips for planning and deploying an in-house Security Operations Center


Faced with the decision to stay in-house or use a managed services provider, many large organizations have decided to keep security under their own roof and build their own Security Operations Center (SOC) to correlate events and centralize all security monitoring and functions. There may be unique business requirements that require a dedicated, “proprietary” SOC — such as a casino or very large campus environment — or there may be cost drivers that indicate the need for an in-house SOC.

The adjective “proprietary” is used in the security industry to describe a number of different attributes — some good and some not as much. In this context, it refers to an SOC located at the user’s premises (in contrast to a commercial central alarm station) and usually owned and operated by the user.

Building an in-house SOC presents a myriad of challenges, and many security groups struggle with how best to start. This article outlines the design criteria to be considered in the development of a proprietary security systems monitoring and administration environment. The user could be a landlord or tenant, and the SOC could be responsible for multiple tenants or for many locations of a single company.


Location, Location, Location

The monitoring location can either be the pride of the physical security operation, or a space more reminiscent of the Black Hole of Calcutta. Its attributes usually depend on the importance given to security within the organization. A number of years ago, it was argued in a court case that an organization had not given security the prominence that it should since the security operation was located in the building basement. The counter argument is that the SOC needs to remain operational throughout a myriad of threat scenarios and may be best located in a more secure environment, away from traffic.

It should be remembered that efficiency and productivity are related, and that security’s image can be enhanced by a well-designed work environment. In addition, the security department will demand more respect when it projects a positive image, rather than one that lives in a cluttered hole-in-the-wall. The SOC should be housed in a location with a quality of working environment at least as good as other employees are given.

Two common types of monitoring locations are “up-front,” such as the reception desk in the main lobby, or a “back office” dedicated SOC. In some cases, both should be considered: the reception area may be too busy and distracting for effective security monitoring during regular business hours, but a small, off-hours (evenings, weekends and holidays) security presence may best be located in an entry lobby for high visibility and deterrence. The duplication of monitoring equipment at both locations may not add significantly to the cost of a new installation; in fact, the additional cost can be recovered very quickly through the reduction of security staffing expenses.

The first target is to obtain sufficient space, especially where real estate is at a premium. For the construction of a new facility, or a major refurbishment, it is necessary to clearly document space needs early in the design process and to “sell” those requirements to the space planners — usually the architect.


What Will Happen in the SOC?

The analysis of space requirements can begin by listing what will be happening in the SOC — what functions need to be performed there and how much space needs to be allocated to each function. Here are a few of the functions that may be included on your list:

  • Alarm monitoring and video verification.
  • Alarm response and communication with and deployment of security personnel.
  • Security communications: phone and intercom with the user population, and two-way with security officers.
  • Door and gate operations, including lock/unlock, open/close and video verification.
  • Issuing employee credentials.
  • Administration of access privileges.
  • Visitor management, including pre-approvals, verification, validation and credentialing.
  • Investigations, including review of video, alarm and access archives.
  • Duplicate stations where heavy security traffic is too much for a single officer.
  • Supervision of SOC functions and other officers.