SIEM implementers, and the personnel who run the operations and security monitoring practices built on the SIEM, need to be able to handle the organizational politics that come with the role.
They should be skilled at working with other IT staff to resolve the friction that typically arises when the SOC team raises security incidents.
IT staff are likely to be irritated by the questions they are asked, particularly when the raised incident turns out to be the result of an activity they themselves carried out and carries no real risk.
There should be clear guidelines requiring IT staff to declare such activities (maintenance, testing, planned changes) beforehand, so that the SOC can match alerts against known activity and IT staff are spared embarrassing questions after the fact.
Information security staff should understand the importance of awareness training for IT staff; such sessions should be conducted periodically and followed up to verify that what was taught is actually being practised.
It is also important that SOC staff maintain their independence. The process flow should be clearly laid down, and segregation of duties should be well defined, with no conflicting responsibilities.
The SOC team should be responsible for opening a new incident case and should have the right to re-open a closed incident, but it should never be held accountable for delays in closing incidents. Proper closure of incidents is important, but if the team that can re-open incidents is also the team pressed over closure delays, its independence is compromised: it has an incentive not to re-open cases it was pressured to close. That is also a violation of proper segregation of duties.