Soc-Cmm 2.0 - Basic
B2 - Customers
B 2.1 1 M 0 3
B 2.2
B 2.2.1 1
B 2.2.2 1
B 2.2.3 1
B 2.2.4 1
B 2.2.5 1
B 2.2.6 1
B 2.2.7 1
B 2.2.8
B 2.3 1 M 0 3
B 2.4 1 M 0 3
B 2.5 1 M 0 3
B 2.6 1 M 0 3
B 2.7 1 M 0 3
SUM 0 18
B3 - SOC Charter
B 3.1 1 M 0 3
B 3.2 Incomplete
B 3.2.1 1
B 3.2.2 1
B 3.2.3 1
B 3.2.4 1
B 3.2.5 1
B 3.2.6 1
B 3.2.7 1
B 3.2.8 1
B 3.2.9 1
B 3.2.10 1
B 3.2.11 1
B 3.3 1 M 0 3
B 3.4 1 M 0 3
B 3.5 1 M 0 3
SUM 0 12
B4 - Governance
B 4.1 1 M 0 3
B 4.2 1 M 0 3
B 4.3 Incomplete
B 4.3.1 1
B 4.3.2 1
B 4.3.3 1
B 4.3.4 1
B 4.3.5 1
B 4.3.6 1
B 4.3.7 1
B 4.3.8 1
B 4.3.9 1
B 4.3.10 1
B 4.3.11 1
B 4.3.12 1
B 4.3.13 1
B 4.4 1 M 0 3
B 4.5 Incomplete
B 4.5.1 1
B 4.5.2 1
B 4.5.3 1
B 4.5.4 1
B 4.5.5 1
B 4.5.6 1
B 4.5.7 1
B 4.5.8 1
B 4.6 1 M 0 3
B 4.7 1 M 0 3
B 4.8 1 M 0 3
B 4.9 1 M 0 3
Maturity SUM 0 18
B5 - Privacy
B 5.1 1 M 0 3
B 5.2 1 M 0 3
B 5.2 1 M 0 3
B 5.2 1 M 0 3
B 5.3 1 M 0 3
B 5.4 1 M 0 3
B 5.5 1 M 0 3
B 5.6 1 M 0 3
Maturity SUM 0 18
P3 - People Management
P 3.1 1 M 0 3
P 3.2 1 M 0 3
P 3.3 1 M 0 3
P 3.4 1 M 0 3
P 3.5 1 M 0 3
P 3.6 1 M 0 3
P 3.7 1 M 0 3
P 3.8 1 M 0 3
P 3.9 1 M 0 3
P 3.10 1 M 0 3
Maturity SUM 0 30
P4 - Knowledge Management
P 4.1 1 M 0 3
P 4.2
P 4.2.1 1 M 0 3
P 4.2.2 1 M 0 3
P 4.2.3 1 M 0 3
P 4.2.4 1 M 0 3
P 4.2.5 1 M 0 3
P 4.2.6 1 M 0 3
P 4.3
P 4.3.1 1 M 0 3
P 4.3.2 1 M 0 3
P 4.3.3 1 M 0 3
P 4.3.4 1 M 0 3
P 4.3.5 1 M 0 3
P 4.4 1 M 0 3
P 4.5 1 M 0 3
Maturity SUM 0 42
M3 - Reporting
M 3.1 1 M 0 3
M 3.2 1 M 0 3
M 3.3 1 M 0 3
M 3.4 1 M 0 3
M 3.5 1 M 0 3
M 3.6 1 M 0 3
M 3.7
M 3.7.1 1 M 0 3
M 3.7.2 1 M 0 3
M 3.7.3 1 M 0 3
M 3.7.4 1 M 0 3
M 3.7.5 1 M 0 3
M 3.7.6 1 M 0 3
M 3.7.7 1 M 0 3
M 3.7.8 1 M 0 3
M 3.8
M 3.8.1 1 M 0 3
M 3.8.2 1 M 0 3
M 3.8.3 1 M 0 3
M 3.8.4 1 M 0 3
M 3.8.5 1 M 0 3
M 3.9
M 3.9.1 1 M 0 3
M 3.9.2 1 M 0 3
M 3.9.3 1 M 0 3
Maturity SUM 0 66
T2 - IDPS Tooling
T 2 - Scope 2
T 2.1
T 2.1.1 1 M 0 3
T 2.1.2 1 M 0 3
T 2.2
T 2.2.1 1 M 0 3
T 2.2.2 1 M 0 3
T 2.3
T 2.3.1 1 M 0 3
T 2.3.2 1 M 0 3
T 2.3.3 1 M 0 3
T 2.3.4 1 M 0 3
T 2.4
T 2.4.1 1 M 0 3
T 2.4.2 1 M 0 3
T 2.4.3 1 M 0 3
T 2.4.4 1 M 0 3
T 2.4.5 1 M 0 3
T 2.4.6 1 M 0 3
T 2.5
T 2.5.1 1 M 0 3
T 2.5.1 1 M 0 3
T 2.5.2 1 M 0 3
T 2.5.2 1 M 0 3
T 2.6
T 2.6.1 1 C 0 3
T 2.6.2 1 C 0 3
T 2.6.3 1 C 0 3
T 2.6.4 1 C 0 3
T 2.6.5 1 C 0 3
T 2.6.6 1 C 0 3
T 2.6.7 1 C 0 3
T 2.6.8 1 C 0 3
T 2.6.9 1 C 0 3
T 2.6.10 1 C 0 3
T 2.6.11 1 C 0 3
T 2.6.12 1 C 0 3
T 2.6.13 1 C 0 3
T 2.6.14 1 C 0 3
T 2.6.14 1 C 0 3
T 2.6.15 1 C 0 3
T 2.6.16 1 C 0 3
T 2.6.17 1 C 0 3
Capability SUM 0 51
Maturity SUM 0 48
T3 - Security Analytics
T 3 - Scope 2
T 3.1
T 3.1.1 1 M 0 3
T 3.1.2 1 M 0 3
T 3.2
T 3.2.1 1 M 0 3
T 3.2.2 1 M 0 3
T 3.3 1
T 3.3.1 1 M 0 3
T 3.3.2 1 M 0 3
T 3.3.3 1 M 0 3
T 3.3.4 1 M 0 3
T 3.4
T 3.4.1 1 M 0 3
T 3.4.2 1 M 0 3
T 3.4.3 1 M 0 3
T 3.4.4 1 M 0 3
T 3.4.5 1 M 0 3
T 3.4.6 1 M 0 3
T 3.5
T 3.5.1 1 M 0 3
T 3.5.1 1 M 0 3
T 3.5.2 1 M 0 3
T 3.5.2 1 M 0 3
T 3.6
T 3.6.1 1 C 0 3
T 3.6.2 1 C 0 3
T 3.6.3 1 C 0 3
T 3.6.4 1 C 0 3
T 3.6.5 1 C 0 3
T 3.6.6 1 C 0 3
T 3.6.7 1 C 0 3
T 3.6.8 1 C 0 3
T 3.6.9 1 C 0 3
T 3.6.10 1 C 0 3
T 3.6.11 1 C 0 3
T 3.6.12 1 C 0 3
T 3.6.13 1 C 0 3
T 3.6.14 1 C 0 3
T 3.6.15 1 C 0 3
T 3.6.16 1 C 0 3
T 3.6.17 1 C 0 3
T 3.6.18 1 C 0 3
T 3.6.19 1 C 0 3
T 3.6.20 1 C 0 3
T 3.6.21 1 C 0 3
T 3.6.22 1 C 0 3
T 3.6.23 1 C 0 3
T 3.6.23 1 C 0 3
T 3.6.24 1 C 0 3
Capability SUM 0 72
Maturity SUM 0 48
S 3 - Security Analysis
S 3 - Scope 2
S 3.1 1 M 0 3
S 3.1 1 M 0 3
S 3.1 1 M 0 3
S 3.1 1 M 0 3
S 3.2
S 3.2.1 1
S 3.2.2 1
S 3.2.3 1
S 3.2.4 1
S 3.2.5 1
S 3.2.6 1
S 3.2.7 1
S 3.2.8 1
S 3.2.9 1
S 3.2.10 1
S 3.2.11 1
S 3.3 1 M 0 3
S 3.4 1 M 0 3
S 3.5 1 M 0 3
S 3.6 1 M 0 3
S 3.7 1 M 0 3
S 3.8 1 M 0 3
S 3.9 1 M 0 3
S 3.9 1 M 0 3
S 3.10 1 M 0 3
S 3.11 1 M 0 3
S 3.12 1 M 0 3
S 3.12 1 M 0 3
S 3.12 1 M 0 3
S 3.12 1 M 0 3
S 3.13 1 M 0 3
S 3.14 1 M 0 3
S 3.15
S 3.15.1 1 C 0 3
S 3.15.2 1 C 0 3
S 3.15.3 1 C 0 3
S 3.15.4 1 C 0 3
S 3.15.5 1 C 0 3
S 3.15.6 1 C 0 3
S 3.15.7 1 C 0 3
S 3.15.8 1 C 0 3
S 3.15.9 1 C 0 3
S 3.15.10 1 C 0 3
S 3.15.11 1 C 0 3
S 3.15.12 1 C 0 3
S 3.15.13 1 C 0 3
S 3.15.14 1 C 0 3
S 3.15.15 1 C 0 3
S 3.15.16 1 C 0 3
S 3.15.17 1 C 0 3
S 3.15.18 1 C 0 3
S 3.15.19 1 C 0 3
S 3.15.20 1 C 0 3
S 3.15.21 1 C 0 3
S 3.15.22 1 C 0 3
S 3.15.23 1 C 0 3
S 3.15.24 1 C 0 3
S 3.16
Capability SUM 0 72
Maturity SUM 0 39
S4 - Threat Intelligence
S 4 - Scope 2
S 4.1 1 M 0 3
S 4.2
S 4.2.1 1
S 4.2.2 1
S 4.2.3 1
S 4.2.4 1
S 4.2.5 1
S 4.2.6 1
S 4.2.7 1
S 4.2.8 1
S 4.2.9 1
S 4.2.10 1
S 4.2.11 1
S 4.3 1 M 0 3
S 4.4 1 M 0 3
S 4.5 1 M 0 3
S 4.6 1 M 0 3
S 4.7 1 M 0 3
S 4.8 1 M 0 3
S 4.9 1 M 0 3
S 4.9 1 M 0 3
S 4.10 1 M 0 3
S 4.11 1 M 0 3
S 4.12 1 M 0 3
S 4.13 1 M 0 3
S 4.14
S 4.14.1 1 C 0 3
S 4.14.2 1 C 0 3
S 4.14.3 1 C 0 3
S 4.14.4 1 C 0 3
S 4.14.5 1 C 0 3
S 4.14.6 1 C 0 3
S 4.14.7 1 C 0 3
S 4.14.8 1 C 0 3
S 4.14.9 1 C 0 3
S 4.14.10 1 C 0 3
S 4.14.11 1 C 0 3
S 4.14.12 1 C 0 3
S 4.14.13 1 C 0 3
S 4.14.14 1 C 0 3
S 4.14.15 1 C 0 3
S 4.14.16 1 C 0 3
S 4.14.17 1 C 0 3
S 4.14.18 1 C 0 3
S 4.14.19 1 C 0 3
S 4.14.20 1 C 0 3
S 4.14.21 1 C 0 3
S 4.14.22 1 C 0 3
S 4.14.23 1 C 0 3
S 4.14.24 1 C 0 3
S 4.14.25 1 C 0 3
S 4.14.26 1 C 0 3
S 4.14.27 1 C 0 3
S 4.14.28 1 C 0 3
S 4.14.29 1 C 0 3
S 4.15
Capability SUM 0 87
Maturity SUM 0 36
S5 - Hunting
S 5 - Scope 2
S 5.1 1 M 0 3
S 5.2 1 M 0 3
S 5.3
S 5.3.1 1
S 5.3.2 1
S 5.3.3 1
S 5.3.4 1
S 5.3.5 1
S 5.3.6 1
S 5.3.7 1
S 5.3.8 1
S 5.3.9 1
S 5.3.10 1
S 5.3.11 1
S 5.4 1 M 0 3
S 5.5 1 M 0 3
S 5.6 1 M 0 3
S 5.7 1 M 0 3
S 5.8 1 M 0 3
S 5.9 1 M 0 3
S 5.10 1 M 0 3
S 5.10 1 M 0 3
S 5.11 1 M 0 3
S 5.12 1 M 0 3
S 5.13 1 M 0 3
S 5.14 1 M 0 3
S 5.15
S 5.15.1 1 C 0 3
S 5.15.2 1 C 0 3
S 5.15.3 1 C 0 3
S 5.15.4 1 C 0 3
S 5.15.5 1 C 0 3
S 5.15.6 1 C 0 3
S 5.15.7 1 C 0 3
S 5.15.8 1 C 0 3
S 5.15.9 1 C 0 3
S 5.15.10 1 C 0 3
S 5.15.11 1 C 0 3
S 5.15.12 1 C 0 3
S 5.15.13 1 C 0 3
S 5.15.14 1 C 0 3
S 5.15.15 1 C 0 3
S 5.15.16 1 C 0 3
S 5.15.17 1 C 0 3
S 5.15.18 1 C 0 3
S 5.15.19 1 C 0 3
S 5.15.20 1 C 0 3
S 5.15.21 1 C 0 3
S 5.16
Capability SUM 0 63
Maturity SUM 0 39
S6 - Vulnerability Management
S 6 - Scope 2
S 6.1 1 M 0 3
S 6.1 1 M 0 3
S 6.2
S 6.2.1 1
S 6.2.2 1
S 6.2.3 1
S 6.2.4 1
S 6.2.5 1
S 6.2.6 1
S 6.2.7 1
S 6.2.8 1
S 6.2.9 1
S 6.2.10 1
S 6.2.11 1
S 6.3 1 M 0 3
S 6.4 1 M 0 3
S 6.5 1 M 0 3
S 6.6 1 M 0 3
S 6.7 1 M 0 3
S 6.8 1 M 0 3
S 6.9 1 M 0 3
S 6.9 1 M 0 3
S 6.10 1 M 0 3
S 6.10 1 M 0 3
S 6.11 1 M 0 3
S 6.12 1 M 0 3
S 6.13 1 M 0 3
S 6.14
S 6.14.1 1 C 0 3
S 6.14.1 1 C 0 3
S 6.14.2 1 C 0 3
S 6.14.2 1 C 0 3
S 6.14.3 1 C 0 3
S 6.14.3 1 C 0 3
S 6.14.4 1 C 0 3
S 6.14.4 1 C 0 3
S 6.14.5 1 C 0 3
S 6.14.6 1 C 0 3
S 6.14.7 1 C 0 3
S 6.14.8 1 C 0 3
S 6.14.9 1 C 0 3
S 6.14.10 1 C 0 3
S 6.14.10 1 C 0 3
S 6.14.10 1 C 0 3
S 6.14.11 1 C 0 3
S 6.14.11 1 C 0 3
S 6.14.12 1 C 0 3
S 6.14.13 1 C 0 3
S 6.14.13 1 C 0 3
S 6.14.14 1 C 0 3
S 6.14.15 1 C 0 3
S 6.14.16 1 C 0 3
S 6.14.17 1 C 0 3
S 6.14.18 1 C 0 3
S 6.15
Capability SUM 0 57
Maturity SUM 0 36
S7 - Log Management
S 7 - Scope 2
S 7.1 1 M 0 3
S 7.2
S 7.2.1 1
S 7.2.2 1
S 7.2.3 1
S 7.2.4 1
S 7.2.5 1
S 7.2.6 1
S 7.2.7 1
S 7.2.8 1
S 7.2.9 1
S 7.2.10 1
S 7.2.11 1
S 7.3 1 M 0 3
S 7.4 1 M 0 3
S 7.5 1 M 0 3
S 7.6 1 M 0 3
S 7.7 1 M 0 3
S 7.8 1 M 0 3
S 7.9 1 M 0 3
S 7.9 1 M 0 3
S 7.10 1 M 0 3
S 7.11 1 M 0 3
S 7.12 1 M 0 3
S 7.13 1 M 0 3
S 7.14
S 7.14.1 1 C 0 3
S 7.14.2 1 C 0 3
S 7.14.3 1 C 0 3
S 7.14.4 1 C 0 3
S 7.14.5 1 C 0 3
S 7.14.6 1 C 0 3
S 7.14.7 1 C 0 3
S 7.14.8 1 C 0 3
S 7.14.9 1 C 0 3
S 7.14.10 1 C 0 3
S 7.14.11 1 C 0 3
S 7.14.12 1 C 0 3
S 7.14.13 1 C 0 3
S 7.14.14 1 C 0 3
S 7.14.15 1 C 0 3
S 7.14.16 1 C 0 3
S 7.14.17 1 C 0 3
S 7.14.18 1 C 0 3
S 7.14.19 1 C 0 3
S 7.14.19 1 C 0 3
S 7.14.20 1 C 0 3
S 7.15
Capability SUM 0 60
Maturity SUM 0 36
NIST mapping (CSF 1.0) | NIST in scope (CSF 1.0) | NIST mapping (CSF 1.1) | NIST in scope (CSF 1.1) | factor (SUM = MIN score)
ID.BE-5 ID.BE-5 1
ID.BE-5 ID.BE-5 1
ID.BE-5 ID.BE-5 1
ID.BE-5 ID.BE-5 1
ID.BE-5 ID.BE-5 1
5
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
6
ID.BE-3 ID.BE-3 1
ID.BE-3 ID.BE-3 1
ID.BE-3 ID.BE-3 1
ID.BE-3 ID.BE-3 1
4
ID.GV-3 ID.GV-3 1
ID.GV-1 ID.GV-1 1
ID.BE-4 ID.BE-4 1
ID.GV-1 ID.GV-1 1
ID.GV-3 ID.GV-3 1
ID.GV-2 ID.GV-2 1
ID.GV-4 ID.GV-4 1
6
ID.GV-3 ID.GV-3 1
ID.GV-3 ID.GV-3 1
PR.IP-6 PR.IP-6 1
PR.DS-5 PR.DS-5 1
ID.GV-3 ID.GV-3 1
ID.GV-3 ID.GV-3 1
ID.GV-3 ID.GV-3 1
ID.GV-3 ID.GV-3 1
6
1
1
1
1
1
1
6
ID.AM-6 ID.AM-6 1
ID.GV-2 ID.GV-2 1
DE.DP-1 DE.DP-1 1
ID.AM-6 ID.AM-6 1
DE.DP-1 DE.DP-1 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
ID.GV-2 ID.GV-2 1
DE.DP-1 DE.DP-1 1
ID.AM-6 ID.AM-6 1
PR.AT-5 PR.AT-5 1
DE.DP-1 DE.DP-1 1
ID.AM-6 ID.AM-6 1
ID.AM-6 ID.AM-6 1
8
1
1
1
1
1
PR.AT-1 PR.AT-1 1
PR.IP-11 PR.IP-11 1
1
1
1
10
1
1
1
1
1
1
1
1
1
1
1
1
1
14
PR.AT-1 PR.AT-1 1
1
PR.AT-1 PR.AT-1 1
PR.AT-1 PR.AT-1 1
PR.AT-1 PR.AT-1 1
1
PR.AT-1 PR.AT-1 1
7
1
1
1
1
4
PR.IP-10 PR.IP-10 1
1
1
1
1
1
PR.IP-3 PR.IP-3 1
1
1
1
PR.IP-5 PR.IP-5 1
PR.AC-5 PR.AC-5 1
PR.AC-2 PR.AC-2 1
1
1
1
1
1
1
1
1
1
1
23
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
22
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RM-1 ID.RM-1 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
ID.RA-3 ID.RA-3 1
ID.RA-4 ID.RA-4 1
ID.RA-5 ID.RA-5 1
12
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
1
PR.AT-5 PR.AT-5 1
PR.AT-5 PR.AT-5 1
1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-9 PR.IP-9 1
PR.IP-10 PR.IP-10 1
PR.DS-7 PR.DS-7 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
PR.AC-4 PR.AC-4 1
PR.MA-1 PR.MA-1 1
PR.MA-2 PR.MA-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
26
16
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
1
PR.AT-5 PR.AT-5 1
PR.AT-5 PR.AT-5 1
1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-9 PR.IP-9 1
PR.IP-10 PR.IP-10 1
PR.DS-7 PR.DS-7 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
PR.DS-6 PR.DS-6 1
DE.CM-7 DE.CM-7 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.AE-1 DE.AE-1 1
DE.DP-2 DE.DP-2 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
PR.AC-4 PR.AC-4 1
PR.MA-1 PR.MA-1 1
PR.MA-2 PR.MA-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
17
16
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
1
PR.AT-5 PR.AT-5 1
PR.AT-5 PR.AT-5 1
1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-9 PR.IP-9 1
PR.IP-10 PR.IP-10 1
PR.DS-7 PR.DS-7 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
DE.DP-2 DE.DP-2 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
PR.PT-1 PR.PT-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.AE-1 DE.AE-1 1
DE.AE-1 DE.AE-1 1
DE.AE-1 DE.AE-1 1
DE.AE-1 DE.AE-1 1
DE.AE-1 DE.AE-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
PR.AC-4 PR.AC-4 1
PR.MA-1 PR.MA-1 1
PR.MA-2 PR.MA-2 1
DE.DP-2 DE.DP-2 1
24
16
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
1
PR.AT-5 PR.AT-5 1
PR.AT-5 PR.AT-5 1
1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-4 PR.IP-4 1
PR.IP-9 PR.IP-9 1
PR.IP-10 PR.IP-10 1
PR.DS-7 PR.DS-7 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
PR.PT-3 PR.PT-3 1
PR.AC-4 PR.AC-4 1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
PR.AC-4 PR.AC-4 1
PR.MA-1 PR.MA-1 1
PR.MA-2 PR.MA-2 1
1
1
19
16
DE.DP-1 DE.DP-1 1
DE.CM-1 DE.CM-1 1
DE.CM-2 DE.CM-2 1
DE.CM-3 DE.CM-3 1
DE.CM-4 DE.CM-4 1
DE.CM-5 DE.CM-5 1
DE.CM-6 DE.CM-6 1
DE.CM-7 DE.CM-7 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-4 DE.DP-4 1
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.CM-1 DE.CM-1 1
DE.CM-2 DE.CM-2 1
DE.CM-3 DE.CM-3 1
DE.CM-4 DE.CM-4 1
DE.CM-5 DE.CM-5 1
DE.CM-6 DE.CM-6 1
DE.CM-7 DE.CM-7 1
DE.AE-3 DE.AE-3 1
DE.DP-2 DE.DP-2 1
DE.DP-5 DE.DP-5 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.CM-4 DE.CM-4 1
DE.CM-5 DE.CM-5 1
DE.DP-2 DE.DP-2 1
DE.AE-5 DE.AE-5 1
DE.AE-5 DE.AE-5 1
PR.DS-4 PR.DS-4 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-7 DE.CM-7 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
PR.DS-5 PR.DS-5 1
PR.DS-5 PR.DS-5 1
DE.CM-6 DE.CM-6 1
DE.CM-2 DE.CM-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
24
13
1
RS.CO-1 RS.CO-1 1
RS.IM-1 RS.IM-1 1
1
RS.CO-2 RS.CO-2 1
RS.CO-3 RS.CO-3 1
RS.CO-4 RS.CO-4 1
RS.CO-5 RS.CO-5 1
1
RS.CO-1 RS.CO-1 1
1
RS.CO-1 RS.CO-1 1
RS.MI-1 RS.MI-1 1
RS.MI-2 RS.MI-2 1
1
RS.RP-1 RS.RP-1 1
RS.IM-1 RS.IM-1 1
RS.IM-1 RS.IM-1 1
RS.IM-2 RS.IM-2 1
RS.CO-2 RS.CO-2 1
RS.MI-2 RS.MI-2 1
RS.AN-1 RS.AN-1 1
RS.AN-2 RS.AN-2 1
RS.AN-3 RS.AN-3 1
1
PR.AT-5 PR.AT-5 1
RS.RP-1 RS.RP-1 1
DE.DP-3 DE.DP-3 1
RS.CO-1 RS.CO-1 1
RS.CO-1 RS.CO-1 1
RS.CO-2 RS.CO-2 1
RS.CO-2 RS.CO-2 1
RS.AN-1 RS.AN-1 1
RS.AN-2 RS.AN-2 1
DE.AE-4 DE.AE-4 1
RS.AN-2 RS.AN-2 1
DE.AE-4 DE.AE-4 1
RS.AN-4 RS.AN-4 1
RS.CO-4 RS.CO-4 1
RS.CO-4 RS.CO-4 1
RS.CO-2 RS.CO-2 1
RS.CO-4 RS.CO-4 1
RS.CO-4 RS.CO-4 1
RS.CO-2 RS.CO-2 1
1
RS.AN-3 RS.AN-3 1
RS.MI-1 RS.MI-1 1
RS.MI-2 RS.MI-2 1
RS.MI-1 RS.MI-1 1
RS.MI-2 RS.MI-2 1
RS.MI-1 RS.MI-1 1
RS.MI-2 RS.MI-2 1
RS.IM-1 RS.IM-1 1
RS.CO-2 RS.CO-2 1
RS.MI-2 RS.MI-2 1
RS.IM-1 RS.IM-1 1
RS.IM-2 RS.IM-2 1
32
13
DE.DP-1 DE.DP-1 1
RS.AN-1 RS.AN-1 1
RS.AN-3 RS.AN-3 1
DE.AE-2 DE.AE-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-4 DE.DP-4 1
DE.DP-1 DE.DP-1 1
DE.DP-1 DE.DP-1 1
DE.DP-2 DE.DP-2 1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
DE.DP-2 DE.DP-2 1
RS.AN-1 RS.AN-1 1
RS.AN-3 RS.AN-3 1
DE.AE-2 DE.AE-2 1
DE.DP-2 DE.DP-2 1
DE.DP-5 DE.DP-5 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
DE.AE-2 DE.AE-2 1
RS.AN-3 RS.AN-3 1
RS.AN-3 RS.AN-3 1
DE.AE-2 DE.AE-2 1
RS.AN-3 RS.AN-3 1
RS.AN-3 RS.AN-3 1
DE.AE-2 DE.AE-2 1
RS.CO-2 RS.CO-2 1
RS.AN-3 RS.AN-3 1
RS.AN-3 RS.AN-3 1
RS.AN-3 RS.AN-3 1
24
13
ID.RA-3 ID.RA-3 1
1
1
1
1
1
ID.RA-5 ID.RA-5 1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
1
ID.RA-3 ID.RA-3 1
1
1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
ID.RA-3 ID.RA-3 1
DE.AE-2 DE.AE-2 1
1
1
1
ID.RA-5 ID.RA-5 1
1
1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
ID.RA-2 ID.RA-2 1
29
12
1
ID.RA-3 ID.RA-3 1
1
1
1
1
1
1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
1
1
1
DE.DP-5 DE.DP-5 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
DE.CM-1 DE.CM-1 1
1
1
1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
1
1
1
1
21
13
PR.IP-12 PR.IP-12 1
ID.RA-1 ID.RA-1 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
PR.IP-12 PR.IP-12 1
ID.RA-1 ID.RA-1 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
DE.CM-8 DE.CM-8 1
ID.AM-1 ID.AM-1 1
DE.CM-8 DE.CM-8 1
ID.RA-1 ID.RA-1 1
ID.RA-5 ID.RA-5 1
ID.RA-1 ID.RA-1 1
RS.MI-3 RS.MI-3 1
DE.CM-8 DE.CM-8 1
DE.CM-8 DE.CM-8 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
ID.RA-5 ID.RA-5 1
ID.RA-1 ID.RA-1 1
RS.MI-3 RS.MI-3 1
PR.IP-12 PR.IP-12 1
ID.RA-1 ID.RA-1 1
ID.AM-2 ID.AM-2 1
PR.IP-12 PR.IP-12 1
ID.RA-1 ID.RA-1 1
DE.CM-8 DE.CM-8 1
PR.IP-12 PR.IP-12 1
PR.IP-12 PR.IP-12 1
DE.CM-8 DE.CM-8 1
DE.CM-8 DE.CM-8 1
19
12
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.IP-9 PR.IP-9 1
PR.MA-1 PR.MA-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
PR.PT-1 PR.PT-1 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
DE.AE-3 DE.AE-3 1
PR.DS-4 PR.DS-4 1
PR.DS-2 PR.DS-2 1
DE.AE-3 DE.AE-3 1
PR.DS-2 PR.DS-2 1
DE.AE-3 DE.AE-3 1
1
1
1
PR.DS-1 PR.DS-1 1
ID.GV-3 ID.GV-3 1
PR.PT-1 PR.PT-1 1
ID.GV-3 ID.GV-3 1
PR.IP-6 PR.IP-6 1
ID.GV-3 ID.GV-3 1
20
12
total score MAX score final score
0 5 0
0 5 0
0 5 0
0 5 0
0 5 0
0 25 0
0 5
0 5
0 5
0 5
0 5
0 5
0 30 0
0 5
0 5
0 5
0 5
0 20 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 30 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 30 0
0 5
0 5
0 5
0 5
0 5
0 5
0 30 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 40 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 50 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 70 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 35 0
0 5
0 5
0 5
0 5
0 20 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 115 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 110 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 60 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 130 0
0 80 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 85 0
0 80 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 120 0
0 80 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 95 0
0 80 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 120 0
0 65 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 160 0
0 65 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 120 0
0 65 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 145 0
0 60 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 105 0
0 65 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 95 0
0 60 0
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 5
0 100 0
0 60 0
remarks
Domain Section % complete
Introduction 1. Introduction N/A
2. Usage N/A
People 1. Employees 0
2. Roles and Hierarchy 0
3. People Management 0
4. Knowledge Management 0
5. Training and Education 0
Process 1. Management 0
2. Operations and Facilities 0
3. Reporting 0
4. Use Case Management 0
General information
Author Rob van Os
Site https://www.soc-cmm.com/
Contact info [at] SOC-CMM.com
Version 2.0, basic version
Date April 25th, 2018
Background
The SOC-CMM is a capability maturity model that can be used to perform a self-assessment of your Security Operations Center (SOC). The model is based on review conducted on literature regarding SOC setup and existing SOC models as well as literature on specific elements within a SOC. The literature analysis was then validated by questioning several Security Operations Centers in different sectors and on different maturity levels to determine which elements were actually in place.
The output from the survey, combined with the initial analysis is the basis for this self-assessment.
For more information regarding the scientific background and the literature used to create the SOC-CMM self-assessment.
available through: https://www.soc-cmm.com/
If you have any questions or comments regarding the contents of this document, please use the above information t
Besides the primary purpose of performing an assessment of the SOC, the assessment can also be used for extensive discussions about the SOC and can thus provide valuable insights.
This tool is intended for use by SOC and security managers, experts within the SOC and SOC consultants.
The purpose of the SOC-CMM is to gain insight into the strengths and weaknesses of the SOC. This enables the SOC management to make informed decisions about which elements of the SOC require additional attention and/or budget. By regularly assessing the SOC for maturity and capability, progress can be monitored.
Navigation
Navigation through this tool is done using the navigation bar at the top of each page. Each of the numbered section
section. Furthermore, the icons can be used to navigate through sections within a domain and between domains. Th
Assessment Model
The assessment model consists of 5 domains and 25 aspects. All domains are evaluated for maturity (blue), only technology and services are evaluated for both maturity and capability (purple).
Maturity Levels
CMMI defines maturity as a means for an organization "to characterize its performance" for a specific entity (here: the SOC).
The SOC-CMM calculates a maturity score using 6 maturity levels:
- Level 0: non-existent
- Level 1: initial
- Level 2: managed
- Level 3: defined
- Level 4: quantitatively managed
- Level 5: optimizing
These maturity levels are measured across 5 domains: business, people, process, technology and services. The maturity levels as implemented in this tool are not staged with pre-requisites for each level. Instead, every element adds individually to the maturity score: a continuous maturity model.
Capability Levels
Capabilities are indicators of completeness. In essence, capabilities can support maturity.
The SOC-CMM calculates a capability score using 4 capability levels, similar to CMMI:
- Level 0: incomplete
- Level 1: performed
- Level 2: managed
- Level 3: defined
These capability levels have a strong technical focus and are measured across 2 domains: technology and services.
capability level is continuous. There are no prerequisites for advancing to a higher level, thus the capability growth
Disclaimer
The SOC-CMM is provided without warranty of any kind. The author of the document cannot assure its accuracy and is not liable for any cost as a result of decisions based on the output of this tool. The usage of this tool does not in any way entitle the user to support or consultancy. By using this tool, you agree to these conditions.
License
The SOC-CMM advanced version is part of the SOC-CMM.
The SOC-CMM is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://ww
The evaluation is based on questions that can be answered using a drop-down that presents a 5-point scale. This sc
below under 'Scoring mechanism'. This tool should be used by assessing each sheet in order. When all domains are c
the total scoring and detailed scoring for each domain. A sheet 'Next steps' is also included to provide pointers for fo
There is also a weighing mechanism in place. For each question, the importance of that element can be changed. Th
that the score is not modified. Changing the importance to 'low' will cause the element to have less impact on the sco
element to have more impact on the score. Setting it to 'none' will ignore the element in scoring entirely, as explaine
should be used with care.
Scoring mechanism
Each question that is part of the maturity scoring can be answered by selecting one of 5 options. These options vary based on the type of question. For example, for questions regarding completeness, the following applies:
- Incomplete, score: 0
- Partially complete, score: 1,25
- Averagely complete, score: 2,5
- Mostly complete, score: 3,75
- Fully complete, score: 5
As indicated, the score can be modified by using the weighing mechanism (use with care).
Guidance
For each of the maturity questions, guidance is available. When a value is selected from the dropdown box, guidance for that value is shown under the guidance column. This guidance can be used to help determine the correct level. Note that this is truly meant as guidance on interpretation and scoring, not as the single truth.
Weighing mechanism
The weighing mechanism in the tool works by applying a factor to the element score as follows:
- Importance 'None', factor = 0 (not included in scoring)
- Importance 'Low', factor = 0.5 (score divided by 2)
- Importance 'Normal', factor = 1 (score not affected)
- Importance 'High', factor = 2 (score doubled)
- Importance 'Critical', factor = 4 (score quadrupled)
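The answer scores and the importance factors combine into one aspect score. The Python block below is an added example, not the SOC-CMM workbook's own formulas: it scores a set of completeness elements, drops elements whose importance is 'None' from both the score and the maximum, and scales the weighted total onto the 0-5 axis. The answer scores, the factors and the maturity level names are the page's own; the normalisation (weighted total divided by weighted maximum, times 5), the rounding-down of that score to a level name, and the sample answers are assumptions of this example.

```python
from math import floor
from typing import Dict, List, Optional, Tuple

# Answer options for completeness-type maturity questions and their scores,
# as listed on the page under 'Scoring mechanism'.
ANSWER_SCORE: Dict[str, float] = {
    "Incomplete": 0.0,
    "Partially complete": 1.25,
    "Averagely complete": 2.5,
    "Mostly complete": 3.75,
    "Fully complete": 5.0,
}

# Importance factors as listed on the page under 'Weighing mechanism'.
IMPORTANCE_FACTOR: Dict[str, float] = {
    "None": 0.0,      # element ignored in scoring entirely
    "Low": 0.5,
    "Normal": 1.0,
    "High": 2.0,
    "Critical": 4.0,
}

MAX_ELEMENT_SCORE = 5.0

# Maturity level names from the page. Mapping a 0-5 score onto a level by
# rounding down is an assumption of this example, not the tool's documented rule.
MATURITY_LEVELS = ["non-existent", "initial", "managed", "defined",
                   "quantitatively managed", "optimizing"]

# One assessed element: (element id, selected answer, selected importance).
Element = Tuple[str, str, str]


def weighted_element(answer: str, importance: str,
                     apply_weights: bool = True) -> Optional[Tuple[float, float]]:
    """Return (weighted score, weighted maximum) for one element, or None when
    the element is excluded from scoring (importance 'None')."""
    factor = IMPORTANCE_FACTOR[importance]
    if factor == 0.0:
        return None
    if not apply_weights:
        factor = 1.0
    return ANSWER_SCORE[answer] * factor, MAX_ELEMENT_SCORE * factor


def aspect_score(elements: List[Element], apply_weights: bool = True) -> dict:
    """Aggregate the elements of one aspect into a 0-5 maturity score.

    The final score is the weighted total scaled back to the 0-5 axis
    (total / max * 5); this normalisation is an assumption of the example.
    """
    total = 0.0
    max_total = 0.0
    excluded: List[str] = []
    for element_id, answer, importance in elements:
        scored = weighted_element(answer, importance, apply_weights)
        if scored is None:
            excluded.append(element_id)   # 'None' drops it from score AND maximum
            continue
        score, maximum = scored
        total += score
        max_total += maximum
    final = total / max_total * MAX_ELEMENT_SCORE if max_total else 0.0
    level = min(floor(final), len(MATURITY_LEVELS) - 1)
    return {
        "total": total,
        "max": max_total,
        "final": final,
        "level": level,
        "level_name": MATURITY_LEVELS[level],
        "excluded": excluded,
    }


# Constructed sample input: charter-document elements (ids from the page;
# the answers and importance values are chosen for this example).
SAMPLE_CHARTER: List[Element] = [
    ("3.2.1 Mission", "Fully complete", "Normal"),
    ("3.2.2 Vision", "Partially complete", "High"),
    ("3.2.3 Strategy", "Incomplete", "Critical"),
    ("3.2.4 Service Scope", "Mostly complete", "Low"),
    ("3.2.5 Deliverables", "Averagely complete", "None"),
]


if __name__ == "__main__":
    weighted = aspect_score(SAMPLE_CHARTER)
    unweighted = aspect_score(SAMPLE_CHARTER, apply_weights=False)
    print(f"weighted:   {weighted['final']:.2f} ({weighted['level_name']}), "
          f"excluded: {weighted['excluded']}")
    print(f"unweighted: {unweighted['final']:.2f} ({unweighted['level_name']})")
```

The same five answers score 2.5 ('managed') with every importance at 'Normal' but 1.25 ('initial') once weighting is applied, because the incomplete 'Critical' element contributes 20 of the 37.5 available points. This is the effect the page warns about when it says the weighing mechanism should be used with care: a single importance change can move an aspect by a whole level.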
e for answering other questions. These elements have a lighter color. For
2 (not part of maturity score) as a guideline.
filling in those parts of the assessment.
bilities do not have a 5-point scale and an importance, but use a 6-point
cale is 'not required'. Use this if you do not feel like you need that
g on the level of detail you put into the assessment. Before you start,
owledgeable SOC employee perform a quick scan and subsequently focus
ce the assessment effort.
nular scoring. The exact mapping can be found on the SOC-CMM site as a
Profile
1. Profile
2. Scope
Please fill in the information below to create a short profile of the SOC and the assessment
Assessment Details
Date of assessment
Name(s)
Department(s)
Intended purpose of the assessment
Scope
SOC Profile
Number of year in operation
Number of FTE's
SOC model
Geographic operation
Notes or comments
Follow the sun, hybrid (partially outsourced), centralized, multiple individual SOCs, multi-tiered SOC model
Regional, National, Continental, Global
Please select the services and technologies that should be included into the assessment. Excluding a service or techn
Security Information and Event management tooling. Used to gather logging information from company assets and correlate events
Intrusion Detection and Prevention Tooling. Used to detect in-line exploits and anomalous network activity
Big data security solution. Used to gather structured and unstructured security information and find anomalies using statistical and data analysis techniques
Used to automate workflows and SOC actions, support incident response and orchestrate between different security products
The security monitoring service aims at detecting security incidents and events
The security incident management service aims at responding to security incidents in a timely, accurate and organized fashion
The security analysis service supports security monitoring and security incident management. Analysis includes event analysis and forensic analysis
The threat intelligence service provides information about potential threats that can be used in security monitoring, security incident response, security analysis and threat hunting
The hunting service takes a proactive approach to finding threats in the infrastructure. Threat intelligence is often used to guide hunting efforts
The vulnerability management service is used to detect vulnerabilities in assets by discovery and actively scanning assets for known vulnerabilities
The log management service is used to collect, store and retain logging. Can be used for compliance purposes as well as investigation purposes
1 Business Drivers
1.1 Have you identified the main business drivers?
1.2 Have you documented the main business drivers?
1.3 Do you use business drivers in the decision making process?
1.4 Do you regularly check if the current service catalogue is aligned with business drivers?
1.5 Have the business drivers been validated with business stakeholders?
2 Customers
2.1 Have you identified the SOC customers?
2.2 Please specify your customers:
2.2.1 Legal
2.2.2 Audit
2.2.3 Engineering / R&D
2.2.4 IT
2.2.5 Business
2.2.6 External customers
2.2.7 (Senior) Management
2.2.8 Other customers:
Formal registration of customer contact details, place in the organization, geolocation, etc.
For example, are communication style and contents to Business customers different than that to IT?
Service level agreements are used to provide standardized services operating within known boundaries
For example: changes in service scope or delivery. Can also be reports, dashboards, etc.
Business
1. Business Drivers
2. Customers
3. Charter
4. Governance
5. Privacy
3 Charter
3.1 Does the SOC have a formal charter document in place?
3.2 Please specify elements of the charter document:
3.2.1 Mission
3.2.2 Vision
3.2.3 Strategy
3.2.4 Service Scope
3.2.5 Deliverables
3.2.6 Responsibilities
3.2.7 Accountability
3.2.8 Operational Hours
3.2.9 Stakeholders
3.2.10 Objectives / Goals
3.2.11 Statement of success
Completeness
3.3 Is the SOC charter document regularly updated?
3.4 Is the SOC charter document approved by the business / CISO?
3.5 Are all stakeholders familiar with the SOC charter document contents?
Remarks
See 3.2 for charter document elements
A SOC mission should be established to provide insight into the reason for existence of the SOC
A vision should be created to determine long-term goals for the SOC
A strategy should be in place to show how to meet goals and targets set by mission and vision
Service scope is documented to provide insight into SOC service delivery
The output provided by the SOC, for example: reports, incidents, investigations, advisories, etc.
Responsibilities of the SOC
Accountability for the SOC for actions taken
Operational hours of the SOC
All relevant stakeholders for the SOC
Objectives and goals should be concrete and measurable so that they are fit for reporting purposes
A statement of success is used to determine when the SOC is successful. Should be aligned with goals and objectives
Use this outcome as a guideline to determine the score for 3.1
Regularity should be matched to your own internal policy. At least yearly is recommended
Approval from the relevant stakeholders will aid in business support for SOC operations
Making stakeholders aware of the contents can help in
4 Governance
4.1 Does the SOC have a governance process in place?
4.2 Have all governance elements been identified?
4.3 Please specify identified governance elements
4.3.1 Business Alignment
4.3.2 Accountability
4.3.3 Sponsorship
4.3.4 Mandate
4.3.5 Relationships
4.3.6 Vendor Engagement
4.3.7 Service Commitment
4.3.8 Project / Program Management
4.3.9 Continual Improvement
4.3.10 Span of control / federation governance
4.3.11 Outsourced service management
4.3.12 SOC KPIs & Metrics
4.3.13 Customer Engagement / Satisfaction
Completeness
4.4 Is cost management in place?
4.5 Please specify cost management elements
4.5.1 People cost
4.5.2 Process cost
4.5.3 Technology cost
4.5.4 Services cost
4.5.5 Facility cost
4.5.6 Budget forecasting
4.5.7 Budget alignment
4.5.8 Return on investment
Completeness
4.6 Are all governance elements formally documented?
4.7 Is the governance process regularly reviewed?
4.8 Is the governance process aligned with all stakeholders?
4.9 Is the SOC regularly audited or subjected to external assessments?
Remarks
A governance process is required to determine the way the SOC should be managed
Possible governance elements can be found under 4.3
Costs associated with employees. Should be managed to prove FTE requirements to stakeholders
Cost associated with processes. Should be managed to ensure process elements can be delivered
Cost associated with technology. Should be managed to prove budget requirements for new technology or replacement
Cost associated with service delivery. Especially important for managed service providers to ensure a healthy business model
Cost associated with facilities used by the SOC
Forecasting of required budget over time. Should be aligned with business needs; increased spending must be justified
Alignment of budget with business requirements and drivers to ensure balanced spending on the SOC
Prove the return on investment to stakeholders to ensure continued budget allocation
Use this outcome as a guideline to determine the score for 4.4
Formal documentation should be signed off and stored in a quality management system
Regularity should be matched to your own internal policy. At least yearly is recommended
Alignment will help the SOC obtain required mandate, budget and management support
Frequency should be matched to your own internal policy. At least yearly is recommended
5 Privacy
5.1 Is a privacy policy regarding security monitoring of employees in place?
5.2 Does the SOC operate in compliance with all applicable privacy laws and regulations?
5.3 Does the SOC cooperate with legal departments regarding privacy matters?
5.4 Are specific procedures in place for dealing with privacy related investigations?
5.5 Is the SOC aware of all information that it processes and is subject to privacy regulations?
5.6 Is a Privacy Impact Assessment (PIA) regularly conducted?
1 Employees
1.1 How many FTEs are in your SOC?
1.2 Do you use external employees / contractors in your SOC?
1.2.1 If yes, specify the number of external FTEs
1.3 Does the current size of the SOC meet FTE requirements?
1.4 Does the SOC meet requirements for internal to external employee FTE ratio?
1.5 Does the SOC meet requirements for internal to external employee skillset?
1.6 Are all positions filled?
1.7 Do you have a recruitment process in place?
1.8 Do you have a talent acquisition process in place?
If you have no tiers, and you feel this is not a restriction, select importance 'None'
Consider the staffing levels (desired FTE count) as well as knowledge and experience for all roles
If you have no hierarchy, and you feel this is not a restriction, select importance 'None'
Possible documentation elements can be found under 2.7
3 People Management
3.1 Do you have a job rotation plan in place?
3.2 Do you have a career progression process in place?
3.3 Do you have a talent management process in place?
3.4 Do you have team diversity goals?
3.5 Do you perform a periodic evaluation of SOC employees?
3.6 Do you have a 'new hire' process in place?
3.7 Are all SOC employees subjected to screening?
3.8 Do you measure employee satisfaction for improving the SOC?
3.9 Are there regular 1-on-1 meetings between the SOC manager and the employees?
3.10 Do you perform regular teambuilding exercises?
4 Knowledge Management
4.1 Do you have a formal knowledge management process in place?
4.2 SOC skill matrix:
4.2.1 Does the skill matrix cover hard skills?
4.2.2 Does the skill matrix cover soft skills?
4.2.3 Is the skill matrix fully covered by current SOC personnel?
4.2.4 Is a skill assessment regularly carried out?
4.2.5 Are the results from skill assessments used for team and personal improvement?
4.2.6 Is the skill assessment process regularly updated with new skills?
4.3 SOC knowledge matrix:
4.3.1 Does the knowledge matrix cover all employees?
4.3.2 Does the knowledge matrix cover all relevant knowledge areas?
4.3.3 Is the knowledge matrix fully covered by current SOC personnel?
4.3.4 Is the knowledge matrix used to determine training and education needs?
4.3.5 Is the knowledge matrix regularly updated?
4.4 Do you regularly assess and revise the knowledge management process?
4.5 Is there effective tooling in place to support knowledge documentation and distribution?
Formal knowledge management helps to optimize knowledge creation and distribution
Remarks
A training program is used to ensure a minimal level of knowledge for employees
Training on the job can be done internally by senior employees or using external consultants
Product-specific training may be required for new technologies or complex solutions
e.g. training on internal policies
For example: security analysis training for the security analyst role
To complement hard skills, soft skills should be trained as well
Formal education may be university or university college degrees
Use this outcome as a guideline to determine the score for 5.1
A certification program is used to provide a demonstrable minimum level of knowledge and skills
Internal certifications may be in place to demonstrate knowledge of company processes and policies
Certification track with external certification organizations (e.g. ISACA, (ISC)2, SANS)
Permanent education (PE) may be part of the certification itself
Use this outcome as a guideline to determine the score for 5.3
e.g. certain training and certifications are required to grow from a junior level function to a more senior level function
i.e. a fixed percentage of the total SOC budget that is allocated for education and cannot be used for other purposes
This is an extension of education budget
Workshops are an informal way of distributing knowledge
Training and certification must be a relevant reflection of SOC knowledge and skill requirements
Process
1. Management
2. Operations and Facilities
3. Reporting
4. Use Case Management
1 Management
1.1 Is there a SOC management process in place?
1.2 Are SOC management elements formally identified and documented?
1.3 Please specify identified SOC management elements:
1.3.1 Internal relationship management
1.3.2 External relationship management
1.3.3 Vendor management
1.3.4 Continuous service improvement
1.3.5 Project methodology
1.3.6 Process documentation and diagrams
1.3.7 RACI matrix
1.3.8 Service Catalogue
1.3.9 Service on-boarding procedure
1.3.10 Service off-loading procedure
Completeness
1.4 Is the SOC management process regularly reviewed?
1.5 Is the SOC management process aligned with all stakeholders?
Remarks
A SOC management process is used to manage all aspects of SOC service delivery and quality
Possible SOC management elements can be found under 1.3
Are SOC services and procedures aligned and integrated with the organization's configuration management process?
Are SOC services and procedures aligned and integrated with the organization's change management process?
Are SOC services and procedures aligned and integrated with the organization's problem management process?
Are SOC services and procedures aligned and integrated with the organization's incident management process?
Are SOC services and procedures aligned and integrated with the organization's asset management process?
A dedicated physical location decreases likelihood of unauthorized access and provides confidentiality for security incident
Given the confidentiality of the SOC and the importance of monitoring, it is recommended to use a separate network
e.g. key cards (badges) for access with access logging
A video wall can be used to display the real-time security status and can be used for decision making as well as PR
Since communication and coordination are important features of a SOC, call-center capability may be required
e.g. multiple screen setup, virtual machines, etc.
The system should support different file types, authorizations and version management; possibly even encryption
e.g. a wiki space or SharePoint that allows collaboration and supports team efforts
3 Reporting
3.1 Do you regularly provide reports?
3.2 Are these reports tailored to the recipients?
3.3 Are the report contents approved by or reviewed by the recipients?
3.4 Do you have established reporting lines within the organization?
3.5 Do you regularly revise and update the report templates?
3.6 Do you have formal agreements with the recipients regarding reports?
3.7 Report types
3.7.1 Do you provide technical security reports?
3.7.2 Do you provide executive security reports?
3.7.3 Do you provide operational reports?
3.7.4 Do you provide incident reports?
3.7.5 Do you provide a newsletter or digest?
3.7.6 Do you provide KPI reports?
3.7.7 Do you provide trend reports?
3.7.8 Do you have real-time reporting dashboards available to SOC customers?
3.8 Metric types
3.8.1 Are quantitative metrics used in reports?
3.8.2 Are qualitative metrics used in reports?
3.8.3 Are incident & case metrics used in reports?
3.8.4 Are timing metrics used in reports?
3.8.5 Are metrics regarding SLAs used in reports?
3.9 Advisories
3.9.1 Do you provide advisories to the organization regarding threats and vulnerabilities?
3.9.2 Do you perform risk / impact assessments of these advisories?
3.9.3 Do you perform follow-up of these advisories?
[1] The MaGMa Use Case Framework is a framework and tool for use case management created by the Dutch
financial sector and can be obtained from the following location:
https://www.betaalvereniging.nl/en/safety/magma/
Answer Guidance
1 SIEM tooling
1.1 Accountability
1.1.1 Has functional ownership of the solution been formally assigned?
1.1.2 Has technical ownership of the solution been formally assigned?
1.2 Documentation
1.2.1 Has the solution been technically described?
1.2.2 Has the solution been functionally described?
1.3 Personnel & support
1.3.1 Is there dedicated personnel for support?
1.3.2 Is the personnel for support formally trained?
1.3.3 Is the personnel for support certified?
1.3.4 Is there a support contract for the solution?
1.4 Availability & Integrity
1.4.1 Is there high availability (HA) in place for the solution?
1.4.2 Is there data backup / replication in place for the solution?
1.4.3 Is there configuration backup / replication in place for the solution?
1.4.4 Is there a Disaster Recovery plan in place for this solution?
1.4.5 Is the Disaster Recovery plan regularly tested?
1.4.6 Is there a separate development / test environment for this solution?
1.5 Confidentiality
1.5.1 Is access to the solution limited to authorized personnel?
1.5.2 Are access rights regularly reviewed and revoked if required?
1.6 Specify which technological capabilities and artefacts are present:
1.6.1 Aggregation
1.6.2 Correlation
1.6.3 Custom parsing
1.6.4 Threat Intelligence integration
1.6.5 Subtle event detection
1.6.6 Automated alerting
1.6.7 Alert acknowledgement
1.6.8 Automated threat response
1.6.9 Multi-stage correlation
1.6.10 Pattern detection
1.6.11 Case management system
1.6.12 Asset management integration
1.6.13 Business context integration
1.6.14 Identity context integration
1.6.15 Asset context integration
1.6.16 Vulnerability context integration
1.6.17 Standard rules
1.6.18 Custom rules
1.6.19 Network model
1.6.20 Customized SIEM reports
1.6.21 Customized SIEM dashboards
1.6.22 Granular access control
1.6.23 Controlled and monitored maintenance / support
1.6.24 API Integration
1.6.25 Secure Event Transfer
1.6.26 Support for multiple event transfer technologies
Completeness (%)
Dedicated personnel should be in place to ensure that support is always available. Can also be staff with outsourced providers
Training helps to jump start new hires, and to learn a proper way of working with the tool
Certification demonstrates ability to handle the tooling properly
A support contract may cover on-site support, support availability, response times, escalation and full access to resources
The SIEM system will contain confidential information and information that possibly impacts employee privacy
Revocation is part of normal employee termination. Special emergency revocation should be in place for suspected misuse
2 IDPS Tooling
2.1 Accountability
2.1.1 Has functional ownership of the solution been formally assigned?
2.1.2 Has technical ownership of the solution been formally assigned?
2.2 Documentation
2.2.1 Has the solution been technically described?
2.2.2 Has the solution been functionally described?
2.3 Personnel & support
2.3.1 Is there dedicated personnel for support?
2.3.2 Is the personnel for support formally trained?
2.3.3 Is the personnel for support certified?
2.3.4 Is there a support contract for the solution?
2.4 Availability & Integrity
2.4.1 Is there high availability (HA) in place for the solution?
2.4.2 Is there data backup / replication in place for the solution?
2.4.3 Is there configuration backup / replication in place for the solution?
2.4.4 Is there a Disaster Recovery plan in place for this solution?
2.4.5 Is the Disaster Recovery plan regularly tested?
2.4.6 Is there a separate development / test environment for this solution?
2.5 Confidentiality
2.5.1 Is access to the solution limited to authorized personnel?
2.5.2 Are access rights regularly reviewed and revoked if required?
2.6 Specify which technological capabilities and artefacts are present:
2.6.1 Network-based intrusion detection
2.6.2 Host-based intrusion detection
2.6.3 File integrity checking
2.6.4 Application whitelisting
2.6.5 Honeypots
2.6.6 Custom signatures
2.6.7 Anomaly detection
2.6.8 Automated alerting
2.6.9 Central Management Console
2.6.10 Full Packet Capture for inbound / outbound internet traffic
2.6.11 Full Packet Capture for high-value internal network segments
2.6.12 Full Packet Capture for other internal networks
2.6.13 Granular access control
2.6.14 Controlled and monitored maintenance / support
2.6.15 SIEM integration
2.6.16 API integration
2.6.17 Threat Intelligence integration
Completeness (%)
Dedicated personnel should be in place to ensure that support is always available. Can also be staff with outsourced providers
Training helps to jump start new hires, and to learn a proper way of working with the tool
Certification demonstrates ability to handle the tooling properly
A support contract may cover on-site support, support availability, response times, escalation and full access to resources
A separate test environment allows for testing of new configurations before deployment in production
The IDPS system will contain confidential information and possibly information that impacts employee privacy
Revocation is part of normal employee termination. Special emergency revocation should be in place for suspected misuse
3.1 Accountability
3.1.1 Has functional ownership of the solution been formally assigned?
3.1.2 Has technical ownership of the solution been formally assigned?
3.2 Documentation
3.2.1 Has the solution been technically described?
3.2.2 Has the solution been functionally described?
3.3 Personnel & support
3.3.1 Is there dedicated personnel for support?
3.3.2 Is the personnel for support formally trained?
3.3.3 Is the personnel for support certified?
3.3.4 Is there a support contract for the solution?
3.4 Availability & Integrity
3.4.1 Is there high availability (HA) in place for the solution?
3.4.2 Is there data backup / replication in place for the solution?
3.4.3 Is there configuration backup / replication in place for the solution?
3.4.4 Is there a Disaster Recovery plan in place for this solution?
3.4.5 Is the Disaster Recovery plan regularly tested?
3.4.6 Is there a separate development / test environment for this solution?
3.5 Confidentiality
3.5.1 Is access to the solution limited to authorized personnel?
3.5.2 Are access rights regularly reviewed and revoked if required?
3.6 Specify which technological capabilities and artefacts are present:
3.6.1 Scalable analytics engine
3.6.2 Automated data normalization
3.6.3 Pattern-based analysis
3.6.4 Integration of security incident management
3.6.5 Integration of security monitoring
3.6.6 External threat intelligence integration
3.6.7 Advanced searching and querying
3.6.8 Data visualization techniques
3.6.9 Data drilldowns
3.6.10 Detailed audit trail of analyst activities
3.6.11 Historical activity detection
3.6.12 Structured data collection
3.6.13 Unstructured data collection
3.6.14 User baselines
3.6.15 Application baselines
3.6.16 Infrastructure baselines
3.6.17 Network baselines
3.6.18 System baselines
3.6.19 Central analysis console
3.6.20 Security data warehouse
3.6.21 Flexible data architecture
3.6.22 Granular access control
3.6.23 Controlled and monitored maintenance / support
3.6.24 API Integration
Completeness (%)
3.7 Specify any comments or remarks you feel are important to this part of the assessment
Answer Guidance
Remarks
Dedicated personnel should be in place to ensure that support is always available. Can also be staff with outsourced providers
Training helps to jump start new hires, and to learn a proper way of working with the tool
Certification demonstrates ability to handle the tooling properly
A support contract may cover on-site support, support availability, response times, escalation and full access to resources
A separate test environment allows for testing of new configurations before deployment in production
The analytics system will contain confidential information and information that possibly impacts employee privacy
Revocation is part of normal employee termination. Special emergency revocation should be in place for suspected misuse
4.1 Accountability
4.1.1 Has functional ownership of the solution been formally assigned?
4.1.2 Has technical ownership of the solution been formally assigned?
4.2 Documentation
4.2.1 Has the solution been technically described?
4.2.2 Has the solution been functionally described?
4.3 Personnel & support
4.3.1 Is there dedicated personnel for support?
4.3.2 Is the personnel for support formally trained?
4.3.3 Is the personnel for support certified?
4.3.4 Is there a support contract for the solution?
4.4 Availability & Integrity
4.4.1 Is there high availability (HA) in place for the solution?
4.4.2 Is there data backup / replication in place for the solution?
4.4.3 Is there configuration backup / replication in place for the solution?
4.4.4 Is there a Disaster Recovery plan in place for this solution?
4.4.5 Is the Disaster Recovery plan regularly tested?
4.4.6 Is there a separate development / test environment for this solution?
4.5 Confidentiality
4.5.1 Is access to the solution limited to authorized personnel?
4.5.2 Are access rights regularly reviewed and revoked if required?
4.6 Specify which technological capabilities and artefacts are present:
4.6.1 SIEM Integration
4.6.2 Threat intelligence integration
4.6.3 Asset management integration
4.6.4 User management integration
4.6.5 Vulnerability management integration
4.6.6 Historical event matching
4.6.7 Knowledge base integration
4.7 Specify any comments or remarks you feel are important to this part of the assessment
Answer Guidance
Remarks
A technical description of the automation & orchestration system components and configuration
A description of the automation & orchestration system functional configuration (workflows, integrations, etc.)
Dedicated personnel should be in place to ensure that support is always available. Can also be staff with outsourced providers
Training helps to jump start new hires, and to learn a proper way of working with the tool
Certification demonstrates ability to handle the tooling properly
A support contract may cover on-site support, support availability, response times, escalation and full access to resources
A separate test environment allows for testing of new configurations before deployment in production
The automation system may have automated actions that can impact the usage of systems and should be restricted
Revocation is part of normal employee termination. Special emergency revocation should be in place for suspected misuse
The automation & orchestration tool receives events from the SIEM system
Contextualize potential incidents using threat intelligence
Contextualize potential incidents using asset information
Contextualize potential incidents using user information
Contextualize potential incidents using vulnerability management information
Contextualize potential incidents using similar historical events
Automatically update the knowledge base using event information
Risk-based prioritization of security events using contextualized information
Automated remediation by blocking attackers on the firewall
Automated remediation by blocking attackers in the network
Automated remediation by blocking email senders
Automated remediation by quarantining malware and scanning end-points for malware threats
Automated delivery of malware samples to sandbox environments for extensive analysis
Automated locking and suspension of user accounts or revocation of access rights based on event outcome
Automated ticket creation and workflow support
Allows the principle of least privilege to be applied to the configuration of user accounts
Only trusted tools are used for maintenance; remote maintenance / support is monitored and controlled
Application of KPIs and metrics to ticket workflow
Support for runbooks that allow for automated decision making based on predefined parameters
Services
1. Security Monitoring
2. Security Incident Management
3. Security Analysis & Forensics
4. Threat Intelligence
5. Threat Hunting
6. Vulnerability Management
7. Log Management
1 Security Monitoring
Maturity
1.1 Have you formally described the security monitoring service?
1.2 Please specify elements of the security monitoring service document:
1.2.1 Key performance indicators
1.2.2 Quality indicators
1.2.3 Service dependencies
1.2.4 Service levels
1.2.5 Hours of operation
1.2.6 Service customers and stakeholders
1.2.7 Purpose
1.2.8 Service input / triggers
1.2.9 Service output / deliverables
1.2.10 Service activities
1.2.11 Service roles & responsibilities
Completeness
1.3 Is the service measured for quality?
1.4 Is the service measured for service delivery in accordance with service levels?
1.5 Are customers and/or stakeholders regularly updated about the service?
1.6 Is there a contractual agreement between the SOC and the customers?
1.7 Is sufficient personnel allocated to the process to ensure required service delivery?
1.8 Is the service aligned with other relevant processes?
1.9 Is there an incident resolution / service continuity process in place for this service?
1.10 Has a set of procedures been created for this service?
1.11 Are best practices applied to the service?
1.12 Are use cases used in the security monitoring service?
1.13 Is process data gathered for prediction of service performance?
1.14 Is the service continuously being improved based on improvement goals?
Capability
1.15 Please specify capabilities of the security monitoring service:
1.15.1 Early detection
1.15.2 Intrusion detection
1.15.3 Exfiltration detection
1.15.4 Subtle event detection
1.15.5 Malware detection
1.15.6 Anomaly detection
1.15.7 Real-time detection
1.15.8 Alerting & notification
1.15.9 Status monitoring
1.15.10 Perimeter monitoring
1.15.11 Host monitoring
1.15.12 Network & traffic monitoring
1.15.13 Access & usage monitoring
1.15.14 User monitoring
1.15.15 Application & service monitoring
1.15.16 Behavior monitoring
1.15.17 Database monitoring
1.15.18 Data loss monitoring
1.15.19 Device loss / theft monitoring
1.15.20 Third-party monitoring
1.16 Specify any comments or remarks you feel are important to this part of the assessment
Maturity
2.1 Have you adopted a maturity assessment methodology for Security Incident Management?
2.1.1 If yes, please specify the methodology
2.1.2 If yes, please specify the maturity level (can have up to 2 digits)
If yes, skip directly to 2.7
2.2 Have you adopted a standard for the Security Incident Management process?
2.3 Have you formally described the security incident management process?
2.4 Please specify elements of the security incident management document:
2.4.1 Security incident definition
2.4.2 Service levels
2.4.3 Workflow
2.4.4 Decision tree
2.4.5 Hours of operation
2.4.6 Service customers and stakeholders
2.4.7 Purpose
2.4.8 Service input / triggers
2.4.9 Service output / deliverables
2.4.10 Service activities
2.4.11 Service roles & responsibilities
Completeness
2.5 Is the service measured for quality?
2.6 Is the service measured for service delivery in accordance with service levels?
2.7 Are customers and/or stakeholders regularly updated about the service?
2.8 Is there a contractual agreement between the SOC and the customers?
2.9 Is sufficient personnel allocated to the process to ensure required service delivery?
2.10 Is the service aligned with other relevant processes?
2.11 Is the incident response team authorized to perform (invasive) actions when required?
2.12 Are best practices applied to the service?
2.13 Is the service supported by predefined workflows or scenarios?
2.14 Is process data gathered for prediction of service performance?
2.15 Is the service continuously being improved based on improvement goals?
Capability
2.16 Please specify capabilities and artefacts of the security incident management service:
2.16.1 Incident logging procedure
2.16.2 Incident resolution procedure
2.16.3 Incident investigation procedure
2.16.4 Escalation procedure
2.16.5 Evidence collection procedure
2.16.6 Password change procedure
2.16.7 IR Training
2.16.8 Table-top exercises
2.16.9 Red team / blue team exercises
2.16.10 RACI matrix
2.16.11 Response authorization
2.16.12 Incident template
2.16.13 Incident tracking system
2.16.14 False-positive reduction
2.16.15 Priority assignment
2.16.16 Severity assignment
2.16.17 Categorization
2.16.18 Critical bridge
2.16.19 War room
2.16.20 Communication plan & email templates
2.16.21 Backup communication technology
2.16.22 Secure communication channels
2.16.23 (dedicated) information sharing platform
2.16.24 Change management integration
2.16.25 Malware extraction & analysis
2.16.26 On-site incident response
2.16.27 Remote incident response
2.16.28 Third-party escalation
2.16.29 Evaluation template
2.16.30 Reporting template
2.16.31 Incident closure
2.16.32 Lessons learned extraction for process improvement
Completeness (%)
2.17 Specify any comments or remarks you feel are important to this part of the assessment
Maturity
3.1 Have you formally described the security analysis & forensics service?
3.2 Please specify elements of the security analysis service document:
3.2.1 Key performance indicators
3.2.2 Quality indicators
3.2.3 Service dependencies
3.2.4 Service levels
3.2.5 Hours of operation
3.2.6 Service customers and stakeholders
3.2.7 Purpose
3.2.8 Service input / triggers
3.2.9 Service output / deliverables
3.2.10 Service activities
3.2.11 Service roles & responsibilities
Completeness
3.3 Is the service measured for quality?
3.4 Is the service measured for service delivery in accordance with service levels?
3.5 Are customers and/or stakeholders regularly updated about the service?
3.6 Is there a contractual agreement between the SOC and the customers?
3.7 Is sufficient personnel allocated to the process to ensure required service delivery?
3.8 Is the service aligned with other relevant processes?
3.9 Is there an incident resolution / service continuity process in place for this service?
3.10 Has a set of procedures been created for this service?
3.11 Are best practices applied to the service?
3.12 Is the service supported by predefined workflows or scenarios?
3.13 Is process data gathered for prediction of service performance?
3.14 Is the service continuously being improved based on improvement goals?
Capability
3.15 Please specify capabilities and artefacts of the security analysis process:
3.15.1 Event analysis
3.15.2 Event analysis toolkit
3.15.3 Trend analysis
3.15.4 Incident analysis
3.15.5 Visual analysis
3.15.6 Static malware analysis
3.15.7 Dynamic malware analysis
3.15.8 Tradecraft analysis
3.15.9 Historic analysis
3.15.10 Network analysis
3.15.11 Memory analysis
3.15.12 Mobile device analysis
3.15.13 Volatile information collection
3.15.14 Remote evidence collection
3.15.15 Forensic hardware toolkit
3.15.16 Forensic analysis software toolkit
3.15.17 Dedicated analysis workstations
3.15.18 Security analysis & forensics handbook
3.15.19 Security analysis & forensics workflows
3.15.20 Case management system
3.15.21 Report templates
3.15.22 Evidence seizure procedure
3.15.23 Evidence transport procedure
3.15.24 Chain of custody preservation procedure
Completeness (%)
3.16 Specify any comments or remarks you feel are important to this part of the assessment
[Answer / CMMI level column for the rows above, emitted separately by extraction: CMMI level 2 (x6), CMMI level 3 (x5), Incomplete (document completeness), CMMI level 2 (x5), CMMI level 3 (x5), CMMI level 4, CMMI level 5, 0 (completeness %); per-row alignment not recoverable]
Guidance
Remarks
4 Threat Intelligence
Maturity
4.1 Have you formally described the threat intelligence service?
4.2 Please specify elements of the threat intelligence service document:
4.2.1 Key performance indicators
4.2.2 Quality indicators
4.2.3 Service dependencies
4.2.4 Service levels
4.2.5 Hours of operation
4.2.6 Service customers and stakeholders
4.2.7 Purpose
4.2.8 Service input / triggers
4.2.9 Service output / deliverables
4.2.10 Service activities
4.2.11 Service roles & responsibilities
Completeness
4.3 Is the service measured for quality?
4.4 Is the service measured for service delivery in accordance with service levels?
4.5 Are customers and/or stakeholders regularly updated about the service?
4.6 Is there a contractual agreement between the SOC and the customers?
4.7 Is sufficient personnel allocated to the process to ensure required service delivery?
4.8 Is the service aligned with other relevant processes?
4.9 Is there an incident resolution / service continuity process in place for this service?
4.10 Has a set of procedures been created for this service?
4.11 Are best practices applied to the service?
4.12 Is process data gathered for prediction of service performance?
4.13 Is the service continuously being improved based on improvement goals?
Capability
4.14 Please specify capabilities and artefacts of the threat intelligence process:
4.14.1 Continuous intelligence gathering
4.14.2 Automated intelligence gathering & processing
4.14.3 Centralized collection & distribution
4.14.4 Intelligence collection from open / public sources
4.14.5 Intelligence collection from closed communities
4.14.6 Intelligence collection from intelligence provider
4.14.7 Intelligence collection from business partners
4.14.8 Intelligence collection from mailing lists
4.14.9 Intelligence collection from internal sources
4.14.10 Structured data analysis
4.14.11 Unstructured data analysis
4.14.12 Past incident analysis
4.14.13 Trend analysis
4.14.14 Automated alerting
4.14.15 Adversary movement tracking
4.14.16 Attacker identification
4.14.17 Threat identification
4.14.18 Threat prediction
4.14.19 TTP extraction
4.14.20 Deduplication
4.14.21 Enrichment
4.14.22 Contextualization
4.14.23 Prioritization
4.14.24 Threat intelligence reporting
4.14.25 Forecasting
4.14.26 Sharing within the company
4.14.27 Sharing with the industry
4.14.28 Sharing outside the industry
4.14.29 Sharing in standardized format (e.g. STIX)
Completeness (%)
4.15 Specify any comments or remarks you feel are important to this part of the assessment
[Answer / CMMI level column for the rows above, emitted separately by extraction: CMMI level 2 (x6), CMMI level 3 (x5), Incomplete (document completeness), CMMI level 2 (x5), CMMI level 3 (x4), CMMI level 4, CMMI level 5, 0 (completeness %); per-row alignment not recoverable]
Guidance
Remarks
5 Threat Hunting
Maturity
5.1 Do you use a standardized threat hunting approach?
5.2 Have you formally described the threat hunting service?
5.3 Please specify elements of the threat hunting service document:
5.3.1 Key performance indicators
5.3.2 Quality indicators
5.3.3 Service dependencies
5.3.4 Service levels
5.3.5 Hours of operation
5.3.6 Service customers and stakeholders
5.3.7 Purpose
5.3.8 Service input / triggers
5.3.9 Service output / deliverables
5.3.10 Service activities
5.3.11 Service roles & responsibilities
Completeness
5.4 Is the service measured for quality?
5.5 Is the service measured for service delivery in accordance with service levels?
5.6 Are customers and/or stakeholders regularly updated about the service?
5.7 Is there a contractual agreement between the SOC and the customers?
5.8 Is sufficient personnel allocated to the process to ensure required service delivery?
5.9 Is the service aligned with other relevant processes?
5.10 Is there an incident resolution / service continuity process in place for this service?
5.11 Has a set of procedures been created for this service?
5.12 Are best practices applied to the service?
5.13 Is process data gathered for prediction of service performance?
5.14 Is the service continuously being improved based on improvement goals?
Capability
5.15 Please specify capabilities and artefacts of the threat hunting process:
5.15.1 Hash value hunting
5.15.2 IP address hunting
5.15.3 Domain name hunting
5.15.4 Network artefact hunting
5.15.5 Host-based artefact hunting
5.15.6 Adversary tools hunting
5.15.7 Adversary TTP hunting
5.15.8 Inbound threat hunting
5.15.9 Outbound threat hunting
5.15.10 Internal threat hunting
5.15.11 Outlier detection
5.15.12 Hunting coverage
5.15.13 Leveraging of existing tooling
5.15.14 Custom hunting scripts and tools
5.15.15 Dedicated hunting platform
5.15.16 Continuous hunting data collection
5.15.17 Historic hunting
5.15.18 Automated hunting
5.15.19 Hunt alerting
5.15.20 Vulnerability information integration
5.15.21 Threat intelligence integration
Completeness (%)
5.16 Specify any comments or remarks you feel are important to this part of the assessment
[Answer / CMMI level column for the rows above, emitted separately by extraction: CMMI level 2 (x6), CMMI level 3 (x5), Incomplete (document completeness), CMMI level 2 (x5), CMMI level 3 (x4), CMMI level 4, CMMI level 5, 0 (completeness %); per-row alignment not recoverable]
Guidance
5.1: Given the fact that little public information is available, this can also be an internally developed approach
5.2: A service description should be in place
Remarks
6 Vulnerability Management
Maturity
6.1 Have you formally described the vulnerability management service?
6.2 Please specify elements of the vulnerability management service document:
6.2.1 Key performance indicators
6.2.2 Quality indicators
6.2.3 Service dependencies
6.2.4 Service levels
6.2.5 Hours of operation
6.2.6 Service customers and stakeholders
6.2.7 Purpose
6.2.8 Service input / triggers
6.2.9 Service output / deliverables
6.2.10 Service activities
6.2.11 Service roles & responsibilities
Completeness
6.3 Is the service measured for quality?
6.4 Is the service measured for service delivery in accordance with service levels?
6.5 Are customers and/or stakeholders regularly updated about the service?
6.6 Is there a contractual agreement between the SOC and the customers?
6.7 Is sufficient personnel allocated to the process to ensure required service delivery?
6.8 Is the service aligned with other relevant processes?
6.9 Is there an incident resolution / service continuity process in place for this service?
6.10 Has a set of procedures been created for this service?
6.11 Are best practices applied to the service?
6.12 Is process data gathered for prediction of service performance?
6.13 Is the service continuously being improved based on improvement goals?
Capability
6.14 Please specify capabilities and artefacts of the vulnerability management process:
6.14.1 Network mapping
6.14.2 Vulnerability identification
6.14.3 Risk identification
6.14.4 Risk acceptance
6.14.5 Security baseline scanning
6.14.6 Authenticated scanning
6.14.7 Incident management integration
6.14.8 Asset management integration
6.14.9 Configuration management integration
6.14.10 Patch management integration
6.14.11 Trend identification
6.14.12 Enterprise vulnerability repository
6.14.13 Enterprise application inventory
6.14.14 Vulnerability Management procedures
6.14.15 Scanning policy tuning
6.14.16 Detailed Vulnerability Reporting
6.14.17 Management Reporting
6.14.18 Scheduled scanning
6.14.19 Ad-hoc specific scanning
Completeness (%)
6.15 Specify any comments or remarks you feel are important to this part of the assessment
[Answer / CMMI level column for the rows above, emitted separately by extraction: CMMI level 2 (x6), CMMI level 3 (x5), Incomplete (document completeness), CMMI level 2 (x5), CMMI level 3 (x4), CMMI level 4, CMMI level 5, 0 (completeness %); per-row alignment not recoverable]
Guidance
Remarks
7 Log Management
Maturity
7.1 Have you formally described the log management service?
7.2 Please specify elements of the log management service document:
7.2.1 Key performance indicators
7.2.2 Quality indicators
7.2.3 Service dependencies
7.2.4 Service levels
7.2.5 Hours of operation
7.2.6 Service customers and stakeholders
7.2.7 Purpose
7.2.8 Service input / triggers
7.2.9 Service output / deliverables
7.2.10 Service activities
7.2.11 Service roles & responsibilities
Completeness
7.3 Is the service measured for quality?
7.4 Is the service measured for service delivery in accordance with service levels?
7.5 Are customers and/or stakeholders regularly updated about the service?
7.6 Is there a contractual agreement between the SOC and the customers?
7.7 Is sufficient personnel allocated to the process to ensure required service delivery?
7.8 Is the service aligned with other relevant processes?
7.9 Is there an incident resolution / service continuity process in place for this service?
7.10 Has a set of procedures been created for this service?
7.11 Are best practices applied to the service?
7.12 Is process data gathered for prediction of service performance?
7.13 Is the service continuously being improved based on improvement goals?
Capability
7.14 Please specify capabilities and artefacts of the log management process:
7.14.1 End-point log collection
7.14.2 Application log collection
7.14.3 Database log collection
7.14.4 Network flow data collection
7.14.5 Network device log collection
7.14.6 Security device log collection
7.14.7 Centralized aggregation and storage
7.14.8 Multiple retention periods
7.14.9 Secure log transfer
7.14.10 Support for multiple log formats
7.14.11 Support for multiple transfer techniques
7.14.12 Data normalization
7.14.13 Log searching and filtering
7.14.14 Alerting
7.14.15 Reporting and dashboards
7.14.16 Log tampering detection
7.14.17 Log collection policy
7.14.18 Logging policy
7.14.19 Data retention policy
7.14.20 Privacy and Sensitive data handling policy
Completeness (%)
7.15 Specify any comments or remarks you feel are important to this part of the assessment
[Answer / CMMI level column for the rows above, emitted separately by extraction: CMMI level 2 (x6), CMMI level 3 (x5), Incomplete (document completeness), CMMI level 2 (x5), CMMI level 3 (x4), CMMI level 4, CMMI level 5, 0 (completeness %); per-row alignment not recoverable]
Remarks
[Result tables and charts; only labels, legend entries and axis ticks survived extraction]
Applicability table: rows of the form "1 N/A N/A", "0 Yes" and "1 0 1"; row labels lost
Radar charts per domain, axis 0 to 5 in steps of 0.5, series M (Maturity score) and C (Capability score):
Business: 1. Business Drivers, 2. Customers, 4. Governance, 5. Privacy
People: 1. Employees, 2. Roles and Hierarchy, 3. People Management, 4. Knowledge Management, 5. Training and Education
Process / Technology (labels interleaved in extraction): 1. Management, 1. SIEM tooling, 2. IDPS tooling, 3. Reporting, 4. Use Case Management
Services: 1. Security Monitoring, 2. Security Incident Management, 3. Security Analysis & Forensics, 4. Threat Intelligence, 5. Threat Hunting, 6. Vulnerability Management, 7. Log Management
Summary charts: Maturity score and Capability score per domain (Business, People, Process, Technology, Services)
NIST CSF mapping charts (Maturity score / Capability score per category, axis 0 to 5):
Identify: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV)
Protect: Access Control (PR.AC), Maintenance (PR.MA), Protective Technology (PR.PT)
Detect: Anomalies and Events (DE.AE), (DE.CM), Detection P[...]
Respond: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI)
Recover: Communications (RC.CO)
Next steps
1. Next steps for improvement
Maturity improvement
With the SOC-CMM assessment completed, the next steps are to determine the areas to improve. This requires some analysis of the results. The results should be analysed top-down. First, determine which domains are scoring less than the target maturity level. Then, drill down into those domains using the graphs. If a target maturity level was not used, then the domains should be chosen that underperform in comparison to the other domains. The next step is to determine which aspects of those domains yield the lowest scores.
When the domains and the respective aspects that require improvement have been identified, detailed information [...] that need to be made. The sheets for those domains provide the detailed information that is required for improvement [...] the 'Usage' sheet to determine which of the individual elements is negatively contributing to the overall score. Those [...]
Improvement can be as simple as creating and maintaining the appropriate documentation or as complex as introducing [...]
SOC-CMM does not provide guidance on how to execute the improvement. This should be determined by internal ex[...]
Capability improvement
Capabilities apply to services and technologies and indicate how capable a service or technology is to reach its goal [...] be improved, the first question to ask is: which service or technology is negatively impacted the most by lack of capa[...] candidate for improvement.
Similar to maturity improvement, the detailed information is provided in the sheets for those domains. The elements that score the lowest are the elements that need to be addressed. It is recommended to search for groups of elements that perhaps have the same underlying reason (root cause) for underscoring. This way, improvement of capabilities can be optimised. A common root cause is lack of documentation and formalisation.
Comparison
When a second assessment is performed, the results should be compared to the previous assessment to determine the growth and evolution of the SOC. This includes both the high-level and the detailed information about the improvement. Use the result tables to determine the differences and then drill down to those specific parts of the assessment to see where actual improvement was made, and if this is in line with goals set for improvement.
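As an added example (not part of the SOC-CMM tool or its sheets), the following Python implements the top-down drill-down and the comparison step described above, using the answer scales the sheet defines (Detailed: 1 No to 5 Fully, 6 Not required; Yes/No: 1 No, 2 Yes, 3 Not required). Aggregating by plain averaging per aspect and per domain, the sample answers and the element identifiers are assumptions made for this example; SOC-CMM's own weighting is not reproduced.

```python
"""Top-down drill-down over SOC-CMM style results (added example, not the tool's own code).

Scales follow the sheet's answer options: Detailed = 1 No ... 5 Fully, 6 Not required;
Yes/No = 1 No, 2 Yes, 3 Not required. Averaging per aspect and per domain is an
assumption made for this example; the tool's own weighting is not reproduced.
"""
from statistics import mean

NOT_REQUIRED_DETAILED = 6  # Detailed scale: "Optional 6 Not required"
NOT_REQUIRED_YESNO = 3     # Yes/No scale: "optional 3 Not required"
YES = 2                    # Yes/No scale: "2 Yes"

# Constructed sample answers: domain -> aspect -> element -> Detailed answer.
# Identifiers mimic the sheet's numbering, but the values are invented for the example.
SAMPLE = {
    "Business": {
        "Business Drivers": {"B 1.1": 4, "B 1.2": 4, "B 1.3": 5},
        "Privacy": {"B 5.1": 3, "B 5.2": 4, "B 5.3": NOT_REQUIRED_DETAILED},
    },
    "Services": {
        "Threat Hunting": {"S 5.1": 1, "S 5.2": 2, "S 5.4": 1, "S 5.5": NOT_REQUIRED_DETAILED},
        "Log Management": {"S 7.1": 3, "S 7.3": 4},
    },
}


def aspect_score(answers):
    """Maturity of one aspect: mean of its Detailed answers, skipping Not required.
    Returns None when no element applies, so it never drags an average down."""
    applicable = [a for a in answers.values() if a != NOT_REQUIRED_DETAILED]
    return mean(applicable) if applicable else None


def domain_score(aspects):
    """Maturity of a domain: mean of its applicable aspect scores."""
    scores = [s for s in (aspect_score(a) for a in aspects.values()) if s is not None]
    return mean(scores) if scores else None


def capability_completeness(capabilities):
    """Percentage of applicable Yes/No capability items answered Yes."""
    applicable = [c for c in capabilities.values() if c != NOT_REQUIRED_YESNO]
    if not applicable:
        return None
    return 100.0 * sum(1 for c in applicable if c == YES) / len(applicable)


def improvement_candidates(assessment, target=None, worst_n=3):
    """The top-down analysis: pick domains below the target maturity level (or, when no
    target was set, below the cross-domain mean), then inside each the weakest aspect and
    its lowest-scoring elements, ordered worst first."""
    scores = {d: domain_score(a) for d, a in assessment.items()}
    scored = {d: s for d, s in scores.items() if s is not None}
    threshold = target if target is not None else mean(scored.values())
    result = {}
    for domain, score in sorted(scored.items(), key=lambda kv: kv[1]):
        if score >= threshold:
            continue
        aspects = assessment[domain]
        aspect_scores = {n: aspect_score(a) for n, a in aspects.items()}
        weakest = min((n for n, s in aspect_scores.items() if s is not None),
                      key=aspect_scores.get)
        elements = sorted(((e, v) for e, v in aspects[weakest].items()
                           if v != NOT_REQUIRED_DETAILED), key=lambda ev: ev[1])
        result[domain] = {
            "score": round(score, 2),
            "weakest_aspect": weakest,
            "lowest_elements": [e for e, _ in elements[:worst_n]],
        }
    return result


def compare(previous, current):
    """Per-domain maturity delta between two assessments (positive = improved)."""
    return {d: round(domain_score(current[d]) - domain_score(previous[d]), 2)
            for d in current if d in previous}


if __name__ == "__main__":
    for domain, detail in improvement_candidates(SAMPLE, target=3).items():
        print(domain, detail)
```

With the constructed answers and a target level of 3, only the Services domain (2.42) falls below target; its weakest aspect is Threat Hunting, and the two elements answered "No" come out first. Elements marked Not required are excluded from every average and from the candidate list, which is the main pitfall when scoring this kind of sheet by hand.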
SOC-CMM - Business Domain
Answer lookup (one block per question: the current answer, then the option scale 1 to 5)
B1 - Business Drivers: B 1.1, B 1.2, B 1.3, B 1.4, B 1.5 (answer 0; options 1, 2, 3, 4, 5)
B2 - Customers: B 2.1, B 2.3, B 2.4, B 2.5, B 2.6, B 2.7 (answer 0; options 1, 2, 3, 4, 5)
B3 - SOC Charter: B 3.1, B 3.3, B 3.4, B 3.5 (answer 0; options 1, 2, 3, 4, 5)
B4 - Governance: B 4.1, B 4.2, B 4.4, B 4.5, B 4.7, B 4.8, B 4.9 (answer 0; options 1, 2, 3, 4, 5)
B5 - Privacy: B 5.1, B 5.2, B 5.3, B 5.4, B 5.5, B 5.6 (answer 0; options 1, 2, 3, 4, 5)
S5 - Hunting: S 5.1, S 5.2, S 5.4, S 5.5, S 5.6, S 5.7, S 5.8, S 5.9, S 5.10, S 5.11, S 5.12, S 5.13, S 5.14 (answer 0; options 1, 2, 3, 4, 5); S 5.15 with S 5.15.1 to S 5.15.20 (no answer recorded)
S 7.14 with S 7.14.1 to S 7.14.20 (answer 0 each)
For backwards compatibility, add any guidance implemented after version 1.0 hereafter
SOC-CMM - Business Domain
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of business drivers
Single document, full description of business drivers
Document completed, approved and formally published
No documentation in place
Some ad-hoc information across documents
Basic documentation of SOC customers
Single document, full description of SOC customers
Document completed, approved and formally published
No policy is in place
Information regarding privacy is scattered across documents
A policy exists, but has not been accepted formally
A formal policy exists, its contents are known to all employees
A formal policy exists, its contents are accepted by all employees
There are either way too few or too many external employees
There are too few or too many external employees
The SOC has somewhat too many or too few external employees
The SOC mostly meets requirements for external employee FTE count
The external employee ratio meets all requirements
There are too many skills only present within the external employees
Some required skills are not present internally, and not transferred
Some required skills are not present internally, but being transferred
Most skills are covered with internal employees
All required skills are covered with internal employees as well
guidance
No hierarchy exists
A basic hierarchy exists, but is not fully operational
A basic hierarchy is in place and fully operational
A full hierarchy is in place, but not formalized
A full hierarchy is in place and formalized
No documentation in place
Some ad-hoc information across documents
Basic documentation of SOC roles
Single document, full description of SOC roles
Document completed, approved and formally published
No documentation in place
Some ad-hoc information across documents
Basic documentation of career progression for roles
Single document, full description of career progression for roles
Document completed, approved and formally published
guidance
No hierarchy exists
A plan covering some roles is in place, but not operational
A plan covering some roles is in place and operational
A plan covering all roles is in place, but not formalized
A plan covering all roles is in place and formalized
guidance
guidance
No time is allocated
Insufficient time is allocated for the team as a whole
Sufficient time is allocated for the team as a whole
Employees have sufficient time, but are not encouraged to attend training
Employees have sufficient time, and are encouraged to attend training
No documentation in place
Some ad-hoc information across documents
Basic documentation of business drivers
Single document, full description of business drivers
Document completed, approved and formally published
guidance
No dedicated network
Critical SOC components placed in separate network
Most SOC equipment in separate network, basic access controls in place
All SOC equipment in separate network, full access control in place
Dedicated SOC network in place, fully protected and monitored
No DMS in place
Documentation centralized on file shares
DMS in place, documentation updates not enforced
DMS in place, documentation updates and versions enforced
DMS in place, fully supporting SOC documentation requirements
No agreements exist
Informal agreements made, not applied structurally
Informal agreements made, applied structurally
Formal agreements exist, not measured
Formal agreements exist, metrics applied to reporting
importance
No documentation in place
Some ad-hoc information across documents
Basic documentation of business drivers
Single document, full description of business drivers
Document completed, approved and formally published
No traceability exists
Traceability is possible for some use cases, but requires manual effort
Traceability is possible for all use cases, but requires manual effort
Full traceability exists in documentation, not validated by stakeholders
Full traceability exists in documentation, validated by stakeholders
No traceability exists
Traceability is possible for some use cases, but requires manual effort
Traceability is possible for all use cases, but requires manual effort
Full traceability exists in documentation, not validated by stakeholders
Full traceability exists in documentation, validated by stakeholders
No documentation in place
Some ad-hoc information across documents
Basic documentation of the SIEM system in place
Single document, full technical description of SIEM system
Document completed, approved and formally published
No documentation in place
Some ad-hoc information across documents
Basic documentation of the SIEM system in place
Single document, full functional description of SIEM system
Document completed, approved and formally published
HA not in place
HA requirements identified, not implemented
Manual actions required for achieving redundancy
Fully automated HA in place, not aligned with business continuity plans
Fully automated HA in place, aligned with business continuity plans
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of the IDPS system in place
Single document, full technical description of IDPS system
Document completed, approved and formally published
No documentation in place
Some ad-hoc information across documents
Basic documentation of the IDPS system in place
Single document, full functional description of IDPS system
Document completed, approved and formally published
HA not in place
HA requirements identified, not implemented
Manual actions required for achieving redundancy
Fully automated HA in place, not aligned with business continuity plans
Fully automated HA in place, aligned with business continuity plans
No documentation in place
Some ad-hoc information across documents
Basic documentation of the analytics system in place
Single document, full technical description of analytics system
Document completed, approved and formally published
No documentation in place
Some ad-hoc information across documents
Basic documentation of the analytics system in place
Single document, full functional description of analytics system
Document completed, approved and formally published
HA not in place
HA requirements identified, not implemented
Manual actions required for achieving redundancy
Fully automated HA in place, not aligned with business continuity plans
Fully automated HA in place, aligned with business continuity plans
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of the analytics system in place
Single document, full functional description of analytics system
Document completed, approved and formally published
HA not in place
HA requirements identified, not implemented
Manual actions required for achieving redundancy
Fully automated HA in place, not aligned with business continuity plans
Fully automated HA in place, aligned with business continuity plans
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No mandate
Mandate requested in ad-hoc fashion during incident response
Mandate informally given, not supported by all stakeholders
Mandate given and supported by all stakeholders, not formalized
Full mandate, formally documented, approved and published
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
guidance
No documentation in place
Some ad-hoc information across documents
Basic documentation of service in place
Single document, full description of service
Document completed, approved and formally published
Service not measured for quality
Metrics defined, applied in an ad-hoc fashion
Metrics defined, applied in a structured but informal fashion
Metrics formalized and used in regular reports
Formal and approved metrics in place, feedback used for improvement
No personnel allocated
Personnel allocated, but not sufficient for required service delivery
Personnel allocated, not dedicated for this service
Sufficient dedicated personnel available, not fully trained and capable
Sufficient dedicated personnel available, trained and fully capable
No procedures in place
Basic procedures in place, used in an ad-hoc fashion
All procedures in place, operational but not used structurally
Procedures in place, operational and used structurally
Procedures in place, formally published and fully operationalized
Best practices not applied
Best practices identified, but not applied
Best practices applied, but not structurally
Best practices applied to service architecture and service delivery
Best practices applied and adherence checked regularly
[Scoring sheet residue; row labels lost in extraction]
Answer-count blocks per domain (cell values 0 to 44), each block closed by a "0 1 SUM" row and each domain by a Total row: "0 5 0 Total", "0 6 0 Total", "0 3 0 Total", "0 5 0 Total", "0 0 0 Total"
Capability table, columns: Subcategory capability | Subcategory MIN capability | Subcategory TOTAL capability | Subcategory MAX capability | Category capability
Each row holds the number of capability items, a MIN of 0, a TOTAL of 0 (no answers recorded) and a MAX of 5 x the item count (e.g. "1 0 5", "13 0 65", "44 0 220"); category summary rows carry a trailing Category capability of 0
Category applicability / Function capability columns: applicability flags of 1 per category and per-function pairs "3 0", "6 0", "3 0", "5 0", "0 0"
question type: answer options
Yes/No: 1 No, 2 Yes; optional: 3 Not required
Detailed: 1 No, 2 Partially, 3 Averagely, 4 Mostly, 5 Fully; optional: 6 Not required
Completeness: 1 Incomplete, 2 Partially complete, 3 Averagely complete, 4 Mostly complete, 5 Fully complete
Importance: 1 None, 2 Low, 3 Normal, 4 High, 5 Critical
Weighing: 1 x1, 2 x2, 3 x3, 4 x4, 5 x5
Occurrence: 1 Never, 2 Sometimes, 3 Averagely, 4 Mostly, 5 Always
Satisfaction: 1 No, 2 Somewhat, 3 Averagely, 4 Mostly, 5 Fully
Charter document completeness (score to rating)
11: Incomplete
12 to 14: Partially complete
15 to 18: Averagely complete
19 to 21: Mostly complete
22: Fully complete