Guidance

Security operations and management: introduction

Published 22 June 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/security-operations-and-management-0

1. What is security operations and management?

‘Security operations and management’ is a collection of associated security activities that help to maintain the ongoing security posture of an organisation. It consists of the monitoring, maintenance and management of the security aspects of the IT estate, its people, and its processes.

It is also the home for two traditional aspects of security operations commonly known as ‘security monitoring’ and ‘security incident management’, as well as the relatively new aspect ‘situational awareness’.

It does not include the establishment of the security controls required during the building of the IT enterprise, although security operations and management aspects should be considered during the build process.

2. Centrally coordinating security operations

As organisations expand, security operations can split across IT systems, business services or support teams. This can lead to fragmented security operations and a localised approach to the consumption and dissemination of threat intelligence. For those organisations that are new to security operations and management (or who have a collection of isolated and uncoordinated services), centrally coordinating the people, processes and technology that make up the organisation’s security operations can realise business and security benefits.

However, centralisation should not be viewed as a panacea for all organisations (or for all services within an organisation). If there is a valid security operational business reason for decentralisation, then it should be accepted and designed into the overall solution. Where an organisation lacks the expertise, facilities, or is budget-constrained, then the procurement of a service from a Managed Security Service Provider (MSSP) may be a more cost effective option than building an in-house capability.

3. What services could be centrally coordinated?

Within a security operations and management framework, the following services could benefit from being centrally coordinated.

Service: Security monitoring
Description: The business processes and technologies that provide confidence that an organisation’s ICT systems are being used legitimately. This is achieved by:

* collecting and storing data from ICT systems and security devices
* analysing the data to identify unusual activity
* passing this activity to security incident management for resolution

Service: Security incident management
Description: The set of business processes and tools that resolve security incidents and aim to minimise any adverse impacts on the organisation. This service would also include forensic investigation, recovery and lessons-learnt activities.

Service: Situation awareness and threat intelligence
Description: The set of business processes that collate and analyse information to help inform security decisions and shape cyber defences. The information can be a combination of threat intelligence, alerts, advisories and good IA practice, and come from a range of sources (such as the Internet, vendors, GovCertUK and CERT UK).

Timely access to information is important to maintaining situation awareness, whilst the ability to make use of the available information requires specialist skills.

Service: Transaction monitoring
Description: The set of business processes and technologies that monitor online business transactions and generate alerts when unusual activity is identified. The timeliness of the unusual activity identification is usually important for these online business transactions.

Service: Security management
Description: The set of procedural and technical security services that an organisation decides must be managed in order to provide an overall security approach.

Service: Operational management
Description: The set of business processes, technologies and tools that make up ICT service management systems. Due to their central role and privileged access levels, effective management is critical.

4. Benefits of centrally coordinating security operations

Although there are certain limitations, centralising the detection, investigation and response to security events provides a range of business and security benefits. These benefits are summarised in this infographic.

5. Limitations of central coordination

A centrally coordinated security operation should not be established as a means to enforce security. The primary business and security drivers are to improve the visibility of the technical infrastructure, and to bring coherency to the organisation’s existing security operations. Creating centrally coordinated security operations within a poor information risk management culture will not solve the root problem, and will fail to deliver any tangible business benefits.

There are risks associated with centrally coordinating any service, and security operations is no different. A service may be overwhelmed, and has the potential to be a single point of failure. Ensuring clear, business-driven processes are in place, together with appropriate resourcing, will help to mitigate these risks.

6. Delivery of centrally coordinated security operations

Centrally coordinating security operations and management within your organisation is not trivial, and there may be significant business impact. A sound business case will need to be constructed that takes into account business needs and the organisation’s security strategy.

6.1 Questions the business case should answer

  • What business problems do you expect to resolve? (Which security operations and management services will be covered).
  • What is the most cost effective and appropriate service delivery model for your organisation?
  • Do you have an understanding of the setup and ongoing costs?
  • Will the service delivery model affect any existing third-party or partner relationships?
  • Are staffing problems (such as recruitment, redeployment, training requirements and redundancy) understood?
  • Are there any outsourcing issues?
  • What are your key operational assurance objectives, and can their delivery be improved?
  • Are there any sensitive aspects that would rule out a particular delivery model?
  • Will the service delivery model be able to monitor already provisioned infrastructure or services?
  • Are your requirements understood and can the service delivery model be tailored to meet those requirements?
  • Is timescale important in delivering a mature service and what are the risks in the interim?
  • How will you gain assurance in the service as a whole?
  • How will success be measured?

Crucially, the management of security operations must:

  • address the problems it is trying to solve
  • integrate into the wider organisational structure

Without these, the result will be poor security and failure to deliver the required business outcomes.

6.2 Choosing a service delivery model

Selecting the service delivery model that fits your organisation and delivers the required business and security outcomes is critical. Use our SWOT (strengths, weaknesses, opportunities, threats) analysis to consider the advantages and disadvantages of the three most common models, which comprise:

  • In-house service delivery, where the entire service is located within the boundaries of the business. The organisation retains total control of the infrastructure, data and resources.
  • Procured service delivery, where the organisation relies on contractual agreements, including service level agreements for delivering a complete set of services.
  • Hybrid service delivery, which is a combination of the in-house and procured. The organisation decides to retain some components of the service in-house, but contracts an MSSP to deliver the others.

Note that this analysis has focused on the security aspects of the models; as with any IT deployment, other aspects (such as cost, staffing and delivery) will need to be considered.