02-21-2022, 06:16 AM
Additionally, one can think of the SOC's Charter as a Mandate from "above", which is represented by a Responsibility (what they are tasked to take care of / to do / to be accountable for) and an Authority (what they are allowed/authorised to do).
Sometimes there might be a mismatch: accountability is bigger than the authority required to fulfil the responsibilities, or the resources provided are insufficient, so there might be a conflict. In my experience, such situations happen most often due to a lack of precise definitions/clarity in the mandate/charter, or in the strategy/roadmap for how to reach fulfilment/full coverage of the Mandate/Charter (when resources are lacking).
I see the objective of this part of the SOC-CMM as identifying whether this area is clear: that the Charter/Mandate is defined and understood, and that the responsibilities are manageable, i.e. the SOC is enabled.
Additional reading might be helpful: https://www.enisa.europa.eu/publications/how-to-set-up-csirt-and-soc (disclosure: I was part of the development team).
Regards,
Vilius Benetis