Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Ticketing and Case Management

The SOC team is expected to track potential incidents reported by tools or people. A case must be created, assigned, and tracked until closure to ensure that the incident is properly managed. This activity should be backed up by both, having the right tools, authority, and integration with incident response and case management processes.

SIEM, vulnerability management, and other SOC tools should either support built-in local case management or preferably integrate with your existing IT ticketing system such as BMC Remedy or CA Service Desk Manager, for central management and reporting of trouble tickets. You should work with the help desk team to create new ticket categories with meaningful and relevant security incident ticket fields and attributers.

A key point to consider is that remediation for some events may require resources outside the SOC analysts for business or other technical support. This is why assigning responsibilities that are sponsored by the proper authority is critical for the success of case management. The Responsibility, Accountable, Consulted, and Informed (RACI) matrix can be used as a model for identifying roles and responsibilities during an organization change process. Table 2-4 represents an example RACI chart, where R = Responsible, A = Accountable, C = Consult, and I = Inform.

Table 2-4 RACI Matrix Example

Function

Project Sponsor

Business Analyst

Project Manager

Software Developer

Initiate project

C

AR

Establish project plan

I

C

AR

C

Gather user requirements

I

R

A

I

Develop technical requirements

I

R

A

I

Develop software tools

I

C

A

R

Test software

I

R

A

C

Deploy software

C

R

A

C

Typical steps to build a RACI matrix are as follows:

  • Step 1. Identify all the processes or activities known as functions on the left side of the matrix.
  • Step 2. List all the roles at the top of the matrix.
  • Step 3. Create values to reference, such as AR, C, I, and R, that will be assigned.
  • Step 4. Verify every process has an R and that there is only one R to avoid conflicts. If there must be more than one R, break up the function until there is only one R per function.

When multiple teams are involved, such as what could end up on your RACI matrix, collaboration between teams becomes mission critical. Let’s look at how the SOC can leverage collaboration technologies.

  • + Share This
  • 🔖 Save To Your Account