Information Security Operations Center
Encyclopedia
An information security operations center (or ISOC, pronounced "eye-sock") is a location where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended. Large organizations may operate more than one ISOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. The term ISOC is normally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers.

ISOC staff monitor information systems for alarms and conditions to prevent, detect and manage cyber-attacks and other IT security incidents. They normally follow processes and procedures based on information security management and computer security incident management. They often employ tools such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems; application and database scanners; penetration testing tools; Intrusion Detection Systems (IDS); Intrusion Prevention Systems (IPS); log management systems and Security Information and Event Management (SIEM); network behavior analysis and Denial of Service monitoring; wireless intrusion prevention systems; firewalls, enterprise antivirus and Unified Threat Management (UTM).

For example, the ISOC scans applications and identifies security vulnerabilities and their potential business impact. The ISOC works with the application business owners and IT staff to ensure understanding and help them appropriately correct weaknesses before they are exploited. The ISOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have business impact. The ISOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported.
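The event-to-incident distinction and the incident lifecycle described above, as an added Python illustration that is not part of the original article; the asset inventory, the login-failure rule, the lifecycle stage names as a list, and the sample log lines are all constructed assumptions:

```python
from collections import defaultdict

# Constructed asset inventory (assumption): hostname -> business criticality, 1 low .. 3 high.
ASSET_CRITICALITY = {"web01": 3, "db01": 3, "kiosk07": 1}

# Constructed sample log lines (assumption), one event per line: "<host> <source_ip> <outcome>".
SAMPLE_LOG = """\
web01 203.0.113.5 login_failure
web01 203.0.113.5 login_failure
web01 203.0.113.5 login_failure
web01 203.0.113.5 login_success
kiosk07 198.51.100.9 login_failure
db01 192.0.2.77 login_success
"""

FAILURE_THRESHOLD = 3  # assumption: this many failures followed by a success looks like brute force

# Lifecycle stages as listed in the article text.
LIFECYCLE = ["identified", "analyzed", "communicated", "defended", "investigated", "reported"]


def parse_events(log_text):
    """Every log line is an event: a (host, source_ip, outcome) tuple."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def find_incidents(events):
    """Promote an event sequence to an incident only when it looks like a real, malicious threat:
    FAILURE_THRESHOLD failures from one source against one host, then a success from that source.
    Business impact is taken from the asset's criticality; unknown hosts default to low (1)."""
    failures = defaultdict(int)
    incidents = []
    for host, src, outcome in events:
        if outcome == "login_failure":
            failures[(host, src)] += 1
        elif outcome == "login_success" and failures[(host, src)] >= FAILURE_THRESHOLD:
            incidents.append({"host": host, "source": src, "status": "identified",
                              "impact": ASSET_CRITICALITY.get(host, 1)})
            failures[(host, src)] = 0  # reset so one burst yields one incident
    return incidents


def advance(incident):
    """Move the incident one stage along the lifecycle; 'reported' is terminal."""
    i = LIFECYCLE.index(incident["status"])
    incident["status"] = LIFECYCLE[min(i + 1, len(LIFECYCLE) - 1)]
    return incident["status"]


def triage(log_text=SAMPLE_LOG):
    """Parse, detect, and order incidents so the highest business impact is handled first."""
    return sorted(find_incidents(parse_events(log_text)), key=lambda inc: -inc["impact"])
```

Lone failures (kiosk07) and successes with no preceding failures (db01) stay plain events; only the web01 sequence becomes an incident.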

ISOC engineers and watch officers are seasoned information and communication systems professionals. They are usually trained in computer engineering, cryptography, network engineering, or computer science and are credentialed (e.g. Certified Information Systems Security Professional (CISSP) from (ISC)², GIAC from SANS, or Certified Information Security Manager (CISM) from ISACA).

ISOCs usually are well protected with physical, electronic, computer, and personnel security. Centers are often laid out with desks facing a video wall, which displays significant status, events and alarms, as well as ongoing incidents. A corner of the wall is sometimes used for showing a news or weather TV channel, as this can keep the ISOC staff aware of current events which may have an impact on information systems. The back wall of the ISOC is often transparent, with a room attached to this wall which is used by team members to meet while able to watch events unfolding in the ISOC. Individual desks are generally assigned to a specific group of systems, technology or geographic area. A security engineer or security technician may have several computer monitors on their desk, with the extra monitors used for monitoring the systems covered from that desk.

The ISOC and the Network Operations Center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure; its primary function is to ensure uninterrupted network service. The ISOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers, and other technologies.

Likewise, the ISOC and the physical Security Operations Center (SOC) coordinate and work together. The SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc.

In some cases the ISOC, NOC or SOC may be housed in the same facility or organizationally combined. Typically, larger organizations maintain a separate ISOC to ensure focus and expertise. The ISOC then collaborates closely with network operations and physical security operations.

See also

  • Central apparatus room
  • Data center
  • Network Operations Center (NOC)
  • Security Operations Center (SOC)
  • Master control

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 