23 May 2013, 00:47
Just sharing my thoughts and experience here... hope that will help some folks.
The main missions of the SOC are the headings below.
Watch:
- External:
  - Technology watch: new software, new operating systems, new languages, new protocol specifications
  - Security watch: new attacks, new threats, what to expect, new tools
  - Legal watch: what not to do, how to do things, copyright/trademark counterfeit issues, PII, jus soli issues, regulations
- Internal:
  - Software and hardware inventory updates and improvements
  - Security instructions: patch deployment requests (can be linked to the RFC process)
  - Delivery of security training and education
Incident Response:
- Detection: from statistics, internal data capture (honeypots, network traces, etc.) and directly from security administrators' reports; correlation across these sources
- Case handling: supplying investigation instructions (on behalf of the internal control / police department), analysis and forensics
- Enforcement of the confidentiality loop
- Specific due care depending on whether the case goes to a court of law or stays a purely internal procedure (a choice to be made)
- Feedback to management and to the business
Security crisis:
- Alert VIPs/management when an incident is either production critical or concerns several internal entities (transverse)
- Security crisis management (operations, dispatch of roles and missions, coordination, reporting)
Reporting:
- AV/proxy/NIPS detection statistics
- Security fix deployment statistics
- Overall current trend of ongoing security incidents
- Status and summary of major security incidents
- User account activity report (password activity, provisioning summary)
- Cross-correlation of inventories: IP (network), AD, asset (park) management, IAM, etc.
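The inventory cross-correlation item above is the one reporting task that is easy to automate. The following is an added example (not code from the original post) that reconciles three constructed inventory exports, a network scan, the AD computer objects and the asset (park) management database, and reports the discrepancies a SOC would want in its monthly figures: devices seen on the network that nobody registered, objects on the books that never show up, and stale AD computer accounts. All hostnames, IPs and thresholds are made up for the example.

```python
"""Cross-correlate asset inventories (network scan, AD, asset DB).

Added example; all sample data below is constructed, not real inventory.
"""
from dataclasses import dataclass, field

# Constructed network scan export: hostname -> IP seen on the wire.
NETWORK_SCAN = {
    "ws-0012": "10.1.4.12",
    "ws-0013": "10.1.4.13",
    "srv-db01": "10.1.9.5",
    "rogue-ap": "10.1.4.250",  # never registered in AD or the asset DB
}

# Constructed AD computer export: hostname -> days since last logon.
AD_COMPUTERS = {
    "ws-0012": 1,
    "ws-0013": 2,
    "ws-0099": 240,  # stale object, the machine is long gone
    "srv-db01": 0,
}

# Constructed asset (park) management export: hostname -> registered owner.
ASSET_DB = {
    "ws-0012": "alice",
    "ws-0013": "bob",
    "srv-db01": "dba-team",
    "ws-0042": "carol",  # on the books, but not in AD and not on the network
}


@dataclass
class InventoryReport:
    """Discrepancies between the three inventories, as hostname sets."""
    unregistered_on_network: set = field(default_factory=set)  # seen, not in AD
    not_in_asset_db: set = field(default_factory=set)          # known to IT, not on the books
    stale_ad_objects: set = field(default_factory=set)         # AD object, no recent logon
    missing_from_network: set = field(default_factory=set)     # on the books, never seen


def correlate(network, ad, assets, stale_days=90):
    """Compare the three exports; hostnames are normalised to lower case."""
    net = {h.lower() for h in network}
    ad_hosts = {h.lower() for h in ad}
    asset_hosts = {h.lower() for h in assets}
    return InventoryReport(
        unregistered_on_network=net - ad_hosts,
        not_in_asset_db=(net | ad_hosts) - asset_hosts,
        stale_ad_objects={h.lower() for h, age in ad.items() if age > stale_days},
        missing_from_network=asset_hosts - net,
    )


def report_lines(report):
    """Render the report as the count-per-category lines used in a summary."""
    lines = []
    for name, hosts in vars(report).items():
        lines.append(f"{name}: {len(hosts)} ({', '.join(sorted(hosts)) or '-'})")
    return lines


if __name__ == "__main__":
    for line in report_lines(correlate(NETWORK_SCAN, AD_COMPUTERS, ASSET_DB)):
        print(line)
```

Each category maps to a follow-up owner: unregistered devices go to the network team and the incident process, stale AD objects to the directory administrators, and assets missing from the network to the asset manager, which is what makes the cross-correlation a reporting item rather than just a data exercise.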
Operational security support to projects:
- Assistance: help in understanding the current security policy, help in finding relevant solutions that comply with the security policy, help with risk assessment
- Make sure residual risks are assigned to the relevant management owner
- Supply of security best-practice documents: procedures, administration guides, etc.
Security policy exemption management:
- Analyse the need and the risk when a claimant cannot comply with the internal security policy
- Then raise the case to management so that they make the decision
- Ask management about situations that are not covered by the current internal security policy
Identity management support:
- Check that accounts are properly disabled, then deleted
- Check traceability capability, according to needs and policy compliance
- Monitor the deprovisioning of high privileges
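The three identity checks above (disabled then deleted, traceable, privileges removed) reduce to joining the HR leavers feed against a directory export. The following added example (not code from the original post) does that on constructed data: it flags leavers whose account is still enabled, disabled accounts kept past the retention window instead of being deleted, disabled accounts still sitting in a high-privilege group, and privileged accounts with no HR owner at all. The group names, users, dates and the 60-day retention window are assumptions made for the example.

```python
"""Deprovisioning checks: HR leavers feed joined against a directory export.

Added example; users, groups and dates are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Assumed names of the groups considered high privilege.
HIGH_PRIV_GROUPS = frozenset({"Domain Admins", "Backup Operators"})


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    disabled_since: Optional[date]  # None when the account is enabled
    groups: FrozenSet[str]


# Constructed HR feed: user -> leave date, None while still employed.
HR_FEED = {
    "alice": None,
    "bob": date(2013, 4, 1),
    "carol": date(2013, 2, 15),
    "dave": None,
}

# Constructed directory export.
ACCOUNTS = [
    Account("alice", True, None, frozenset({"Domain Admins"})),
    Account("bob", True, None, frozenset({"Staff"})),  # left, still enabled
    Account("carol", False, date(2013, 2, 16), frozenset({"Backup Operators"})),
    Account("dave", False, date(2013, 5, 1), frozenset()),  # disabled recently
    Account("svc-legacy", True, None, frozenset({"Domain Admins"})),  # no HR record
]

_NO_HR_RECORD = object()  # sentinel: user absent from the HR feed


def check_deprovisioning(hr, accounts, today, retention_days=60):
    """Return (user, finding) pairs for every lifecycle rule that is violated."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        leave = hr.get(acct.user, _NO_HR_RECORD)
        privileged = bool(acct.groups & HIGH_PRIV_GROUPS)

        if leave is _NO_HR_RECORD:
            if privileged:
                findings.append((acct.user, "privileged account with no HR owner"))
        elif leave is not None and leave <= today and acct.enabled:
            findings.append((acct.user, "left but account still enabled"))

        if not acct.enabled and acct.disabled_since is not None:
            if today - acct.disabled_since > timedelta(days=retention_days):
                findings.append((acct.user, "disabled past retention, not deleted"))

        if not acct.enabled and privileged:
            findings.append((acct.user, "disabled account still in privileged group"))
    return findings


if __name__ == "__main__":
    for user, finding in check_deprovisioning(HR_FEED, ACCOUNTS, date(2013, 5, 23)):
        print(f"{user}: {finding}")
```

The sentinel distinguishes "no HR record" from "employed" (the HR feed stores None for current staff), which is exactly the case service and legacy accounts fall into; treating an absent record as "still employed" would hide the privileged orphan account.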