There is an imbalance between technical issues and process aspects related to security information and event management (SIEM). This gap is the root cause of some skepticism with and disappointment in SIEM.
Be aware that before implementing SIEM, it is necessary to establish the basis of the information security management system (ISMS), which includes considering the global management commitment, asset inventory and categorization, and risk assessment.
The SIEM process consists of following 5-step cycle:
- SIEM policy establishment
- SIEM infrastructure provision
- Event treatment
This SIEM approach is based on the plan-do-check-act (PDCA) cycle. Consider the first step, “SIEM Policy Establishment.” Upper management should demonstrate a commitment to the ISMS, including SIEM, by ensuring the SIEM policy is established and is compatible with the business direction, context and risk approach. Usually, the chief information security officer (CISO) prepares this internal policy and obtains the approval of all stakeholders. This policy should be mapped with existing internal policies, such as defining detailed event lists into standard and baselines for servers and network tools.
The SIEM policy should contain these basic components:
- Purpose of the policy
- Scope of the SIEM infrastructure
- Responsibilities of involved individuals
The SIEM has become the core of an ISMS and security operation centers (SOC), but it is unwise to rely on just the technical aspects of SIEM. The SIEM policy is essential for ensuring effective SIEM within an ISMS. The time used for SIEM policy development is worthwhile; it will save effort in future steps.
Read Aleksandr Kuznetcov’s recent Journal article:
“Security Information and Event Management Policy,” ISACA Journal, volume 3, 2016.
Aleksandr Kuznetcov, CISM
[ISACA Journal Author Blog]