
How to assess the quality of a SOC? The SLA agreement

The implementation of the NIS2 Directive requirements into the Polish legal system is fast approaching. This is driving a surge in interest in Security Operations Center (SOC) services, with more companies considering outsourcing experts instead of building their own internal structures.

As with any form of external support, a well-known challenge arises: how to assess the quality of the services provided?

A SOC focuses on protecting a company’s network and its collected data. When partnering with an external service provider, the Service Level Agreement (SLA) becomes a crucial element. It ensures that the collaboration is effective, transparent and successful. The SLA defines the standards and expectations for the services provided by the SOC, giving clients confidence and security.

For companies and institutions utilizing an external SOC, the SLA is an essential tool for monitoring and evaluating service quality. It allows for the establishment of Key Performance Indicators (KPIs) that are measurable, verifiable and achievable. This gives clients the certainty that their digital security is in good hands.

The importance of the SLA for a SOC Operator

Companies providing SOC services also require documents like the SLA. They help systematize client expectations and give them an official form, ensuring both parties know which areas are covered by protection and to what extent, and which remain the client’s responsibility. The document specifies the severity levels of individual events and the circumstances under which SOC operators are not liable for outages or performance issues. These agreements describe service performance characteristics and define problem-solving methods, thus serving as the actual foundation of the partnership.

An effective SLA should include the following elements:

  • response time and level – a detailed specification of how quickly the SOC will take action for various types of security incidents;

  • service availability and reliability – ensuring the constant availability and reliability of SOC services;

  • escalation and communication procedures – clear rules regarding escalation processes and communication with clients during incidents;

  • regular reporting and performance evaluation – a commitment to providing regular reports on SOC activities and achieved results.

In the case of its SOC service, Perceptus guarantees compliance with SLA parameters, where “incident pickup time” is defined as the duration from the moment a SIEM system generates an alarm (or a client reports an incident) to the moment a Level 1 (L1) support analyst begins verification.
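A KPI such as “incident pickup time” is only verifiable if it is computed the same way by both parties. The following script, added here as an illustration and not Perceptus’s own tooling or contract values, takes a constructed SIEM alert log with the two timestamps named above (alarm generated, L1 verification started), compares each pickup time against hypothetical per-severity targets, and produces the per-severity compliance figures a client could reconcile against a monthly SOC report. Alerts that nobody has picked up yet are counted as “pending” while still within target and as breaches once the target has elapsed, so an open queue cannot hide a breach.

```python
"""Compute SLA 'incident pickup time' compliance from a SIEM alert log.

Added example. The SLA targets and the alert records below are assumed
(constructed) values, not figures from any real contract or SOC.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical pickup-time targets per severity (assumed, not a real SLA).
SLA_PICKUP_TARGETS: Dict[str, timedelta] = {
    "critical": timedelta(minutes=15),
    "high": timedelta(minutes=30),
    "medium": timedelta(hours=2),
    "low": timedelta(hours=8),
}

# Constructed alert log: raised_at = SIEM alarm (or client report),
# verification_started_at = L1 analyst began verification (empty = not yet).
ALERT_LOG = """\
alert_id,severity,raised_at,verification_started_at
A-1001,critical,2024-05-06T08:00:00,2024-05-06T08:09:00
A-1002,critical,2024-05-06T09:30:00,2024-05-06T09:50:00
A-1003,high,2024-05-06T10:00:00,2024-05-06T10:20:00
A-1004,medium,2024-05-06T11:00:00,
A-1005,low,2024-05-06T07:00:00,2024-05-06T12:00:00
"""

# Fixed "now" so the evaluation of open alerts is reproducible.
SAMPLE_NOW = datetime(2024, 5, 6, 12, 0, 0)


@dataclass
class AlertRecord:
    alert_id: str
    severity: str
    raised_at: datetime
    verification_started_at: Optional[datetime]


def parse_alert_log(text: str) -> List[AlertRecord]:
    """Parse the CSV log into records; an empty verification field means still open."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        started = row["verification_started_at"].strip()
        records.append(AlertRecord(
            alert_id=row["alert_id"].strip(),
            severity=row["severity"].strip().lower(),
            raised_at=datetime.fromisoformat(row["raised_at"].strip()),
            verification_started_at=datetime.fromisoformat(started) if started else None,
        ))
    return records


def classify(rec: AlertRecord, now: datetime) -> str:
    """Return 'met', 'breached' or 'pending' for one alert against its SLA target."""
    if rec.severity not in SLA_PICKUP_TARGETS:
        raise ValueError(f"{rec.alert_id}: severity {rec.severity!r} has no SLA target")
    target = SLA_PICKUP_TARGETS[rec.severity]
    if rec.verification_started_at is not None:
        return "met" if rec.verification_started_at - rec.raised_at <= target else "breached"
    # Not picked up yet: within target it is pending, past target it is already a breach.
    return "pending" if now - rec.raised_at <= target else "breached"


def sla_report(records: List[AlertRecord], now: datetime) -> Dict[str, dict]:
    """Aggregate met/breached/pending counts and compliance percentage per severity."""
    report = {sev: {"met": 0, "breached": 0, "pending": 0, "breach_ids": []}
              for sev in SLA_PICKUP_TARGETS}
    for rec in records:
        status = classify(rec, now)
        bucket = report[rec.severity]
        bucket[status] += 1
        if status == "breached":
            bucket["breach_ids"].append(rec.alert_id)
    for bucket in report.values():
        decided = bucket["met"] + bucket["breached"]  # pending alerts are excluded
        bucket["compliance_pct"] = round(100.0 * bucket["met"] / decided, 1) if decided else None
    return report


def overall_compliance(report: Dict[str, dict]) -> Optional[float]:
    """Compliance across all severities, over decided (met or breached) alerts only."""
    met = sum(b["met"] for b in report.values())
    decided = met + sum(b["breached"] for b in report.values())
    return round(100.0 * met / decided, 1) if decided else None


def demo_report() -> Dict[str, dict]:
    """Run the evaluation over the constructed log at SAMPLE_NOW."""
    return sla_report(parse_alert_log(ALERT_LOG), SAMPLE_NOW)


if __name__ == "__main__":
    rep = demo_report()
    for sev, b in rep.items():
        print(f"{sev:8s} met={b['met']} breached={b['breached']} pending={b['pending']} "
              f"compliance={b['compliance_pct']} breaches={b['breach_ids']}")
    print("overall:", overall_compliance(rep))
```

In the sample data one critical alert was picked up after 20 minutes against a 15-minute target, so the critical bucket reports 50% compliance and names A-1002 as the breach, while the open medium alert is reported as pending rather than silently counted as met. Reporting the breach identifiers alongside the percentage is what makes the KPI verifiable: the client can trace each figure back to specific alerts in the SIEM.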

Challenges in meeting SLA obligations

Managing a SOC service with guaranteed SLA parameters requires continuous monitoring and adaptation to changing client needs and security threats. Collaboration, clear communication, and regular reviews, configuration, and refinement of security tools are key to maintaining effectiveness. These are essential if the operator wishes to avoid liability for non-performance or improper performance of the service as defined in the contract.

Another challenge is mutual communication and information exchange between Perceptus L1 analysts and the client’s employees. In this context, appropriate procedures are invaluable.

Cybersecurity framework

For measures and actions taken to reduce the impact of, hinder, or stop an incident to be effective, they must follow proper procedures or a set of cybersecurity recommendations. These are set out in a cybersecurity framework, the most popular being the NIST Cybersecurity Framework and ISO 27001.

ISO 27001

The ISO 27001 standard is internationally recognized as one of the most effective ways to maintain information security. It contains detailed requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system.

Following an audit completed at the Perceptus headquarters, a certificate was granted confirming that our information security management system complies with the requirements of the PN-EN ISO/IEC 27001:2023 standard. This certification applies to the process of providing IT data security services within the Security Operations Center (SOC).

As the cyber-threat landscape evolves, SLAs must remain flexible and adapt to new challenges. Partnering with an external SOC is an effective strategy for companies aiming to bolster their digital security. The SLA forms the bedrock of this collaboration, guaranteeing high service standards, clarity of expectations, and continuous optimization of security processes. With a well-constructed Service Level Agreement, organizations can focus on their core business, confident that their digital security is in expert hands.
