BluSapphire

RACI Matrix

Description of the RACI matrix in Annexure D

The RACI (Responsible, Accountable, Consulted, and Informed) matrix defines the roles and responsibilities between a Managed Security Services Provider (MSSP) and a Regulated Entity (RE) in a security operations context.

Understanding RACI Roles:

  • R (Responsible): The entity that performs the task.

  • A (Accountable): The entity that is ultimately answerable for the task and ensures it is completed.

  • C (Consulted): The entity that provides input, expertise, or recommendations before the task is completed.

  • I (Informed): The entity that receives updates on task progress or outcomes.

Sl.No | Capabilities / Activities                                                                   | MSSP | RE
------|---------------------------------------------------------------------------------------------|------|-----
1     | Service Delivery / Metrics / SLA Review & Reporting                                         | R, A | A
2     | Adherence to SLA                                                                            | R, A | R, A
3     | Provide a List of Log sources to be integrated with MSOC/EDR                                | C, I | R, A
4     | Log Baselining sharing                                                                      | R, A | C, I
5     | HLD document with details of the security solutions currently in place                     | C, I | R, A
6     | Technical issues and Troubleshooting of MSOC                                                | R, A | I
7     | Implementation and management of SIEM/Ticketing Tool                                        | R, A | I
8     | Storage and hardware required for log retention (6 Months online & 18 Months offline)       | R, A | R, A
9     | Role Matrix and Escalation Matrix                                                           | R, A | R, A
10    | Deploy necessary cybersecurity solutions as applicable to the RE environment as per SOW     | C, I | R, A
11    | Log Baseline implementation                                                                 | C, I | R, A
12    | Configuration Management, VAPT, Patch Management                                            | C, I | R, A
13    | SIEM/EDR Platform Administration                                                            | R, A | C, I
14    | Use Cases - Content Creation/Review/Modification                                            | R, A | C, I
15    | 24x7 SOC Monitoring & Alert Analysis                                                        | R, A | C, I
16    | Incident Detection                                                                          | R, A | C, I
17    | Incident severity & priority assignment                                                     | R, A | C, I
18    | Incident Notification                                                                       | R, A | C, I
19    | Incident Escalation                                                                         | R, A | C, I
20    | Incident response/investigation                                                             | C, I | R, A
21    | Incident Resolution                                                                         | C, I | R, A
22    | Forensics (If applicable)                                                                   | C, I | R, A
23    | Root Cause Analysis                                                                         | C, I | R, A
24    | Incident Review and Closure                                                                 | A, C | R
25    | Recovery of impacted Device/System/Process                                                  | C, I | R, A
26    | Restoration from Archival/Backup                                                            | C, I | R, A


Detailed Explanation of Each Capability/Activity in the RACI Matrix:

  1. Service Delivery / Metrics/ SLA Review & Reporting

    • MSSP (R, A): The MSSP is responsible and accountable for preparing reports, tracking SLA adherence, and presenting service metrics.

    • RE (A): The RE acknowledges and acts based on these reports.

  2. Adherence to SLA

    • MSSP (R, A): Ensures SLAs are met in service delivery.

    • RE (R, A): Ensures SLAs are adhered to from their end (e.g., timely approvals, responses).

  3. Provide a List of Log Sources to be Integrated with MSOC/EDR

    • MSSP (C, I): Consulted for recommendations and informed about updates.

    • RE (R, A): Responsible and accountable for providing the list.

  4. Log Baselining Sharing

    • MSSP (R, A): Responsible and accountable for providing baseline logs.

    • RE (C, I): Consulted to confirm if the shared baselines align with their security needs and informed about changes.

  5. HLD Document with Security Solutions Details

    • MSSP (C, I): Consulted for feedback and informed about security design.

    • RE (R, A): Responsible for providing a High-Level Design (HLD) document listing security solutions in place.

  6. Technical Issues and Troubleshooting of MSOC

    • MSSP (R, A): Responsible for addressing SOC-related technical issues.

    • RE (I): Informed about technical troubleshooting progress.

  7. Implementation and Management of SIEM/Ticketing Tool

    • MSSP (R, A): Responsible for configuring and managing SIEM/ticketing tools.

    • RE (I): Informed about the implementation and management.

  8. Storage and Hardware for Log Retention (6 Months Online & 18 Months Offline)

    • MSSP (R, A): Responsible for ensuring proper storage and retention policies.

    • RE (R, A): Responsible for providing necessary storage and managing compliance.

  9. Role Matrix and Escalation Matrix

    • MSSP (R, A): Responsible for defining escalation procedures.

    • RE (R, A): Ensures the escalation framework aligns with organizational processes.

  10. Deploy Cybersecurity Solutions as per SOW

    • MSSP (C, I): Consulted to ensure best practices in deployment.

    • RE (R, A): Responsible for deploying and maintaining security tools.

  11. Log Baseline Implementation

    • MSSP (C, I): Provides recommendations.

    • RE (R, A): Implements and maintains log baselines.

  12. Configuration Management, VAPT, Patch Management

    • MSSP (C, I): Consulted for security configurations and informed about vulnerabilities.

    • RE (R, A): Responsible for applying updates, patches, and security configurations.

  13. SIEM/EDR Platform Administration

    • MSSP (R, A): Responsible for SIEM/EDR administration.

    • RE (C, I): Consulted on policies and informed about major changes.

  14. Use Cases – Content Creation/Review/Modification

    • MSSP (R, A): Develops and refines SIEM/EDR use cases.

    • RE (C, I): Consulted for specific requirements and informed about updates.

  15. 24x7 SOC Monitoring & Alert Analysis

    • MSSP (R, A): Monitors security logs and analyzes alerts continuously.

    • RE (C, I): Consulted on critical alerts and informed about security trends.

  16. Incident Detection

    • MSSP (R, A): Responsible for identifying security incidents.

    • RE (C, I): Consulted on detection parameters and informed about incidents.

  17. Incident Severity & Priority Assignment

    • MSSP (R, A): Assigns severity and prioritization of incidents.

    • RE (C, I): Consulted to validate criticality and informed about assigned severity.

  18. Incident Notification

    • MSSP (R, A): Notifies relevant stakeholders about incidents.

    • RE (C, I): Consulted on escalation needs and informed about ongoing incidents.

  19. Incident Escalation

    • MSSP (R, A): Ensures incidents are escalated as per protocol.

    • RE (C, I): Consulted on escalations and informed about incident progress.

  20. Incident Response/Investigation

    • MSSP (C, I): Consulted to assist in response activities.

    • RE (R, A): Responsible for managing and executing incident response.

  21. Incident Resolution

    • MSSP (C, I): Assists in remediation strategies.

    • RE (R, A): Ensures incidents are fully remediated.

  22. Forensics (If Applicable)

    • MSSP (C, I): Provides forensic expertise if required.

    • RE (R, A): Conducts forensic investigation where necessary.

  23. Root Cause Analysis (RCA)

    • MSSP (C, I): Consulted for insights into root causes.

    • RE (R, A): Responsible for conducting RCA and implementing corrective actions.

  24. Incident Review and Closure

    • MSSP (A, C): Accountable for documentation and consulted for closure verification.

    • RE (R): Final decision-maker for incident closure.

  25. Recovery of Impacted Device/System/Process

    • MSSP (C, I): Provides guidance on recovery strategies.

    • RE (R, A): Ensures systems are restored.

  26. Restoration from Archival/Backup

    • MSSP (C, I): Consulted for guidance.

    • RE (R, A): Responsible for restoring data from backups.


Key Takeaways:

  1. MSSP’s Primary Responsibilities:

    • SOC operations, including monitoring, alert analysis, and incident detection.

    • SIEM/EDR administration, use case management, and SLA reporting.

    • Supporting the RE in investigations, forensics, and incident response.

  2. RE’s Primary Responsibilities:

    • Security governance and compliance with internal/external policies.

    • Deployment of security solutions, log baseline implementation, and patch management.

    • Leading the incident response and resolution process.

  3. Shared Responsibilities:

    • SLA adherence, log retention, escalation matrices, and incident handling.

This RACI matrix ensures clear accountability between the MSSP and the RE, promoting efficient SOC operations, compliance, and faster incident response.
