Governance frameworks and policy implementation for SOC operations
Security policies form the foundation of an organization's security posture. They define what is allowed, what is prohibited, and how security controls should be implemented. SOC analysts must understand these policies to accurately identify violations and respond appropriately.
The policy hierarchy, from highest to lowest:
- Policies: High-level statements of management intent. Example: "All systems must be protected from unauthorized access."
- Standards: Specific, mandatory requirements. Example: "Passwords must be at least 12 characters."
- Procedures: Step-by-step instructions. Example: "To reset a password, follow these steps..."
- Guidelines: Recommended best practices. Example: "Consider using a password manager."
SOC analysts must understand which regulations apply to their organization because violations trigger mandatory incident reporting:
| Regulation | Applies To | Key SOC Impact | Breach Notification |
|---|---|---|---|
| GDPR | Any org processing EU citizen data | Data breach = mandatory reporting, right to erasure affects evidence | 72 hours to supervisory authority |
| HIPAA | Healthcare providers, insurers, associates | PHI breaches require specific investigation procedures | 60 days for breaches >500 individuals |
| PCI DSS | Anyone handling credit card data | FIM required (Req 11.5), log monitoring (Req 10), IDS (Req 11.4) | Immediately to card brands + acquiring bank |
| SOX | Public companies (financial reporting) | Audit trail integrity, access control monitoring | Material weakness disclosure |
| FERPA | Educational institutions | Student record access monitoring | Varies by state |
As a SOC analyst, you are the policy enforcement point. When you see an alert, your first question should be: "Does this violate a policy?" Your escalation depends on the answer:
- Acceptable Use Policy violation (unauthorized software, inappropriate content, personal device on corporate network): escalate to HR, not the IR team. Document it, but don't treat it as a security incident unless it is malicious.
- Security policy violation (password sharing, unencrypted data transfer, unauthorized remote access): escalate to the security team and the user's manager. May require remediation actions (password reset, access revocation).
- Regulatory or compliance violation (PII/PHI exposure, PCI scope breach, audit log tampering): immediate escalation to the CISO and Legal. The clock starts ticking on mandatory notification. Preserve ALL evidence.
This topic extends the Security Governance Dashboard from Shield House, adding SOC-specific policy monitoring perspectives.
| Policy Type | Purpose | SOC Relevance |
|---|---|---|
| Acceptable Use Policy (AUP) | Defines appropriate use of IT resources | Alerts on policy violations (gambling, streaming, etc.) |
| Data Classification Policy | Categorizes data by sensitivity level | DLP alerts for sensitive data movement |
| Access Control Policy | Defines who can access what | Privilege escalation, unauthorized access alerts |
| Incident Response Policy | Procedures for handling security incidents | Defines SOC responsibilities and escalation paths |
| Change Management Policy | Controls modifications to systems | Unauthorized change detection |
| Password Policy | Requirements for authentication credentials | Weak password detection, policy enforcement |
- PCI DSS: Payment Card Industry Data Security Standard. Applies to anyone processing credit cards.
- HIPAA: Health Insurance Portability and Accountability Act. Protects medical information.
- GDPR: General Data Protection Regulation. EU data privacy requirements.
- SOX: Sarbanes-Oxley Act. Financial reporting controls for public companies.
Compliance is not security! An organization can be fully compliant yet still vulnerable. Policies set minimums - SOC analysts should detect threats beyond what policies define.
| Alert Type | Policy Violated | Response |
|---|---|---|
| USB storage connected | Removable media policy | Verify if authorized, escalate if not |
| VPN from unusual location | Remote access policy | Verify user, check for compromise indicators |
| Off-hours access to sensitive data | Data access policy | Context check - legitimate or suspicious? |
| Software installation | Change management policy | Check if approved, investigate if not |
| Large email attachment | Data handling policy | Check content classification, verify recipient |
Some users/systems have approved policy exceptions. SOC must maintain an exception list to avoid false positives.
Policy violations without approval should be investigated and escalated to policy owners.
Know Your Policies: Before your first shift, read the organization's key security policies. Understanding what's "normal" helps you identify what's abnormal. Ask for a list of documented exceptions for your monitoring scope.
1. SIEM alert triggers based on a policy rule violation.
2. Analyst checks whether the behavior matches the known exception list.
3. If not excepted, investigate context and impact.
4. Report confirmed violations to the appropriate team (HR, Legal, Security).
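The four-step workflow above, combined with the escalation tiers and breach-notification windows stated earlier on this page, as an added illustration (not code from the original page or from Shield House). The alert records, policy names and exception register are constructed sample data, and the `expires` field on an exception is an assumption so that a lapsed approval does not keep suppressing alerts.

```python
from datetime import datetime, timedelta

# Escalation tiers as stated on this page: which policy families route where.
TIER_OF_POLICY = {
    "acceptable_use": "aup",            # unauthorized software, personal device, content
    "password": "security",             # password sharing
    "remote_access": "security",        # unauthorized remote access
    "data_transfer": "security",        # unencrypted data transfer
    "data_exposure": "regulatory",      # PII/PHI exposure, PCI scope breach
    "audit_log_tampering": "regulatory",
}
ROUTE = {
    "aup": "HR; document, not a security incident unless malicious",
    "security": "Security team + user's manager; remediate (reset/revoke)",
    "regulatory": "CISO + Legal; preserve ALL evidence",
}
# Breach-notification windows taken from the regulation table on this page.
NOTIFY_WINDOW = {"GDPR": timedelta(hours=72), "HIPAA": timedelta(days=60)}

# Constructed exception register. 'expires' is an assumed field: a lapsed
# approval must not keep suppressing alerts (the second entry has expired).
EXCEPTIONS = [
    {"user": "jdoe", "policy": "remote_access", "expires": "2030-01-01T00:00:00+00:00"},
    {"user": "asmith", "policy": "remote_access", "expires": "2020-01-01T00:00:00+00:00"},
]

def is_excepted(alert, exceptions, now):
    """Step 2: is there an unexpired exception for this user AND this policy?"""
    return any(
        ex["user"] == alert["user"] and ex["policy"] == alert["policy"]
        and datetime.fromisoformat(ex["expires"]) > now
        for ex in exceptions
    )

def triage(alert, now_iso, exceptions=EXCEPTIONS):
    """Steps 1-4: turn a SIEM policy alert into a routing decision."""
    now = datetime.fromisoformat(now_iso)  # timezone-aware ISO timestamp of detection
    if is_excepted(alert, exceptions, now):
        return {"action": "close", "reason": "documented exception"}
    # Unknown policy families default to the security tier (assumption: err toward review).
    tier = TIER_OF_POLICY.get(alert["policy"], "security")
    decision = {"action": "investigate", "tier": tier, "route": ROUTE[tier]}
    if tier == "regulatory" and alert.get("regulation") in NOTIFY_WINDOW:
        # The notification clock starts at detection; record the hard deadline.
        decision["notify_by"] = (now + NOTIFY_WINDOW[alert["regulation"]]).isoformat()
    return decision
```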
Test your understanding of security policy management. Score 80% or higher to pass.
1. What is the correct order of the policy hierarchy from highest to lowest?
2. Which policy type would a DLP alert for emailing a spreadsheet of customer data violate?
3. Why should SOC analysts maintain a policy exception list?
4. What does the statement "Compliance is not security" mean?
5. Which regulation specifically protects EU citizen data privacy?