Cybersecurity Operations Centre

Rationale: MTTD of 15 minutes for high-severity incidents derives from MITRE ATT&CK dwell-time analysis: adversaries completing lateral movement within 30-60 minutes of initial compromise means detection must occur in the first half of that window to enable effective containment. Exceeding 15 minutes significantly increases the probability of privilege escalation and data exfiltration.

Rationale: Containment timelines of 60 minutes (critical) and 4 hours (high) are derived from the NIST SP 800-61 incident response lifecycle and align with insurance underwriter expectations. Critical incidents (ransomware, active intrusion) require sub-hour containment to prevent encryption propagation or data exfiltration at scale.

Rationale: Regulatory compliance is a non-negotiable operational requirement. NIST CSF provides the detection and response framework, ISO 27001 the management system baseline, and sector-specific regulations (e.g., NIS2 for critical infrastructure, PCI-DSS for payment processing) impose additional controls with legal penalties for non-compliance.

Rationale: Cyber attacks are not bounded by business hours; adversaries deliberately operate during off-peak periods when monitoring attention is lowest. The 30-minute quarterly maintenance window constrains planned downtime to what can be achieved with rolling upgrades and hot-standby failover, maintaining continuous threat detection coverage.

Rationale: Unmonitored assets are the primary vector for undetected compromise. The 7-day onboarding window balances operational reality (new asset provisioning, network registration, agent deployment) against the risk window. Complete asset visibility is foundational — detection rules and vulnerability scans are ineffective against assets the SOC cannot see.

Rationale: Requiring 10+ independent intelligence sources ensures coverage diversity across commercial threat feeds (e.g., Recorded Future, Mandiant), open-source feeds (e.g., MISP communities, abuse.ch), government advisories (CISA, NCSC), and sector-specific ISACs. Single-source reliance creates blind spots for threats outside that vendor's collection aperture.

Rationale: GDPR Article 33 mandates 72-hour notification to supervisory authorities; NIS2 Article 23 requires 24-hour early warning. Failure to meet these timelines carries statutory penalties (up to 2% of global turnover under NIS2). The 4-hour executive summary enables incident commander decision-making during the critical early phase of response.

Rationale: 100,000 endpoints and 500 network segments represent a large enterprise baseline. The 25% annual growth accommodation prevents architectural redesign cycles that would introduce detection coverage gaps during migration. Without this headroom, SOC infrastructure becomes the bottleneck during acquisitions, cloud migrations, or rapid expansion.

Rationale: The 120-second rule-based and 300-second behavioural detection windows derive from the 15-minute MTTD stakeholder requirement (STK-NEEDS-001). Correlation must complete well within the MTTD budget to leave time for alert triage, enrichment, and analyst notification. Behavioural analytics require longer windows due to baseline comparison computation.

Rationale: 150K EPS steady-state derives from 100K endpoints generating an average of 1.5 events/sec each across OS telemetry, EDR, network flow, and authentication logs. The 500K EPS burst capacity accommodates incident-triggered log surges (e.g., mass scanning, worm propagation) when event volumes spike 3-4x. Event loss during these bursts would create detection blind spots precisely when they are most dangerous.

Rationale: 30-second containment execution derives from the 60-minute critical incident containment target (STK-NEEDS-002). Automated containment actions (network isolation, process kill) must execute near-instantly once the decision is made, as each second of delay allows additional lateral movement, data staging, or encryption. The 30-second ceiling accounts for agent communication latency across WAN-connected endpoints.

Rationale: 60-second automated playbook execution for known alert types reduces analyst cognitive load and ensures consistent response for high-volume, well-understood threats (phishing, malware beaconing, brute-force). The 120-second routing SLA for human-judgement alerts ensures tier-appropriate analyst engagement before the MTTD budget is consumed.

Rationale: 20 feeds exceeds the 10-source stakeholder minimum (STK-NEEDS-006) to provide the TIP with sufficient indicator volume for cross-correlation. STIX/TAXII 2.1 is the OASIS standard for structured threat intelligence exchange, ensuring interoperability across commercial and government feeds. The 4-hour/1-hour update intervals balance API rate limits against indicator freshness for critical advisories (e.g., zero-day IOCs).

Rationale: 90-day hot storage enables immediate forensic investigation of incidents discovered during routine threat hunting or retrospective IOC matching. 365-day warm storage satisfies regulatory retention requirements (ISO 27001 A.12.4, PCI-DSS Requirement 10.7). The 4-hour retrieval SLA for archived logs supports investigation timelines without requiring cost-prohibitive all-hot architectures.

Rationale: 7-day IT scan cycle aligns with common vulnerability disclosure timelines and patch management SLAs. 30-day OT cycle reflects operational constraints — OT systems often cannot tolerate active scanning during production windows. 98% asset inventory accuracy ensures vulnerability coverage aligns with actual deployed infrastructure, preventing false confidence from scanning stale asset lists.

Rationale: 99.95% monthly availability allows approximately 22 minutes of unplanned downtime per month, consistent with Tier 3+ data centre SLAs and the 30-minute quarterly planned maintenance window (STK-NEEDS-004). The no-single-point-of-failure requirement ensures that component failure in the detection pipeline does not create an unmonitored window exploitable by adversaries.

Rationale: 30-minute notification document generation directly supports the GDPR 72-hour and NIS2 24-hour regulatory timelines (STK-NEEDS-007). Pre-populated templates eliminate the risk of incomplete mandatory fields under time pressure. GDPR Article 33, NIS2 Article 23, and sector templates must be maintained as living documents reflecting current regulatory interpretations.

Rationale: Full packet capture at 10 Gbps aggregate provides forensic evidence for incident investigation that metadata-only approaches cannot — payload inspection, protocol anomaly analysis, and malware sample extraction. 72-hour retention covers the typical investigation initiation window. 4-hour IDS rule update latency ensures signature coverage for newly disclosed vulnerabilities within the same operational cycle as vendor advisory publication.

Rationale: Identity is the primary attack surface in modern enterprise environments — over 80% of breaches involve credential compromise (Verizon DBIR). UEBA across AD, Azure AD, and PAM covers the full authentication surface. The 5% false positive ceiling ensures analyst trust in identity alerts; higher rates lead to alert fatigue and missed true positives in the identity domain.

Rationale: 72-hour UPS/generator runtime covers extended utility outages during severe weather events or grid failures, maintaining SOC operations during the period when cyber threats may increase (adversaries exploit infrastructure disruptions). Two-factor physical access prevents unauthorised facility entry that could enable physical tampering with SOC infrastructure, keyboard loggers, or insider threat scenarios.

Rationale: Threat hunting addresses the detection gap between known-bad indicators (covered by detection rules) and novel adversary TTPs. The 30-second query response time over 7-day windows ensures analysts can iterate on hunt hypotheses without workflow disruption. The 50-hypothesis library mapped to ATT&CK ensures coverage of common adversary technique chains even with analyst turnover.

Rationale: Without alert tuning, SOC analysts face alert fatigue that degrades detection effectiveness. The 25-alert/hour/analyst ceiling is derived from cognitive load research showing analyst accuracy drops below 80% above this threshold. Rolling 30-day false-positive metrics per rule category enable evidence-based tuning decisions and prevent regression when new detection rules are deployed.

Rationale: Security event data contains PII (usernames, IP addresses), threat intelligence under TLP restrictions, and forensic evidence with legal chain-of-custody requirements. TLS 1.3 is mandated over TLS 1.2 to eliminate known downgrade attacks against inter-subsystem channels that carry high-value telemetry. AES-256 at-rest encryption is required by ISO 27001 control A.10.1.1 and by GDPR Article 32 for processing security-relevant personal data.

Rationale: A SOC must remain operational during regional infrastructure failures (power outages, natural disasters, physical security incidents) because adversaries actively exploit degraded defensive posture. The 4-hour RTO ensures detection pipeline restoration before typical adversary dwell times allow lateral movement. The 1-hour RPO limits telemetry data loss to a window recoverable via endpoint log replay. Geographic failover is required because single-site SOCs are a single point of failure for the entire organisation's security posture.

Rationale: The SIEM-centric hub-and-spoke architecture creates a single point of failure in the detection pipeline, contradicting the no-SPOF requirement (SYS-INFRA-008). Cross-domain analogs from nuclear reactor protection and naval combat management implement diverse detection paths to maintain safety-critical alerting during primary system failure. The 60% detection floor and 30-minute MTTD represent minimum acceptable degraded performance during SIEM outage.

Rationale: STK-NEEDS-004 mandates 24/7 continuous operation but no system-level requirement defines the staffing model. Industry standards (NIST SP 800-61, FIRST CSIRT frameworks) recommend minimum dual-analyst coverage for Tier-1 triage to avoid single-analyst fatigue-induced detection gaps during overnight shifts. The shift handover requirement prevents context loss between shifts, which is a known root cause of delayed incident escalation in SOC operations.