Reporting Process

Overview

This document is a process guide that serves as a reference for KPMG GSOC and Member Firms on the Reporting process. The scope of the Reporting process covers all sources utilised by the KPMG GSOC (GSOC) for internal and external information dissemination, including but not limited to operational Key Performance Indicators (KPIs) and Threat Intelligence Reports. This document provides examples of reports that are generated by the GSOC for internal consumption and for circulation to the Global CISO and the designated personnel of Member Firms, including but not limited to the corresponding CISOs, NITSOs and SMEs.

This GSOC Reporting Process works within the boundaries of the GSOC Communications Process and adheres to the KPMG Information Classification Policy. All information produced by the GSOC is classified as “KPMG Confidential” by default.

The report samples provided within this document focus on the data elements. The actual presentation (visual elements) of these reports is developed through the wireframing exercise.

Reporting Categorization

Each of the report samples listed within this document identifies the following factors which govern their production:

  • Distribution Scope (GSOC / Member Firm)
  • Audience (Global CISO / Member Firm CISOs / GSOC Manager / NITSO / Authorised Personnel)
  • Mode of Generation (Automated / Manual)
  • Distribution Channel (Email / RSA Archer SecOps / SharePoint)
  • Production Format (PDF / CSV / HTML)
  • Schedule (Near Real-time / Periodic)
  • Classification (KPMG Confidential / KPMG Highly Confidential)

Sources of Data

The following systems have been identified within the KPMG GSOC space that will serve as sources of data for the measurement of KPIs and/or generation of reports and dashboards.

  • Security Analytics (SIEM)
  • RSA Archer SecOps (Incident Management)
  • CRITs (Threat Intelligence Portal)

Audience Requirements

The following is a brief (non-exhaustive) account of the requirements of the different audience groups for the reports and dashboards generated by the KPMG GSOC:

Global CISO / Member Firm CISOs

  • Awareness of hotspots
  • Relevant Threat information / advisories
  • Understand impact on business for a particular threat
  • Effectiveness of the GSOC Operations
  • Global Threat Landscape
  • Risks

GSOC Manager

  • Awareness of hotspots
  • Relevant Threat information / advisories
  • Understand impact on business for a particular threat
  • Effectiveness of the GSOC Operations
  • Global Threat Landscape
  • Operational Metrics
  • Capacity Management
  • Staff Upskilling/Training
  • Enhancement of GSOC Maturity
  • Risks

Member Firms (NITSO / SMEs)

  • Overview of corresponding Threat Situation
  • Understand which part(s) of their business are affected
  • Report and update on specific security incidents
  • Common attack vectors of concern
  • Cluster of incidents of common origin
  • Common Weaknesses in Member Firm Defense-in-depth
  • Threat Intelligence

Priority Classification

The standard KPMG GSOC Priority/Urgency levels are used throughout this report. Reference below:

Security Incident Priority Classification
  • Priority 1: Highest Priority incidents spanning multiple Member Firms and/or public awareness of data breach
  • Priority 2: Multiple systems affected or high impact exploits and compromises
  • Priority 3: Localised or low impact exploits and compromises
  • Priority 4: Lowest priority includes scans and blocked attacks

Constraints and Assumptions

The Reporting Process will continuously evolve over time to ensure its relevance and currency as the GSOC builds out its capability to respond to the ever-changing threat landscape, e.g. the ability to capture and record measurable metrics. The Reporting Process will also be updated in line with the evolving requirements and needs of the Member Firms, especially as they upscale their data sharing capabilities, e.g. log provision, asset information, etc.

KPMG GSOC personnel are expected to maintain, regularly build and rely on their knowledge and experience to guide their execution of this process. They are expected to use their best judgment when minor adaptations are needed for execution. Any significant exceptions to this process should follow the instructions in Section 2.5 (Exceptions) of this document.

The limitations recorded below persist at the time of writing this document and should be reviewed as the KPMG GSOC matures and certain constraints change or assumptions are disproven:

  • Limited classification and categorization information will be assigned to the Incidents by the L1/L2 Analysts, as they initially have a large number of incidents to handle, and because of their level of familiarity with the incident context and the corresponding VERIS matrix.
  • The number of log sources requested from the Member Firms is limited (5 at the time of writing this document), which impacts the reporting capability and the depth of metrics available. This will improve when the number of data sources (logs, assets, etc.) is increased.