iso27001 – How an information security help desk looks

What you are asking about is generally known as a Security Operations Center (SOC, pronounced "sock"). In this place, Level 1 security analysts review the security incidents as they come in to determine if they are false positives or if they should be escalated to Level 2 analysts / engineers. If it is not a false positive, they will usually write a summary of the incident and escalate it to Level 2. Level 2 will investigate and determine if the event is a false positive and if it should be escalated to Incident Response (see below) or to Level 3 for further analysis. The exact breakdown of work between levels varies by organization, but there are usually 3 levels. Part of this can be provided locally and part of it by a Managed Security Services Provider (MSSP).

The size of the organization and the maturity of your security team determine what the SOC looks like (if they have one). In some smaller / less mature organizations, security tasks are handled in the IT help / service desk. The SOC is the preferred model and must include a lot of overlap with the Network and IT / Administration teams, since the proper configuration of this equipment is the backbone of security.

In addition, mature organizations must have a separate incident response (IR) team that has business context and administrative visibility / access to look for and remedy any problems that the SOC has escalated.

In addition, or as part of the IR team, there must be a digital forensics team to which investigations that appear to be of a serious nature can be escalated.

Finally, there is a lot of information on the web about this topic, so look around and read a lot. You only have one opportunity to create a SOC, so do it right.