CDC SOC BCT V1 2025 English

The Central Bank of Tunisia is establishing a Security Operations Center (SOC) to enhance its cybersecurity capabilities, focusing on threat detection, incident response, and continuous monitoring. The project includes creating a scalable SOC infrastructure, optimizing existing security technologies, and collaborating with a service provider for 24/7 supervision. Key objectives include preventing cybersecurity threats, automating incident response workflows, and conducting regular security assessments and training for SOC staff.

Uploaded by mohamed

The central bank wants to set up an internal SOC. This project aims to establish a Security Operations Center (SOC) to improve the security monitoring, threat detection and incident response capabilities of the Central Bank of Tunisia, leveraging the SIEM solution and the other security technologies already deployed.

The BCT intends the SOC to be the nerve centre for intelligence, surveillance and response activities, and to ensure the right balance of people, processes and technologies to monitor and respond to threats effectively and efficiently, in collaboration with a provider for 24x7 supervision.

The key objective of this project is to prevent any cybersecurity threats.

The aim is to:

- Create a scalable and efficient SOC infrastructure that can adapt to future security needs for 24x7 monitoring
  - Design and develop comprehensive documentation for the entire SOC process and incident response plan for the BCT, covering the main areas of the SOC:
    - SOC architecture and technology
    - SOC processes and procedures
    - SOC organization and staff
    - SOC metrics and reporting
    - SOC strategy and governance
- Integrate and optimize the existing SIEM to improve real-time monitoring and alerting
- Automate and streamline incident response workflows
- Monitor external attack surfaces and the dark web
- Establish a framework for collaboration with the specialist service provider for 24x7 supervision
Functional and Technical Requirements Tables

Each table has four columns: Reference (the requirement), Compliance, Bidder's proposal and Comments. The Bidder's proposal and Comments columns are left blank for the bidder to complete; the compliance level is given after each requirement below, and is omitted where the source shows none.

SOC Target Operating Model

- Develop a dedicated SOC governance and operating model. (Required)
- Create a detailed roadmap for the development and implementation of the SOC. (Required)
- Define milestones, timelines and resource requirements. (Required)
- Align the roadmap with business priorities and risk appetite. (Required)
- Identify the list of major sub-processes of SOC operations. (Required)
- Develop foundational sub-processes for continuous monitoring, incident response, digital forensics, threat hunting and threat intelligence. (Required)
- Ensure these sub-processes are scalable and adaptable to changing threats. (Required)
- Identify the list of key sub-processes for cyber assurance operations. (Required)
- Develop foundational sub-processes for vulnerability assessment, penetration testing, red teaming, source code reviews, vulnerability management and more. (Required)
- Ensure these sub-processes are scalable and adaptable to changing threats. (Required)

24x7 SOC Monitoring

- Provide 24/7 security monitoring and incident management following the collaboration matrix. (Required)
- Ensure that no confidential BCT data leaves the BCT environment. (Required)
- The service provider should have well-defined and mature processes and procedures in place for SOC operations and incident management. (Required)
- The service provider should provide alerts and support for 24/7 incident management. (Required)
- The service provider must provide the human and procedural components of the SOC. (Required)
- The service provider is required to conduct vulnerability assessments on a periodic basis, notifying BCT, to assess BCT's security state and provide BCT with recommendations to address any gaps. (Required)
- The service provider should have threat intelligence feeds and use them to proactively monitor for threats. (Required)
- The service provider must create BCT-specific business use cases and implement them in the SOC offered to the BCT. (Required)
- The service provider should conduct proactive threat hunting specific to the BCT entity and its associated domains. (Required)
- The service provider must provide scheduled reports on BCT-related security posture. (Required)
- In the event of an incident occurring within BCT, provide incident response, forensics and incident management capabilities on demand and on an ad hoc basis. (Required)
- Commit to SLA-based alert triage with defined timelines: (Required)
  - P1 (Critical) severity alerts assigned within 30 minutes.
  - P2 (High) severity alerts assigned within 2 hours.
  - P3 (Average) severity alerts assigned within 8 hours.
- Organize training for the BCT SOC team to ensure that it is aligned with the Workforce Framework for Cybersecurity. (Required)
- Conduct exercises and what-if scenarios for the SOC team to provide hands-on training on the different areas of the SOC, including vulnerability management, security monitoring, incident response, threat hunting and threat intelligence. (Required)

Improvement of SIEM-level use cases

- SIEM use cases: align existing use cases with MITRE and the BCT threat registries and address any gaps. (Required)
- Creation of conformance use cases (ISO 27001 and other standards). (Required)
- After all new use cases have been created, check and compare them against the old use case improvement areas to ensure the quality of the new coverage. (Required)
- Build new dashboards to cover different areas, including remote access, network, etc. (Required)
- Refine correlation rules to reduce false positives and improve detection of genuine threats. (Required)
- Optimize log ingestion, storage and retention settings for efficiency and cost-effectiveness.
- Set up advanced analytics, such as machine learning-based anomaly detection (where applicable).
- Implement new rules and policies tailored to the BCT-specific security landscape and business requirements.
- Configure GLPR rules to address CPU usage, a full event database and slow dashboards.
- Troubleshoot silent log sources that stop sending.
- Implement reports to improve visibility as needed. (Required)
- Design dashboards to detect anomalies. (Required)
- Review LogRhythm-connected data sources. (Required)
- Identify irrelevant logs to improve SIEM storage. (Required)
- Identify missing logs to improve visibility. (Required)
- Identify parsing problems and create all required parsers. (Required)
- Map events to LogRhythm's use case methodology. (Required)
- Provide recommendations and suggestions to improve the overall design and architecture of the SIEM. (Required)
- Document every use case created on the SIEM. (Required)
- Document all configuration changes to all security solutions involved. (Required)
- Document every dashboard and report created. (Required)
- Custom use cases and SmartResponse (SRP) plugins: (Required)
  - Develop and implement specialized SRPs (SmartResponse plugins) suited to seamless integration with our existing systems.
  - These plugins will be optimized to meet the specific requirements of the banking industry, ensuring smooth and efficient deployment of solutions while improving functionality.
  - Ensure that every aspect of the custom use cases and SRP plugins is designed with our specific business processes in mind, from conceptualization to execution.
  - This ensures that the solutions are not only relevant but also scalable and adaptable to the future needs of the BCT and the banking sector.
  Examples of custom automated responses (SRPs) relevant to the BCT:
  - External IP threat detection
  - Ransomware detection
  - Data exfiltration detection
  - Insider threat detection
  - Compromised user credentials
  - Elevation or abuse of privilege
  - Blacklisted IPs and blocked locations
  - Suspicious traffic based on IP reputation
  - etc.
- End-to-end customization: (Required)
  - Ensure that every aspect of the custom use cases and SRP plugins is designed with our specific business processes in mind, from conceptualization to execution.
  - This ensures that the solutions are not only relevant but also scalable and adaptable to the future needs of the banking industry.
- Continuous improvement and support:
  - Provide ongoing support and updates to ensure that custom use cases and SRP plugins continue to meet the changing demands of the banking industry.
  - Continuous improvement that allows our organization to stay at the forefront of industry trends.
- Organize knowledge transfer sessions with the BCT team covering all phases. (Required)

Attack Surface Management (ASM) Solution

- Brand monitoring: monitoring of online channels, social media platforms and websites for brand impersonation, reputational threats and unauthorized use of intellectual property. (Required)
- Infrastructure monitoring: continuous analysis and monitoring of IP assets and web applications; discovery of all public assets exposed to the Internet. (Required)
- Security assessment: regular security assessments to identify weaknesses in the organization's digital assets, detect vulnerabilities and misconfigurations, and provide recommendations to address them. (Required)
- Email health: monitoring of domains and email accounts for signs of compromise, phishing attacks, spam activity and email authentication issues, including checking for DNS and SMTP configuration issues. (Required)
- Dark web threats: proactive monitoring of dark web marketplaces, forums and chat rooms for mentions of the organization, leaked credentials and potential cyber threats. (Required)
- Robust asset discovery mechanisms to identify digital assets across various platforms and environments. (Required)
- Advanced vulnerability detection capabilities, including support for CVE databases, common misconfigurations and emerging threats. (Required)
- Integration with threat intelligence feeds to enrich surveillance data and identify emerging threats relevant to the organization. (Required)
- Continuous monitoring with real-time alerting capabilities to detect changes in the attack surface and security posture. (Required)
- Comprehensive reporting capabilities, including executive summaries, detailed vulnerability reports, trend analysis and actionable recommendations. (Required)
- Scalability to accommodate an increasing attack surface and organizational performance requirements. (Required)
- A strong focus on data privacy and security, including compliance with applicable regulations and industry best practices. (Required)
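The scheduled SLA reports required above can only be verified if the BCT measures the provider's triage times itself. The following is an added example, not part of the tender document, that applies the P1/P2/P3 assignment windows from the 24x7 SOC Monitoring table to a ticket export; the alert records and the `Alert` structure are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Triage SLA from the requirements table: maximum time between an alert
# being raised and its assignment to an analyst, per severity.
TRIAGE_SLA = {
    "P1": timedelta(minutes=30),  # Critical
    "P2": timedelta(hours=2),     # High
    "P3": timedelta(hours=8),     # Average
}

@dataclass
class Alert:
    alert_id: str
    severity: str
    raised_at: datetime
    assigned_at: Optional[datetime]  # None while still unassigned

def triage_status(alert: Alert, now: datetime) -> str:
    """Return 'met', 'breached' or 'pending' for the alert's triage SLA."""
    deadline = alert.raised_at + TRIAGE_SLA[alert.severity]
    if alert.assigned_at is not None:
        return "met" if alert.assigned_at <= deadline else "breached"
    # Unassigned alerts: still inside the window, or already overdue.
    return "pending" if now <= deadline else "breached"

def sla_report(alerts, now: datetime) -> dict:
    """Per-severity counts for the scheduled SLA report."""
    report = {sev: {"met": 0, "breached": 0, "pending": 0} for sev in TRIAGE_SLA}
    for alert in alerts:
        report[alert.severity][triage_status(alert, now)] += 1
    return report

# Constructed sample ticket export (not real BCT data); NOW is the report time.
T0 = datetime(2025, 3, 10, 2, 0)
NOW = T0 + timedelta(hours=3)
SAMPLE_ALERTS = [
    Alert("A-1", "P1", T0, T0 + timedelta(minutes=12)),                           # met
    Alert("A-2", "P1", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=45)),  # 45 min: breached
    Alert("A-3", "P2", T0, T0 + timedelta(hours=1, minutes=59)),                  # met
    Alert("A-4", "P3", T0, None),                                                 # pending at NOW
    Alert("A-5", "P3", T0 - timedelta(hours=9), None),                            # never assigned: breached
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert.alert_id, alert.severity, triage_status(alert, NOW))
    print(sla_report(SAMPLE_ALERTS, NOW))
```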
Framework for collaboration with the specialist service provider for 24x7 supervision

The collaboration matrix has the following columns: SOC Service; BCT (Resources proposed, Coverage); Partner (Coverage, Dedicated Resources); Service Level (Annual leave & Sick Leave coverage, SLA); Remarks. Its rows, per service:

SOC Manager/L3
  BCT resources proposed: 1 resource
  BCT coverage: BCT during Working Hours

L1 (24x7)
  BCT resources proposed: 3 resources (8:00 - 17:00)
  BCT coverage: 8:00 - 17:00
  Partner coverage: 16:00 - 09:00
  Partner dedicated resources: 4 resources (SLA included)
  Annual leave & sick leave coverage: The partner, covered by BCT team
  SLA: Working Hours
  Remarks: The partner covers Out of Working Hours; BCT covers Out of Working Hours and internal Annual Leave/Sick Leave of L1

L2
  BCT resources proposed: 1 resource
  BCT coverage: 8:00 - 17:00
  Partner coverage: 16:00 - 09:00
  Partner dedicated resources: 3 resources
  Annual leave & sick leave coverage: The partner, covered by the partner team
  SLA: Out of Working Hours
  Remarks: The partner covers Out of Working Hours + BCT L2 Annual Leave/Sick Leave

L3
  BCT resources proposed: Covered by SOC Manager
  BCT coverage: Covered by BCT
  Partner coverage: Covered by the partner
  Partner dedicated resources: Covered by retainer (80 hours)
  Annual leave & sick leave coverage: Retainer in case of needs
  SLA: During BCT Annual Leave
  Remarks: The partner covers on request with a retainer service that can be consumed by L3/IR within the year. Remaining hours will be consumed as TH service.

TH
  BCT resources proposed: N/A
  BCT coverage: N/A

DFIR
  BCT resources proposed: N/A
  Partner coverage: Covered by the partner
