content/handbook/security/gearing-ratios.md +39 −0 @@ -39,3 +39,42 @@ SIRT is the sole carrier of the Security On-Call (SEOC) rotation, which ensures - If number of total team members increases by +20% compared to previous year This gearing ratio is owned by the [Security Operations](/handbook/security/security-operations/) Sub-department. ## Security Compliance Team Staffing The weighted gearing ratio for Security Compliance team size accounts for certification complexity: **Certification Complexity Weighting:** - High Complexity (2.0 FTE): FedRAMP, DoD - Medium Complexity (1.0 FTE): ISO standards, PCI DSS, ISMAP, IRAP, CMMC - Standard Complexity (0.5 FTE): SOC 2, TISAX, Cyber Essentials **Formula**: Required FTE = Σ(Active Certifications × Complexity Weight) + 1 Core Operations Staff This ratio should be re-evaluated when: - Adding certifications that introduce new geographic or regulatory domains - Certification requirements significantly change - Automation capabilities reduce manual effort by >30% This gearing ratio is owned by the Security Compliance team and should be re-evaluated annually during budget planning. ## Security Compliance External Audit Budget Annual audit budget is tiered based on certification complexity and requirements: **Budget Tiers:** - Tier 1 ($200-300K): FedRAMP, DoD, ISMAP - Tier 2 ($100-150K): ISO 27001, IRAP, CMMC - Tier 3 ($50-75K): SOC 2, PCI SAQ, TISAX, ISO, Cyber Essentials Budget should include 10% contingency for scope changes and remediation validation audits. This gearing ratio is owned by the Security Compliance team and should be re-evaluated annually during budget planning.
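Review bot: the Budget Tiers list in the new "Security Compliance External Audit Budget" section places ISO in two tiers: Tier 2 reads "ISO 27001" while Tier 3 reads a bare "ISO", so a reader cannot tell which ISO certifications are budgeted at $50-75K versus $100-150K. Suggest naming the specific standard(s) meant in Tier 3 or dropping the duplicate; the staffing section above treats all "ISO standards" as one Medium Complexity (1.0 FTE) class, so if the audit cost genuinely differs per ISO standard the tiering should say which ones. Relatedly, ISMAP is Medium Complexity (1.0 FTE) for staffing but Tier 1 ($200-300K) for audit budget, the only certification whose staffing and budget tiers diverge that way; a one-line rationale would keep the two gearing ratios from reading as inconsistent.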