PTX12_Presentation_George Delikouras AIA

George D. Delikouras
Head Information Security
Athens International Airport
Greece

Contents

A tough question: How secure are we?

What are the corporate information security needs? A top-down approach

How can we prioritize our needs? A risk-based approach

How can we persuade top management to invest in information security?

How can we present analysis results to the top management?

From strategy to implementation: Project phases

Introduction

Many Information Security Officers want a strategic approach to information security for their organization.

In most cases executives lack the time or the tools to map the organization's needs and priorities in order to schedule tasks or prepare an investment plan.

A well-documented proposal, based on a plan that can be easily understood, is the first step. A successful presentation to top management is the most important step towards the objective.

The top-down approach

Information security applies to people, processes and technology.

These are the 3 sectors we choose initially; each can then be split into more specific domains.

Many executives better understand these specific domains in which we are going to propose investments, e.g. "we have security issues in our database infrastructure".

The top-down approach offers a structured presentation of the sectors and domains in which we are willing to invest.

Overall framework: Sectors

[Diagram: the security program is split into three sectors, People, Process and Technology. Each sector carries the same four horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement & reporting.]

Overall framework: Domains

[Diagram: each sector of the security program is split into domains, again crossed with the four horizontal actions Policy definition, Enforcement, Monitoring & response, Measurement & reporting.]

People: Identity & access management; Information security mgmt.; Training, awareness, & personnel

Process: Information risk management; Policy & compliance framework; Business continuity & DR; Incident & threat management; Information asset management; Physical and environment sec.; Systems dev. & ops mgmt.

Technology: Network; Database; Systems; Endpoints; Application infrastructure; Messaging & content; Data

The next step

Even if we stop at this level of analysis, it is sufficient for a CEO or a CIO to assess and understand the sectors and domains where investments will be needed.

The next step is to go one level lower for the domains we have already defined. At this level we specify the technologies to be deployed in the organization and how they will be used, first of all to protect information and systems, but also to produce the measurable results required to justify them.

Monitoring, metrics, reporting

The effectiveness of our investments will be revealed by systematic measurement and reporting. This must be an objective in itself, and its prerequisite is a correct framework for data collection.

We define 4 horizontal actions for the organization:

1. Information security policies with applicable and achievable rules.

2. Obligatory enforcement of policies and rules.

3. Monitoring of policy compliance and enforcement.

4. Metrics and reporting that show policy effectiveness.

People

[Diagram: the People sector. Rows are the domains Information security organization; Training, awareness, & personnel; Identity and access management. Columns are the horizontal actions Policy definition, Enforcement, Monitoring & response, Measurement. Cell placement is not recoverable from the extracted text; the items shown are: IT governance structure; Business outreach program; IT operations security; Security advocacy & marketing; Audit framework; Personnel identity & eligibility checking; Security steering committee; Information risk management team; Business-level security; Corporate-level security; Security awareness & education; Performance management; Role definition; Performance management integration; Privilege definition; Awareness testing; Access control implementation; Activity monitoring; Privacy, compliance, & ethics training; Business controls monitoring.]

Process

[Diagram: the Process sector. Rows are the domains Systems dev. and operations management; Physical and environmental security; Incident & threat management; Information asset management; Policy and compliance framework; Information risk management; Business continuity & disaster recovery. Columns are the horizontal actions Policy definition, Enforcement, Monitoring & response, Measurement. Cell placement is not recoverable from the extracted text; the items shown are: Requirements management; QA & system security review; Sourcing strategy; IT acquisition; Event analysis; App access control; Change management; System access controls; Log retention; Audit framework; Architectural review; Threat research; Response planning; Post-incident review; Forensics; Incident response; Security testing; Facilities access control; Risk assessment; Contract management; Business impact analysis; Asset life-cycle management; Asset ownership; Continuity planning; Redundancy management; BCP testing; Plan maintenance; Information asset tracking; Records retention; Information risk tracking; Information risk classification; Policy creation; Policy maintenance; Compliance research; Policy distribution; Information risk handling; BCP training.]

Technology

[Diagram: the Technology sector. Rows are the domains Data; Network; Databases; Systems; Endpoints; Messaging & content; Application infrastructure. Columns are the horizontal actions Policy definition, Enforcement, Monitoring & response, Measurement. Cell placement is not recoverable from the extracted text; the technologies shown are: Network access control; NBAD; Wireless gateway; WLAN monitoring; Audit & risk management framework; IPS; Firewall; SSL VPN; Database encryption; Vulnerability management; Database monitoring; Antivirus (in several domains); Configuration mgmt.; Storage security; Firewall/Host IPS; Directory; Application assessment; Antispam; Email encryption & filtering; Web filtering; Enterprise SSO; Antivirus/Antispyware; Endpoint control; Client encryption; XML gateway; Web SSO; IM filtering; Digital investigation & forensics; SIM; App encryption; Information leak protection; Enterprise encryption & key management; Digital rights management; Identity & access management; Strong authentication; Database config. mgmt.; Application FW.]

From theory to practice

Very nice theory so far. What can I do in my company? How can Checkpoint technologies really help me? The answer in 3 steps:

1. Draw a map of the sectors and domains described so far, noting which technologies add value to the enterprise.

2. Draw the same map depicting the existing situation in the organization.

3. Prioritize the needs and put them on paper. Discuss with Checkpoint technology experts how the organization benefits in each sector and every domain.

Step 1: Value map

[Diagram: the Technology map (domains Data, Network, Databases, Systems, Endpoints, Messaging & content, Application infrastructure, crossed with Policy definition, Enforcement, Monitoring & response, Measurement), showing the same technologies as the Technology slide, each colour-coded by the value it adds to the enterprise: High, Medium or Low. The individual ratings are not recoverable from the extracted text.]

Step 2: Existing situation

[Diagram: the same Technology map as in Step 1, with each technology colour-coded by its current state in the organization: Not implemented, Needs attention, or Satisfactorily implemented. The individual ratings are not recoverable from the extracted text.]

Step 3: Prioritization

[Diagram: rows are the domains Network; Databases; Systems; Endpoints; Applications infrastructure; Messaging & content; Data; Policy & risk management. Columns are the priority buckets Immediate attention, Short-term review, Long-term review. Each technology keeps its Step 2 colour (Not implemented / Needs attention / Satisfactorily implemented). Cell placement is not recoverable from the extracted text; the technologies shown are: SIM; Audit framework; Strong authentication; IAM; Forensics; Vulnerability management; NAC; IPS; WLAN gateway; WLAN monitoring; NBAD; Firewall; VPN; Directory; App assess; Application firewall; Application encryption; XML gateway; Web SSO; Configuration mgmt.; Server AV; FW/IPS; Antispyware; Client encryption; Endpoint control; Enterprise SSO; Storage security; Database encryption; Database monitoring; Database config. mgmt.; ILP; IM filtering; Antivirus; Antispam; Email encryption; Web filtering; Enterprise encryption & key management; DRM.]
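The three steps above, written out as a small Python script. This is an added example, not code from the presentation: it builds a constructed Step 1 value map (High / Medium / Low) and a constructed Step 2 existing-situation map (Not implemented / Needs attention / Satisfactorily implemented) over a handful of cells from the Technology map, checks that both maps were drawn on the same cells, applies an assumed rule that combines them into the Step 3 buckets (Immediate attention / Short-term review / Long-term review), and rates each domain on the Poor / Average / Good / Exceptional scale used later on the comparative-presentation slide. The sample cells, the priority rule in PRIORITY_RULE and the thresholds in rating() are all assumptions for illustration; the talk does not state them.

```python
"""Added example: value map -> existing situation -> prioritization.
Cell contents, PRIORITY_RULE and the rating thresholds are assumptions
made for this illustration; they are not from the presentation."""
from enum import IntEnum
from typing import Dict, List, Tuple


class Value(IntEnum):
    """Step 1 legend: value the technology adds to the enterprise."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class State(IntEnum):
    """Step 2 legend: how well the technology is implemented today."""
    SATISFACTORY = 0      # "Satisfactorily implemented"
    NEEDS_ATTENTION = 1
    NOT_IMPLEMENTED = 2


# Step 3 legend: the three columns of the prioritization slide.
IMMEDIATE = "Immediate attention"
SHORT_TERM = "Short-term review"
LONG_TERM = "Long-term review"

# Assumed rule: the biggest gaps in the highest-value cells come first.
# Satisfactory cells need no action and are not listed at all.
PRIORITY_RULE: Dict[Tuple[Value, State], str] = {
    (Value.HIGH, State.NOT_IMPLEMENTED): IMMEDIATE,
    (Value.HIGH, State.NEEDS_ATTENTION): SHORT_TERM,
    (Value.MEDIUM, State.NOT_IMPLEMENTED): SHORT_TERM,
    (Value.MEDIUM, State.NEEDS_ATTENTION): LONG_TERM,
    (Value.LOW, State.NOT_IMPLEMENTED): LONG_TERM,
    (Value.LOW, State.NEEDS_ATTENTION): LONG_TERM,
}

Cell = Tuple[str, str]  # (domain, technology): one box on the Technology map

# Constructed Step 1 sample: a few cells of the Technology map.
VALUE_MAP: Dict[Cell, Value] = {
    ("Network", "Firewall"): Value.HIGH,
    ("Network", "IPS"): Value.HIGH,
    ("Network", "WLAN monitoring"): Value.MEDIUM,
    ("Databases", "Database encryption"): Value.HIGH,
    ("Databases", "Database monitoring"): Value.MEDIUM,
    ("Endpoints", "Antivirus/Antispyware"): Value.HIGH,
    ("Endpoints", "Client encryption"): Value.MEDIUM,
    ("Messaging & content", "IM filtering"): Value.LOW,
    ("Data", "Digital rights management"): Value.LOW,
}

# Constructed Step 2 sample: the same cells, rated as they stand today.
EXISTING_STATE: Dict[Cell, State] = {
    ("Network", "Firewall"): State.SATISFACTORY,
    ("Network", "IPS"): State.NEEDS_ATTENTION,
    ("Network", "WLAN monitoring"): State.NOT_IMPLEMENTED,
    ("Databases", "Database encryption"): State.NOT_IMPLEMENTED,
    ("Databases", "Database monitoring"): State.NEEDS_ATTENTION,
    ("Endpoints", "Antivirus/Antispyware"): State.SATISFACTORY,
    ("Endpoints", "Client encryption"): State.NOT_IMPLEMENTED,
    ("Messaging & content", "IM filtering"): State.NEEDS_ATTENTION,
    ("Data", "Digital rights management"): State.NOT_IMPLEMENTED,
}


def check_maps_align(value_map: Dict[Cell, Value],
                     state_map: Dict[Cell, State]) -> None:
    """Step 2 must be drawn on the same map as Step 1: a cell present in one
    map but missing from the other would silently drop out of Step 3."""
    mismatch = set(value_map) ^ set(state_map)
    if mismatch:
        raise ValueError(f"maps disagree on cells: {sorted(mismatch)}")


def prioritize(value_map: Dict[Cell, Value],
               state_map: Dict[Cell, State]) -> Dict[str, List[Cell]]:
    """Step 3: put every non-satisfactory cell into one of the three buckets."""
    check_maps_align(value_map, state_map)
    buckets: Dict[str, List[Cell]] = {IMMEDIATE: [], SHORT_TERM: [], LONG_TERM: []}
    for cell, value in value_map.items():
        state = state_map[cell]
        if state is State.SATISFACTORY:
            continue
        buckets[PRIORITY_RULE[(value, state)]].append(cell)
    for cells in buckets.values():
        cells.sort()  # deterministic order for the slide
    return buckets


def rating(score: float) -> str:
    """Comparative-presentation scale; the thresholds are an assumption."""
    if score < 0.25:
        return "Poor"
    if score < 0.5:
        return "Average"
    if score < 0.75:
        return "Good"
    return "Exceptional"


def domain_maturity(state_map: Dict[Cell, State]) -> Dict[str, str]:
    """One rating per domain: mean of 1.0 (satisfactory), 0.5 (needs
    attention) and 0.0 (not implemented) over the domain's cells."""
    scores: Dict[str, List[float]] = {}
    for (domain, _tech), state in state_map.items():
        scores.setdefault(domain, []).append(1.0 - state / 2)
    return {d: rating(sum(s) / len(s)) for d, s in scores.items()}


if __name__ == "__main__":
    for bucket, cells in prioritize(VALUE_MAP, EXISTING_STATE).items():
        print(bucket)
        for domain, tech in cells:
            print(f"  {domain}: {tech}")
    print(domain_maturity(EXISTING_STATE))
```

The alignment check is the part worth keeping even if the rule is changed: in practice the two maps are drawn at different times, and a technology added to the value map after the existing-situation survey was done is exactly the one that never gets a priority. The per-domain rating feeds the Current series of the comparative slide; the 3-year target and the peer average come from separate data the talk does not show.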

…some advice

This framework might seem too generic, but it is a solid start as it gives a security x-ray image of the organization.

It must be clear that each enterprise, and each sector of the economy or industry, has its own special needs.

For best results:

1. Modify the plan to best suit your needs.

2. Repeat the exercise every 2 years.

3. Build your strategy in annual intervals.

A comparative analysis between your company and its peers will persuade even the most demanding CEO or Board.

Comparative presentation

[Chart: the Process sector's domains (Information risk mgmt.; Policy and compliance framework; Information asset mgmt.; BC/DR; Incident and threat mgmt.; Physical and environmental security; Systems dev. and ops mgmt.) rated on a Poor / Average / Good / Exceptional scale, with three series per domain: Company = 3-year target, Company = Current, Peer average. The plotted ratings are not recoverable from the extracted text.]

Thank you for your attention!

George D. Delikouras
Athens International Airport S.A.
Head Information security
IT&T Business Unit
[email protected]