PTX12_Presentation_George Delikouras AIA
Contents
A tough question: How secure are we?
What are the corporate information security needs? A top-down approach
How can we prioritize our needs? A risk-based approach
How can we persuade top management to invest in information security?
How can we present analysis results to the top management?
From strategy to implementation: Project phases
Introduction
Many Information Security Officers want a strategic approach to information security for their organization.
In most cases executives lack the time or the tools to map the organization's needs and priorities in order to schedule tasks or prepare an investment plan.
A well-documented proposal based on a plan that can be easily understood is the first step. A successful presentation to top management is the most important step towards the objective.
The top-down approach
Information security applies to people, processes and technology.
These are the three sectors we start from; each can then be split into more specific domains.
Many executives understand these specific domains, in which we are going to propose investments, more readily, e.g. "we have security issues in our database infrastructure".
The top-down approach offers a structured presentation of the sectors and domains in which we are willing to invest.
Overall framework: Sectors
[Slide figure: the security program is split into three sectors, People, Process and Technology. Each sector is crossed with the same four horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement & reporting.]
Overall framework: Domains
[Slide figure: each sector is broken down into domains, again crossed with Policy definition, Enforcement, Monitoring & response and Measurement & reporting.
People: Identity & access management; Information security mgmt.; Training, awareness & personnel.
Process: Information risk management; Policy & compliance framework; Business continuity & DR; Incident & threat management; Information asset management; Physical and environment sec.; Systems dev. & ops mgmt.
Technology: Network; Database; Systems; Endpoints; Application infrastructure; Messaging & content; Data.]
The next step
Even if we stay at this level of analysis, it is sufficient for a CEO or a CIO to assess and understand the sectors and domains where investments will be needed.
The next step is to go one level lower for the domains we have already defined. This way we specify the technologies that need to be deployed in the organization and the way these technologies can be used, first of all to protect information and systems, but also to produce the measurable results required to justify them.
Monitoring, metrics, reporting
Our investments' effectiveness will be revealed by systematic measurement and reporting. This must be an objective in itself, and its prerequisite is the correct framework for data collection.
We define 4 horizontal actions for the organization:
1. Information security policies with applicable and achievable rules.
2. Obligatory enforcement of policies and rules.
3. Monitoring of policy compliance and enforcement.
4. Metrics and reporting that show policy effectiveness.
People
[Slide figure: People sector matrix. Rows: Information security organization; Training, awareness & personnel; Identity and access management. Columns: Policy definition, Enforcement, Monitoring & response, Measurement. Cell contents (listed without their cell positions): IT governance structure; Business outreach program; IT operations security; Security advocacy & marketing; Audit framework; Personnel identity & eligibility checking; Security steering committee; Information risk management team; Business-level security; Corporate-level security; Security awareness & education; Performance management; Role definition; Performance management integration; Privilege definition; Awareness testing; Access control implementation; Activity monitoring; Privacy, compliance & ethics training; Business controls monitoring.]
Process
[Slide figure: Process sector matrix. Rows: Systems dev. and operations management; Physical and environmental security; Incident & threat management; Information asset management; Policy and compliance framework; Information risk management; Business continuity & disaster recovery. Columns: Policy definition, Enforcement, Monitoring & response, Measurement. Cell contents (listed without their cell positions): Requirements management; QA & system security review; Sourcing strategy; IT acquisition; Event analysis; App access control; Change management; System access controls; Log retention; Audit framework; Architectural review; Threat research; Response planning; Post-incident review; Forensics; Incident response; Security testing; Facilities access control; Risk assessment; Contract management; Business impact analysis; Asset life-cycle management; Asset ownership; Continuity planning; Redundancy management; BCP testing; Plan maintenance; Information asset tracking; Records retention; Information risk tracking; Information risk classification; Policy creation; Policy maintenance; Compliance research; Policy distribution; Information risk handling; BCP training.]
Technology
[Slide figure: Technology sector matrix. Rows: Data; Network; Databases; Systems; Endpoints; Messaging & content; Application infrastructure. Columns: Policy definition, Enforcement, Monitoring & response, Measurement. Cell contents (listed without their cell positions): Network access control; NBAD; Wireless gateway; WLAN monitoring; Audit & risk management framework; IPS; Firewall; SSL VPN; Database encryption; Vulnerability management; Database monitoring; Antivirus; Configuration mgmt.; Storage security; Firewall/Host IPS; Directory; Application assessment; Antivirus; Antispam; Email encryption & filtering; Web filtering; Enterprise SSO; Antivirus/Antispyware; Endpoint control; Firewall/Host IPS; Client encryption; XML gateway; Web SSO; IM filtering; Digital investigation & forensics; SIM; App encryption; Information leak protection; Enterprise encryption & key management; Digital rights management; Identity & access management; Strong authentication; Database config. mgmt.; Application FW.]
From theory to practice
Very nice theory so far. What can I do in my company? How can Checkpoint technologies really help me? The answer in 3 steps:
1. Draw a map of the sectors and domains described so far, noting which technologies add value to the enterprise.
2. Draw the same map depicting the existing situation in the organization.
3. Prioritize the needs and draw them on paper. Discuss with Checkpoint technology experts how the organization benefits in each sector and every domain.
Step 1: Value map
[Slide figure: the Technology sector matrix (same rows and technologies as the Technology slide, including Application firewall, Antispam and Antivirus), with each technology rated by its value to the enterprise. Legend: High, Medium, Low.]
Step 2: Existing situation
[Slide figure: the same Technology sector matrix, with each technology marked by its current state in the organization. Legend: Not implemented, Needs attention, Satisfactorily implemented.]
Step 3: Prioritization
[Slide figure: prioritization map. Rows: Network; Databases; Systems; Endpoints; Applications infrastructure; Messaging & content; Data; Policy & risk management. Columns: Immediate attention, Short-term review, Long-term review. Technologies placed on the map (listed without their cell positions): SIM; Audit framework; Strong authentication; IAM; Forensics; Vulnerability management; NAC; IPS; WLAN gateway; WLAN monitoring; NBAD; Firewall; VPN; Directory; App assess; Application firewall; Application encryption; XML gateway; Web SSO; Configuration mgmt.; Server AV; FW/IPS; FW/IPS; Antispyware; Client encryption; Endpoint control; Enterprise SSO; Storage security; Database encryption; Database Monitoring; Database config. mgmt.; ILP; IM filtering; Antivirus; Antispam; encryption; Web filtering; Enterprise encryption & key management; DRM. Legend: Not implemented, Needs attention, Satisfactorily implemented.]
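The three-step exercise (value map, existing situation, prioritization) carried through in code, as an added example that is not part of the presentation. The rule that turns a technology's value rating and implementation status into one of the three attention buckets is an assumption of this example; the slides show the buckets but do not state how they are derived, and the sample ratings are constructed.

```python
from collections import defaultdict
# Step 1 legend (value to the enterprise) and Step 2 legend (existing situation).
VALUE = {"High": 3, "Medium": 2, "Low": 1}
GAP = {"Not implemented": 2, "Needs attention": 1, "Satisfactorily implemented": 0}

def priority(value, status):
    """Assumed rule (not stated on the slides): gap score = value weight x gap.
    4..6 -> Immediate attention, 2..3 -> Short-term review, 1 -> Long-term review,
    0 -> satisfactorily implemented, nothing to schedule."""
    score = VALUE[value] * GAP[status]
    if score >= 4:
        return "Immediate attention"
    if score >= 2:
        return "Short-term review"
    return "Long-term review" if score == 1 else None

# Constructed sample assessment: (domain, technology, Step 1 value, Step 2 status).
# Domains and technologies come from the slides; the ratings are invented.
ASSESSMENT = [
    ("Network",   "Firewall",                          "High",   "Satisfactorily implemented"),
    ("Network",   "IPS",                               "High",   "Needs attention"),
    ("Network",   "NAC",                               "Medium", "Not implemented"),
    ("Network",   "NBAD",                              "Low",    "Not implemented"),
    ("Databases", "Database encryption",               "High",   "Not implemented"),
    ("Databases", "Database monitoring",               "Medium", "Needs attention"),
    ("Endpoints", "Antivirus/Antispyware",             "High",   "Satisfactorily implemented"),
    ("Endpoints", "Client encryption",                 "Low",    "Needs attention"),
    ("Data",      "Enterprise encryption & key mgmt.", "High",   "Not implemented"),
    ("Data",      "Information leak protection",       "Medium", "Not implemented"),
]

def prioritization_map(assessment):
    """Step 3: every technology with an open gap, grouped by bucket and then by domain."""
    buckets = defaultdict(lambda: defaultdict(list))
    for domain, tech, value, status in assessment:
        bucket = priority(value, status)
        if bucket:
            buckets[bucket][domain].append(tech)
    return {bucket: dict(domains) for bucket, domains in buckets.items()}

def domains_needing_immediate_attention(assessment):
    """Domains with at least one technology in the Immediate attention bucket."""
    return sorted(prioritization_map(assessment).get("Immediate attention", {}))

if __name__ == "__main__":
    for bucket, domains in prioritization_map(ASSESSMENT).items():
        print(bucket)
        for domain, techs in domains.items():
            print(f"  {domain}: {', '.join(techs)}")
```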
…some advice
This framework might seem too generic, but it is a solid start as it gives a security x-ray image of the organization.
It must be clear that each enterprise and each sector of the economy or industry has its own special needs.
For best results:
1. Modify the plan to best suit your needs.
2. Repeat the exercise every 2 years.
3. Build your strategy with annual intervals.
A comparative analysis between your company and its peers will persuade even the most demanding CEO or Board.
Comparative presentation
[Slide figure: chart for the Process sector. Rows: Information risk mgmt.; Policy and compliance framework; Information asset mgmt.; BC/DR; Incident and threat mgmt.; Physical and environmental security; Systems dev. and ops mgmt. Scale: Poor, Average, Good, Exceptional. Series: Company = 3-year target; Company = Current; Peer average.]
Athens International Airport
Thank you for your attention!
George D. Delikouras
Athens International Airport S.A.
Head of Information Security
IT&T Business Unit