George D. Delikouras
Head Information Security
Athens International Airport
Greece
Contents
- A tough question: How secure are we?
- What are the corporate information security needs? A top-down approach
- How can we prioritize our needs? A risk-based approach
- How can we persuade top management to invest in information security?
- How can we present analysis results to the top management?
- From strategy to implementation: Project phases
Introduction
- Many Information Security Officers want a strategic approach to information security for their organization.
- In most cases executives lack the time or the tools to map the organization's needs and priorities in order to schedule tasks or prepare an investment plan.
- A well-documented proposal, based on a plan that can be easily understood, is the first step. A successful presentation to top management is the most important step towards the objective.
The top-down approach
- Information security applies to people, processes and technology.
- These are the three sectors we start from; each of them can then be split into more specific domains.
- Many executives understand these specific domains, in which we are going to propose investments, better than the abstract whole, e.g. "we have security issues in our database infrastructure".
- The top-down approach offers a structured presentation of the sectors and domains in which we are willing to invest.
Overall framework: Sectors
The security program is split into three sectors: People, Process and Technology. Each sector is crossed with the same four horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement & reporting.
Overall framework: Domains
Each sector of the security program is crossed with the four horizontal actions (Policy definition, Enforcement, Monitoring & response, Measurement & reporting) and split into domains:
- People: Identity & access management; Information security mgmt.; Training, awareness, & personnel
- Process: Information risk management; Policy & compliance framework; Business continuity & DR; Incident & threat management; Information asset management; Physical and environment sec.; Systems dev. & ops mgmt.
- Technology: Network; Database; Systems; Endpoints; Application infrastructure; Messaging & content; Data
The next step
- Even at this level of analysis, a CEO or a CIO can assess and understand the sectors and domains where investment will be needed.
- The next step is to go one level lower for the domains we have already defined. At this level we specify the technologies that need to be deployed in the organization and the way they are used: first of all to protect information and systems, but also to produce the measurable results required to justify them.
Monitoring, metrics, reporting
- The effectiveness of our investments is revealed by systematic measurement and reporting. This must be an objective in itself, and its prerequisite is the correct framework for data collection.
- We define four horizontal actions for the organization:
1. Information security policies with applicable and achievable rules.
2. Obligatory enforcement of policies and rules.
3. Monitoring of compliance with, and enforcement of, the policies.
4. Metrics and reporting that show the effectiveness of the policies.
People
Domains: Information security organization; Training, awareness, & personnel; Identity and access management. Horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement.
Activities placed on the People map: IT governance structure; Business outreach program; IT operations security; Security advocacy & marketing; Audit framework; Personnel identity & eligibility checking; Security steering committee; Information risk management team; Business-level security; Corporate-level security; Security awareness & education; Performance management; Role definition; Performance management integration; Privilege definition; Awareness testing; Access control implementation; Activity monitoring; Privacy, compliance, & ethics training; Business controls monitoring.
Process
Domains: Systems dev. and operations management; Physical and environmental security; Incident & threat management; Information asset management; Policy and compliance framework; Information risk management; Business continuity & disaster recovery. Horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement.
Activities placed on the Process map: Requirements management; QA & system security review; Sourcing strategy; IT acquisition; Event analysis; App access control; Change management; System access controls; Log retention; Audit framework; Architectural review; Threat research; Response planning; Post-incident review; Forensics; Incident response; Security testing; Facilities access control; Risk assessment; Contract management; Business impact analysis; Asset life-cycle management; Asset ownership; Continuity planning; Redundancy management; BCP testing; Plan maintenance; Information asset tracking; Records retention; Information risk tracking; Information risk classification; Policy creation; Policy maintenance; Compliance research; Policy distribution; Information risk handling; BCP training.
Technology
Domains: Data; Network; Databases; Systems; Endpoints; Messaging & content; Application infrastructure. Horizontal actions: Policy definition, Enforcement, Monitoring & response, Measurement.
Technologies placed on the Technology map: Network access control; NBAD; Wireless gateway; WLAN monitoring; Audit & risk management framework; IPS; Firewall; SSL VPN; Database encryption; Vulnerability management; Database monitoring; Antivirus; Configuration mgmt.; Storage security; Firewall/Host IPS; Directory; Application assessment; Antivirus; Antispam; Email encryption & filtering; Web filtering; Enterprise SSO; Antivirus/Antispyware; Endpoint control; Firewall/Host IPS; Client encryption; XML gateway; Web SSO; IM filtering; Digital investigation & forensics; SIM; App encryption; Information leak protection; Enterprise encryption & key management; Digital rights management; Identity & access management; Strong authentication; Database config. mgmt.; Application FW.
From theory to practice
- Very nice theory so far. What can I do in my company?
- How can Checkpoint technologies really help me?
- The answer in 3 steps:
1. Draw a map of the sectors and domains that we have described so far, noting which technologies add value to the enterprise.
2. Draw the same map depicting the existing situation in the organization.
3. Prioritize the needs and draw them on paper. Discuss with Checkpoint technology experts how the organization benefits in each sector and every domain.
Step 1: Value map
The Technology map (domains Data, Network, Databases, Systems, Endpoints, Messaging & content and Application infrastructure, crossed with Policy definition, Enforcement, Monitoring & response and Measurement), with each technology rated by the value it adds to the enterprise: High, Medium or Low.
Step 2: Existing situation
The same Technology map, with each technology rated by its current state in the organization: Not implemented, Needs attention or Satisfactorily implemented.
Step 3: Prioritization
Rows: Network; Databases; Systems; Endpoints; Applications infrastructure; Messaging & content; Data; Policy & risk management. Columns: Immediate attention; Short-term review; Long-term review. Each technology is placed in the column matching its priority and marked with its state (Not implemented, Needs attention, Satisfactorily implemented).
Technologies on the prioritization map: SIM; Audit framework; Strong authentication; IAM; Forensics; Vulnerability management; NAC; IPS; WLAN gateway; WLAN monitoring; NBAD; Firewall; VPN; Directory; App assess; Application firewall; Application encryption; XML gateway; Web SSO; Configuration mgmt.; Server AV; FW/IPS; FW/IPS; Antispyware; Client encryption; Endpoint control; Enterprise SSO; Storage security; Database encryption; Database monitoring; Database config. mgmt.; ILP; IM filtering; Antivirus; Antispam; Email encryption; Web filtering; Enterprise encryption & key management; DRM.
…some advice
- This framework might seem too generic, but it is a solid start as it gives a security X-ray image of the organization.
- It must be clear that each enterprise, and each sector of the economy or industry, has its own special needs.
- For best results:
1. Modify the plan to best suit your needs.
2. Repeat the exercise every 2 years.
3. Build your strategy with annual intervals.
- A comparative analysis between your company and its peers will persuade even the most demanding CEO or Board.
Comparative presentation
A chart for the Process sector: each domain (Information risk mgmt.; Policy and compliance framework; Information asset mgmt.; BC/DR; Incident and threat mgmt.; Physical and environmental security; Systems dev. and ops mgmt.) is rated on a scale of Poor, Average, Good, Exceptional, with three series: Company = Current, Company = 3-year target, Peer average.
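The three-step exercise (value map, existing situation, prioritization) and the comparative presentation, worked through as an added Python example. This is not code from the presentation or from Athens International Airport; the rating labels and technology names are those used on the slides, while the scoring rule (value times distance from a satisfactory implementation), the priority thresholds, the maturity thresholds and the sample ratings are assumptions made for this illustration.

```python
# Added example, not from the presentation: combines a Step 1 value map and a
# Step 2 existing-situation map into the Step 3 priority buckets, and derives a
# per-domain maturity rating on the comparative-chart scale. The scoring rule,
# the thresholds and the sample ratings are assumptions made for this example.
from collections import defaultdict
from enum import IntEnum


class Value(IntEnum):
    """Step 1: value the technology adds to the enterprise."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Status(IntEnum):
    """Step 2: current state of the technology in the organization."""
    NOT_IMPLEMENTED = 0
    NEEDS_ATTENTION = 1
    SATISFACTORY = 2


IMMEDIATE = "Immediate attention"
SHORT_TERM = "Short-term review"
LONG_TERM = "Long-term review"


def gap_score(value, status):
    """Assumed rule: value times the distance from a satisfactory implementation.
    0 = satisfactorily implemented, 6 = high-value technology not implemented."""
    return int(value) * (int(Status.SATISFACTORY) - int(status))


def priority(value, status):
    """Assumed bucketing of the gap score: 4-6 immediate, 2-3 short-term, 0-1 long-term."""
    score = gap_score(value, status)
    if score >= 4:
        return IMMEDIATE
    if score >= 2:
        return SHORT_TERM
    return LONG_TERM


def prioritize(entries):
    """entries: (domain, technology, Value, Status) tuples.
    Returns {bucket: [(domain, technology, score), ...]}; each bucket is sorted so
    the largest gap comes first, ties broken by domain and technology name."""
    buckets = defaultdict(list)
    for domain, tech, value, status in entries:
        buckets[priority(value, status)].append((domain, tech, gap_score(value, status)))
    for items in buckets.values():
        items.sort(key=lambda item: (-item[2], item[0], item[1]))
    return dict(buckets)


def domain_coverage(entries):
    """Value-weighted implementation level per domain: 0.0 means nothing is
    implemented, 1.0 means every technology is satisfactorily implemented."""
    achieved, possible = defaultdict(int), defaultdict(int)
    for domain, _tech, value, status in entries:
        achieved[domain] += int(value) * int(status)
        possible[domain] += int(value) * int(Status.SATISFACTORY)
    return {domain: achieved[domain] / possible[domain] for domain in possible}


def domain_maturity(entries):
    """Assumed thresholds onto the comparative-chart scale:
    below 0.25 Poor, below 0.5 Average, below 0.75 Good, otherwise Exceptional."""
    ratings = {}
    for domain, coverage in domain_coverage(entries).items():
        if coverage >= 0.75:
            ratings[domain] = "Exceptional"
        elif coverage >= 0.5:
            ratings[domain] = "Good"
        elif coverage >= 0.25:
            ratings[domain] = "Average"
        else:
            ratings[domain] = "Poor"
    return ratings


# Constructed sample ratings (domain, technology, Step 1 value, Step 2 state),
# using technology names from the Step 1/2 slides; the ratings are invented.
SAMPLE = [
    ("Network", "Firewall", Value.HIGH, Status.SATISFACTORY),
    ("Network", "IPS", Value.HIGH, Status.NEEDS_ATTENTION),
    ("Network", "NBAD", Value.MEDIUM, Status.NOT_IMPLEMENTED),
    ("Databases", "Database encryption", Value.HIGH, Status.NOT_IMPLEMENTED),
    ("Databases", "Database monitoring", Value.MEDIUM, Status.NEEDS_ATTENTION),
    ("Endpoints", "Client encryption", Value.MEDIUM, Status.SATISFACTORY),
    ("Endpoints", "Antivirus/Antispyware", Value.HIGH, Status.SATISFACTORY),
    ("Messaging & content", "IM filtering", Value.LOW, Status.NOT_IMPLEMENTED),
    ("Messaging & content", "Antispam", Value.LOW, Status.NEEDS_ATTENTION),
    ("Data", "Enterprise encryption & key management", Value.HIGH, Status.NOT_IMPLEMENTED),
    ("Policy & risk management", "SIM", Value.HIGH, Status.NEEDS_ATTENTION),
]

if __name__ == "__main__":
    result = prioritize(SAMPLE)
    for bucket in (IMMEDIATE, SHORT_TERM, LONG_TERM):
        print(bucket)
        for domain, tech, score in result.get(bucket, []):
            print(f"  [gap {score}] {domain}: {tech}")
    for domain, rating in domain_maturity(SAMPLE).items():
        print(f"{domain}: {rating}")
```

Running the script with the constructed sample puts the two high-value, not-implemented items (enterprise encryption, database encryption) and the medium-value NBAD into "Immediate attention", and rates Databases and Data as Poor on the comparative scale. The same per-domain rating function can be run on the current map, the 3-year target map and a peer's map to produce the three series of the comparative chart.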
Athens International Airport
Thank you for your
attention!
George D. Delikouras
Athens International Airport S.A.
Head Information security
IT&T Business Unit
george.delikouras@aia.gr
