Cybersecurity risk is an increasing focus area for board members, regulators, and business leaders across all industries. Executives are asking questions like: What are the cybersecurity threats that our company faces? What are our Crown Jewel Information Assets that we need to focus our resources on protecting? And just how well are we protecting our most critical or sensitive information assets? [Click here to discover if you’re protecting the right Crown Jewel Information Assets]
Information Security Officers and Risk leaders have a multitude of control frameworks to consider when prioritizing security activities. Each of them covers slightly different focus areas and many of them overlap. Some of the most widely reviewed security standards and frameworks are: ISO 27001/27002, PCI DSS, CIS Critical Controls, and the numerous NIST documents (e.g. NIST CSF, NIST RMF, NIST 800–53). It’s easy to get lost in the plethora of frameworks, recommendations, and best practices. CISOs and Risk leaders should remain focused on what Crown Jewel Information Assets they have, why they are considered critical or strategic and use that to inform and prioritize security controls.
Below are four principles to keep in mind when considering security protections for your Crown Jewel Information Assets.
1. Reduce The Potential For Unauthorized User Access
A basic tenet of information security is to reduce the likelihood that Crown Jewels are accessed by unauthorized parties. Business owners should consider who needs access to the information and what they will do with the information if they have access.
- Limit the ability for Crown Jewel Information to be shared outside of the company network. Afterall, these are the most critical or sensitive information assets. There are a number of ways to do this and methods should be evaluated based on the specific asset. For example, there may be some information that MUST be shared externally such as financial filings that may need to be shared with regulators, or litigation details that may need to be shared with outside counsel.
- Embed security controls in watermarks or metadata within the document to be able to track where the information is being shared. A visible footer with the document classification would caution users from sharing the information.
- Build security protocols around the format and use of the document. For example, is strategically sensitive or critical information stored in spreadsheet? Is there a standard format and layout? Does it always have the same header / footer? Does everyone need to be able to edit it? Does it need to be shared outside of a department? Will people outside of the company need access?
- Digital Rights Management solutions are rapidly maturing and highly configurable and may streamline these requirements.
2. Secure The Infrastructure Where The Information Is Stored
Information when not being accessed, edited or shared should be secured behind the equivalent of a vault.
- Consider whether you want to have a “doorman” at the entrance to your vault logging all the comings and goings of everyone who accesses their Crown Jewels.
- Encrypt the data both at rest and also as it moves around.
- Segmented networks, allow the most strategic and sensitive information to be stored in a separate network entirely. This reduces the risk of lateral movement and access.
3. Reduce Concentration Risk
Often times risk is magnified with scale. In the context of Crown Jewels this is a common principle. One financial record that includes a customer’s social security number and account number and holdings may be considered private information, but may not rise to the level of being considered a Crown Jewel Information asset of the firm. However, the spreadsheet that contains all customer social security numbers and all of their account numbers and holdings is likely to rise to the level of being a Crown Jewel.
It is common for business leaders to want to look at information in aggregate. With the rise of data science as a differentiator, it is increasingly common to create large data stores of information. One of the easiest ways to “de-risk” is to reduce the concentration of Crown Jewels. Does all of the information need to be joined into a consolidated table? Are there ways to save the data in smaller segments (e.g. accounts active during current quarter) to reduce the impact of accidental — or malicious — data manipulation or exposure?
4. Increase Awareness and Training
It has been said countless times, and is worth re-emphasizing, awareness and training of staff and partners remains one of the most valuable controls. Companies are challenged to fit a lot of important content in their annual security training or in their ‘cybersecurity awareness month’ agenda.
In the case of Crown Jewel, there is an opportunity for department leaders to take a front seat and lead awareness and training among their teams.
- Encourage team members to step outside of their daily routine to understand the different information classifications, and how Crown Jewels fit in to the hierarchy of information.
- Consider doing a role-play or a wargame / tabletop exercise to better understand the magnitude of the risk to Crown Jewels. Use that opportunity to also review the adequacy of security controls.
Inaction isn’t an option
When something as strategic and as mission critical as Crown Jewel Information isn’t secured with the most advanced controls and monitored persistently, it risks potentially exposing the company to violations and fines. Start reviewing your organization’s Crown Jewels today, using the the four ways presented above.
- Network Segmentation Isn’t a new concept and isn’t just a security strategy. This article on TechFunnel, lists the security benefits of segmentation.
- This SecureWorks blog article does a good job of putting a lot of information about the importance of cybersecurity awareness and training programs in one place. This piece includes steps to get started, providers, definitions and the case for more, not less, engagement.