Does your company have a clear list of the most critical or sensitive information that exists within your corporate estate? These “monuments” of information, or Crown Jewels as CISOs may refer to them, should be a key focus area for risk review, security protections, and resilience planning. Business executives in Risk, Security, Legal, Compliance, and Operational departments should unite in uncovering, understanding, and securing the company’s high-value information assets.
It won’t matter that a company has deployed advanced security defenses if those defenses aren’t tuned to protect the company’s critical or sensitive information “monuments.” Otherwise the guards end up posted around the back garden while the front door of the estate stands unguarded.
The Three Main Types of Crown Jewel Systems
Crown Jewels are most commonly thought of as critical technology systems: systems that are essential either to the infrastructure or to the core processes of a business. Labeling a system a “Crown Jewel” generally brings the burden of additional review, augmented security controls, and resilience and redundancy measures to protect against outage, corruption, or unauthorized access. These systems generally fall into three categories:
- Revenue production — If they become unavailable, we don’t make money.
- Operational criticality — If they go down, we cannot do our core business.
- Store extremely private information — If they hold employee records, banking information, or other personally identifiable information (PII), a breach exposes us to regulatory fines.
Responsibility for identifying and protecting Crown Jewel technology systems often belongs to technology leaders, the CIO, or the CISO. But what is or isn’t a Crown Jewel is not an easy determination to make from an IT perspective alone. Let’s explore that concept in more detail.
What Makes Something a Crown Jewel Information Asset?
First, not all Crown Jewel systems necessarily contain critical or sensitive business information, and not all critical or sensitive information necessarily resides in a Crown Jewel system. And that’s OK, but there should be a process to identify and close this gap. For example, consider a finance professional who builds a financial model in a spreadsheet. The spreadsheet application itself would rarely be considered a Crown Jewel system, yet the information inside that spreadsheet may well be sensitive or critical to the business.
Ultimately, each company will define its Crown Jewels differently. Some things to consider when building or reviewing your Crown Jewel program:
- Crown Jewels are a small subset of the most important business information that a company has.
- Crown Jewels are often the type of information that defines a company’s “secret sauce.”
- For a software business, the source code may be a Crown Jewel.
- For an investment manager, the models used to make investment decisions may be a Crown Jewel.
- For a pharmaceutical company the drug formulary may be a Crown Jewel.
- Compromise of a Crown Jewel carries a significant impact (financial, regulatory, or reputational) if the information is made public or manipulated without authorization.
- If the information is accessed by unauthorized parties, does it make the front page of the newspaper or result in a regulatory fine?
- If the information is manipulated, does it have a financial or operational impact, or result in legal liability?
- Crown Jewels are indisputably critical or sensitive to the business; if there is a debate about whether something qualifies, it probably belongs in a lower tier.
Whose Problem Is It?
Responsibility for identifying and protecting Crown Jewel information assets is shared among many stakeholders. Identifying the assets matters to the operational business functions that create and use the information. Understanding the impact of a loss or breach matters to the risk and compliance functions that must quantify those impacts. And designing and enabling security controls matters to the IT and Security teams.
Many companies have established cross-functional Information Governance and Advisory groups to coordinate on Crown Jewel governance, risk, and control. CISOs are well poised to play a key role in a Crown Jewel information protection program: they already think in terms of risk assessment and control prioritization, and they have the tools to secure information. But they need support from across the business to lead such a program effectively, because only the business can say which information actually matters.
An Effective Crown Jewel Program Doesn’t Have to be Hard
To launch a Crown Jewel program, leverage the resources and processes that are already in place.
- Inventory: Create an inventory of Crown Jewel systems.
  - Consider adding context such as the information held and the business purpose that qualifies each entry as a protected Crown Jewel.
- Assess: Establish a process for reviewing risks and controls.
  - Consider adding “Crown Jewels” to the existing risk framework so that risks and controls related to protecting Crown Jewel information are assessed alongside everything else.
- Secure: Define a menu of security controls.
  - Consider adding a section of controls that can be deployed specifically for “Crown Jewel” information.
- Test: Develop a process for testing security controls.
  - Make sure testing covers both unauthorized access to and unauthorized manipulation of Crown Jewel information, not just availability.
- Educate: Leverage existing cybersecurity and risk awareness training to include additional guidance on the importance of protecting Crown Jewel information.
Don’t Wait To Get Started!
The most important thing about protecting Crown Jewel information assets is to start without delay. In security enhancement, perfection is the enemy of good.
Risk Leaders: Expand current business risk engagement activities to include a definition of Crown Jewel information assets. Assign a resource to identify and inventory Crown Jewel information, and ensure there are corresponding controls deployed. Caution: the list of a company’s Crown Jewels becomes a Crown Jewel in and of itself, since it hands an attacker a prioritized target list; restrict access to the inventory accordingly.
Business Leaders: Think about what information your department creates or depends on that could be the “secret sauce” for the company. Consider using one of the regular monthly or quarterly all-hands meetings to talk about high-value information assets and remind team members of available controls and resources (such as contacting Information Security) if they want assistance with deploying controls or if they suspect a potential data breach / loss.
Compliance: Consider linking records management, regulatory compliance, and privacy teams into the overall discussion around a company’s Crown Jewel information assets. Chances are your company already has a ‘committee’ that’s well poised to energize this initiative, and if not, consider organizing one.
CISOs: Consider offering a “menu” of available controls that business and risk leaders can choose to deploy to their Crown Jewel assets. Get to know the business! Security professionals are experts at identifying risks and deploying security controls, but they cannot do their best work if they don’t know what they need to protect or to what extent. Get to know each business area and understand what it cares most about.
Business leaders are accustomed to prioritizing resources, budget dollars, and time to maximize benefit and impact. Having a clear understanding of the company’s Crown Jewel Information assets enables management to similarly apply a risk-based prioritization to security.
💡 Resources
MITRE Crown Jewels Analysis: MITRE lays out an approach and process steps for identifying the mission-critical business systems so that security controls can be prioritized and dependencies can be established.
ISF Securing Mission Critical Assets: The Information Security Forum presents a process to identify the mission-critical systems and considers the potential adversaries when determining and applying protections.
Forbes Tech Council: Protecting the Crown Jewels: In this piece written for the Forbes Technology Council, the author lays out the arguments for identifying and protecting Crown Jewels. Of note, he points out the challenge of relying on information classification and the importance of making this part of a continual program.