Now that the Olympics have come to an end, many gold medals are flying back home with their winners. They are precious possessions that some will lock away for safety and others will display proudly. Every athlete will look for the right balance between protection and exposure.
The most valuable assets in an organization, its gold medals, are often referred to as the crown jewels. They too must be protected and used at the same time. That it is necessary and important to protect an organization's most critical assets has been preached often enough. The question is: how do you do it? And, more prominently: how does it fit your overall cyber security strategy?
Recently, ISF published their report on "Protecting the Crown Jewels". My colleague Stephan Wouterse and I had the opportunity to contribute to the report and to embed elements from our Cyber in the Boardroom approach and our industry experience in the ISF standard. In short, the standard explains how crown jewels are identified, how threats to these assets are derived in a structured way, how protection of each crown jewel can be achieved, and how crown jewel analysis fits into an organization's cyber security management system. Let me give you a quick read.
In essence, an asset is marked as a crown jewel because of the business impact of a compromise of its confidentiality, integrity or availability (e.g. competitively sensitive information), or because of its inherent value to the organization (e.g. company strategy). Typical threats to an asset can be identified through a kill-chain method, in which threat actors and exposure levels are evaluated in a sequence of steps that ultimately lead to the potential compromise of the asset. Two directions can then be chosen: targeting and reducing the threat, or protecting the asset. For example, investment in user awareness could reduce the threat of erroneous behaviour, while cryptographic solutions better protect data in transit without aiming for threat reduction at all. Based on the type of threat, the degree of influence the organization has over it, and the balance between risk and cost, a mixture of the two directions can be selected and implemented.
As a practical implementation guideline, the suggested controls are categorized into three security levels: fundamental, enhanced and specialized. In this way, potential controls can be selected based on the maturity of the organization and the required level of protection, making sure that feasible solutions are chosen for strategic risk reduction.
In the KPMG Cyber in the Boardroom methodology, crown jewel analysis is the second of five steps, right after the initial step of assessing the cyber maturity of an organization. Hence, the most critical assets are at the core of an information security strategy. Furthermore, contemporary red, blue and purple teaming efforts are increasingly focused on the crown jewels, exploiting and defending them along a kill-chain model. Effective protection of the most valuable assets enables organizations to keep their business running while looking for successful endeavours, just like an Olympic athlete.
Author: Thijs Timmerman, Senior Consultant KPMG Cyber Security