I’ve recently been participating in a project run by the Information Security Forum called “Protecting the Crown Jewels”. This is a project for organisations to:
- Identify their most valuable information assets (“Crown Jewels”) and identify the risks to those assets
- Apply the necessary level of protection to those assets
Two themes have struck me throughout the project. Firstly, each organisation has a different interpretation of their “Crown Jewels”. Secondly, once you have identified your Crown Jewels how does the organisation ensure that everyone is aware of those assets?
It is not surprising that disparate market sectors identify different assets as a Crown Jewel. Here at Boldon James, as a software vendor, we identify our source code as a Crown Jewel. If we lost our source code through, for example, an environmental issue, this would be critical to the well-being of the company. Obviously, at a bank or a pharmaceutical company, source code will be less important than mergers and acquisitions details or pre-patent information respectively. None of this is unexpected. However, whilst the type of Crown Jewels may change, I believe the process for controlling access to those Crown Jewels should be the same for all industries.
This brings me to the second theme. An organisation could take the Queen’s approach to “Crown Jewels”: identify them clearly as Crown Jewels whilst providing a fortified tower in the centre of London as a protection mechanism. I agree with the first measure of clearly identifying your Crown Jewels with an obvious classification value. Some people prefer the approach of not identifying their key assets, to make it harder for an attacker to find them. However, obscurity has long been shown to be a poor security measure.
Building a Tower of London is not an option available to most organisations. Nor does it fit with the modern manner of distributing information assets over ever more inventive distribution mechanisms. However, if an information asset is classified as a “Crown Jewel”, then it could be encrypted using techniques such as Azure Rights Management: a mini Tower of London around each information asset.
The “Protecting the Crown Jewels” project is ongoing and it will be interesting to see the recommendations. If you are a member of the ISF, I recommend that you look at the project, as it is raising many fascinating comments.