Where are the crown jewels?
By Kolin Gage, SecMidwest
Jul. 1, 2022 6:30 am
The “crown jewels” of your business are the assets most critical to accomplishing your organization’s mission.
Where do they reside? Who has access? Who reviews that access?
What impact would it have on your business if you lost control of this data?
Knowing where your critical data resides is important in establishing your business priorities within cyber security.
In an effort to protect your jewels, you first must make sure you know where they are located. You may have more than you are aware of.
Locate them and know what they are. After that, you need to investigate the software and systems that directly or indirectly support those crown jewels.
Next, you need to consider that some types of data are liabilities on your systems. Depending on that data, it could be just as costly to your business as the jewels are profitable.
Some examples are employee personally identifiable information, or PII, customer credit card information, and medical information. These items should be locked up just as securely as the jewels, or not stored at all if that is possible, to reduce your overall risk.
Now that you have identified those crown jewels on your computers, servers, network locations and cloud apps, determine who has access to these locations. Does the access comply with the principle of least privilege, in which only people who need access have the right amount of access to these jewels?
Is the access limited or is it wide open? Have you ever asked for a summary of a file or program access for the past month or x number of days?
Do you or someone in your business have access to create these types of reports? Would you know if these jewels were accessed fraudulently?
The best time to think about these questions is when you are not in a crisis situation.
To answer some of these questions, it may be beneficial to set up a meeting with department heads, managers and the I.T. folks to dig into your environment. Gather all the stakeholders that have a part to play in securing the organization into the room and start asking these important questions.
Make sure everyone is aware of what your specific crown jewels are and explore if there are some others of which you may not be aware. From there, you can start the process of securing those items, keeping in mind the principle of least privilege.
The final step in this whole process is never finished. Someone needs to be responsible for reviewing access to all of these jewels on a regular basis.
That person should create and submit regular reports on access and make sure that access complies with business needs. These reports should include legitimate access and illegitimate attempted access.
The latter should be used to harden the defenses around these jewels.
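As an added illustration, not part of the column, here is a small Python script that produces the kind of periodic access report described above from a constructed file-server audit log; the file paths, user names, authorization list and log format are all hypothetical.

```python
import re

# Constructed inventory: each crown-jewel location and the users who are
# authorized to touch it (hypothetical paths and names).
CROWN_JEWELS = {
    "/finance/q2_forecast.xlsx": {"alice", "bob"},
    "/hr/employee_pii.csv": {"carol"},
}

# Constructed audit log for the review period, one event per line, in a
# hypothetical file-server format:
# <timestamp> user=<name> action=<read|write> path=<file> result=<ALLOWED|DENIED>
SAMPLE_LOG = """\
2022-06-03T09:12:44 user=alice action=read path=/finance/q2_forecast.xlsx result=ALLOWED
2022-06-03T09:15:02 user=dave action=read path=/finance/q2_forecast.xlsx result=DENIED
2022-06-10T14:01:19 user=carol action=write path=/hr/employee_pii.csv result=ALLOWED
2022-06-11T22:47:55 user=eve action=read path=/hr/employee_pii.csv result=ALLOWED
2022-06-12T08:00:00 user=alice action=read path=/public/newsletter.pdf result=ALLOWED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) result=(?P<result>ALLOWED|DENIED)$"
)

def review_access(log_text, jewels):
    """Per crown-jewel path: legitimate users seen, denied attempts (input for
    hardening), ALLOWED events by users not on the authorized list (a
    least-privilege failure to investigate), and authorized users who never
    used their access (candidates for removal)."""
    report = {
        path: {"legitimate": set(), "denied": [],
               "unauthorized_allowed": [], "unused": set()}
        for path in jewels
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in jewels:
            continue  # skip malformed lines and locations that are not jewels
        entry, user = report[m["path"]], m["user"]
        if m["result"] == "DENIED":
            entry["denied"].append((m["ts"], user))
        elif user in jewels[m["path"]]:
            entry["legitimate"].add(user)
        else:
            entry["unauthorized_allowed"].append((m["ts"], user))
    for path, authorized in jewels.items():
        report[path]["unused"] = authorized - report[path]["legitimate"]
    return report
```

Run against a real audit export, the "unauthorized_allowed" and "unused" findings are the two items a reviewer should act on first: the former is access that should not exist, the latter is access nobody needs.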
I.T. security teams need to have real-time monitors that provide actionable intelligence before, during and after a security incident has happened. Ideally, the business makes it harder to break into the “vault” that keeps your “crown jewels” locked up securely.
Kolin Gage is security administrator at Folience, The Gazette’s parent company, and a founding member of SecMidwest. If you would like to talk more about this topic, visit secmidwest.org. Also, feel free to attend SecMidwest’s meetings on the second Thursday of the month.