These questions are designed to help you assess and protect your crown jewels.
The crown jewels approach to cybersecurity has you assess the data assets that are most critical and of most value to the company. Which data creates intrinsic value, a competitive advantage, or intellectual property?
1. Which digital assets underpin the strategic mission and core competencies, or differentiate the enterprise from its competitors?
For high-tech and pharmaceutical companies, for example, this includes systems holding high-value intellectual property. For law firms, this would include client communications and case file information. It's important to note how you receive this information and where it is stored. If a company is storing this data in its email inboxes, it has bigger problems.
2. How many sensitive or personally identifiable customer records does the application hold, transmit or process?
Systems that hold millions of sensitive customer records, medical information or credit card information demand higher levels of protection. Aside from the breach of privacy itself, a breach of any of these platforms could also result in significant reputational damage or customer backlash.
Compliance requirements should also be understood, as this determines how long this information needs to be stored after a client transaction.
3. Does the system process high-value transactions or does it just hold static data?
Understanding the type of data that is stored is important. For example, people will store mixed data within their email inbox, whereas a server typically holds very specific data fields. Knowing what type of data is stored helps you determine its value and its protection requirements.
Is the stored data related to financial transactions and the processing of those transactions? Are the transactions high value, or do they occur at a certain frequency? Does the data facilitate access to PII or other assets?
4. What would be the impact to employee productivity if the system was compromised and taken offline?
For example, a cyber breach on core banking platforms or call centre systems would result in significant employee downtime for a bank, while a breach of a point-of-sale system would have a major impact on a retailer’s employees.
What are the systems within the business that impact employee productivity? Being able to answer this question will help you determine crown jewel assets.
5. Does the enterprise have any external obligations to implement higher levels of protection around specific digital platforms?
If you were being audited, who would be auditing you, and for what reasons? Answering this question will help you determine your protection standards and priorities.
For example, some institutional investors mandate investment firms managing their portfolios to implement an agreed minimum level of controls around systems that host, process or transmit their sensitive data. Also, publicly listed companies should ensure systems that feed into their audited financial statements are adequately protected. SWIFT has issued its own minimum level of security standards that all users are expected to implement on their local SWIFT infrastructure. Financial institutions that rely on similar payment platforms to process time-critical trades cannot afford to ignore such obligations.
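One way to turn the five questions above into a repeatable rating is to score each asset against them and rank the results. The following is an added example, not part of the original post; the weights, the log scale for record counts, and the crown-jewel threshold are assumptions you would tune to your own business.

```python
from dataclasses import dataclass, field
import math

@dataclass
class Asset:
    name: str
    strategic: bool            # Q1: underpins mission, IP or differentiation
    sensitive_records: int     # Q2: PII / medical / card records held or processed
    transactions: str          # Q3: "none", "static", "low_value" or "high_value"
    productivity_impact: int   # Q4: 0 (none) .. 3 (business stops if offline)
    obligations: list = field(default_factory=list)  # Q5: e.g. ["PCI DSS"]

# Assumed weights: each question contributes at most 4 points.
TRANSACTION_SCORE = {"none": 0, "static": 1, "low_value": 2, "high_value": 4}

def score(asset: Asset) -> float:
    """Return a 0..20 crown-jewel score for one asset (weights are assumptions)."""
    s = 4.0 if asset.strategic else 0.0
    # Log scale so 10 million records does not drown out every other factor;
    # zero records scores zero, and the term is capped at 4.
    s += min(4.0, math.log10(asset.sensitive_records + 1))
    s += TRANSACTION_SCORE[asset.transactions]
    s += asset.productivity_impact
    s += min(4.0, 2.0 * len(asset.obligations))   # two points per obligation
    return round(s, 2)

def is_crown_jewel(asset: Asset, threshold: float = 10.0) -> bool:
    """Assumed threshold: half the maximum score marks an asset as a crown jewel."""
    return score(asset) >= threshold

def rank(assets: list) -> list:
    """Highest-scoring assets first, so protection effort can follow the list."""
    return sorted(assets, key=score, reverse=True)

# Constructed sample inventory for illustration only.
INVENTORY = [
    Asset("Internal wiki", False, 0, "static", 1),
    Asset("Core banking platform", True, 5_000_000, "high_value", 3,
          ["SWIFT customer security controls", "external financial audit"]),
    Asset("Case file repository", True, 20_000, "static", 2,
          ["client confidentiality agreements"]),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        print(f"{a.name:25} score={score(a):5.2f} crown_jewel={is_crown_jewel(a)}")
```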
Comment below other questions that you should be asking when designing your cybersecurity program.