In a recent episode of Weaver: Beyond the Numbers, Hunter Sundbeck and Trip Hillman highlighted risks and protections over the data companies should be most concerned about, or in other words, their crown jewel data.
From “Open to the Public” to “Top Secret,” the physical and electronic data within an organization falls into a range of categories. On the “Top Secret” end of the spectrum is an organization’s “Crown Jewel Data.” It could be a hedge fund’s algorithm, Nike’s next shoe release, or Coca-Cola’s famous recipe. In other words, intellectual property, trade secrets, patents, copyrights, trademarks, and any other protected information that is unique to the company and contributes to its competitive advantage.
In the face of ongoing risks and threats to data security, managing and protecting Crown Jewel Data can be difficult for executives and cybersecurity professionals. It takes only one successful attempt to steal an organization’s Crown Jewel Data, so organizations need to get it right every time just to prevent these external threats.
Even organizations with robust security programs that maintain compliance with a variety of regulatory bodies struggle with the identification and management of data. One way to stay ahead of the competition is to create a comprehensive Data Management Program that applies to the entire organization and its data.
Opening the Jewelry Drawer – Identifying Important Data
The first step is to identify and categorize the data you have.
Definitions of the types of data will vary by industry and regulatory body, but these are the key starting points for data identification within your organization.
Sensitive / Confidential / Private / Financially Impactful
- Do we maintain any information that we don’t want others to have?
- Why is it important? Where does it live? How bad would it be if this was breached/disclosed/accessed?
- What data do we have that would risk financial loss/impact if breached/disclosed/accessed?
- Do we have any material, non-public information that could affect the organization?
- Examples: M&A activity, Court/Agency Proceedings, Sales Data / Profitability, Strategic Plans, Designs / Blueprints / Schematics, Formulas, Executive Meeting Minutes
Personally Identifiable Information (PII) and Personal Information
- Do we have any information related to people (Employees, Customers, Contractors, Vendors, Prospects/Candidates) that could be classified as PII by different regulatory bodies?
- How would we classify the information?
- Do we know the geo-region of the individual?
- All PII is PI; not all PI is PII.
- Examples of PII: SSN, DL#, ID#, Biometrics, DoB, Mother’s Maiden Name
- Examples of PI: Name, Sexual Orientation, Health Info / Genetic, Political Opinion, Religious Belief, Location Info, IP Address, Employment Info, Photographs, Criminal Record, Union Membership
Personal Health Information (PHI)
- Do we have and label any data that is constituted as health information for employees, contractors, customers, vendors?
- Is this data in physical or digital form?
- Do we know the geo-region of the individual?
- Do we handle (in any way – store, process, transmit, support, access) regulated data?
- Payment Card Information (PCI)
- Defense (U.S. DoD – CMMC)
- PI/PII (GDPR, CCPA, CPRA, LGPD, NY SHIELD)
We’ve checked labeled information, but what about the information that is unlabeled?
What data do we store, process, or transmit across all systems, entities, contractors, and regions?
Do we rent or access any information from third parties or service providers?
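The questions above are a manual inventory, but the unlabeled ("dark") data they ask about is usually found by scanning. The following is an added example, not part of the original post or of Weaver's methodology: a small Python discovery script that tags free-text records with the categories used above (PII, PI, PCI, Sensitive) based on simple indicators, and reports anything it could not tag as a candidate for human review. The sample records, the indicator patterns and the category mapping are all constructed for illustration; the mapping follows the post's example lists (SSN and date of birth as PII, IP address as PI, card numbers as PCI, strategic plans and formulas as Sensitive), and a Luhn check is used on long digit strings to cut false positives on card numbers.

```python
import re

# Constructed sample records of the kind found on shared drives, ticket
# exports or application logs. No value here belongs to a real person or card.
SAMPLE_RECORDS = [
    "Onboarding form: Jane Doe, SSN 123-45-6789, DoB 1985-04-12",
    "Refund processed for card 4111111111111111 via support portal",
    "VPN audit: user bob connected from 203.0.113.42",
    "Q3 strategic plan draft - do not distribute",
    "Lunch menu for Friday: tacos",
]

# Indicator name -> (pattern, category). Categories follow the post's lists;
# the patterns are assumptions chosen for this example, not a complete taxonomy.
INDICATORS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "PII"),
    "dob": (re.compile(r"\b(?:DoB|date of birth)\b[:\s]*\d{4}-\d{2}-\d{2}", re.I), "PII"),
    "pan": (re.compile(r"\b\d{13,19}\b"), "PCI"),
    "ipv4": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "PI"),
    "sensitive_keyword": (
        re.compile(r"strategic plan|blueprint|schematic|formula|meeting minutes|M&A", re.I),
        "Sensitive",
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a 13-19 digit run that fails it is unlikely to be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: str) -> dict:
    """Return the categories and indicator hits for one record."""
    categories = set()
    hits = []
    for name, (pattern, category) in INDICATORS.items():
        for match in pattern.finditer(record):
            # Only accept a digit run as a PAN if it passes the Luhn check.
            if name == "pan" and not luhn_ok(match.group()):
                continue
            hits.append(name)
            categories.add(category)
    return {"record": record, "categories": sorted(categories), "hits": hits}


def classify_all(records):
    return [classify(r) for r in records]


def unclassified(results):
    """Records with no hits: candidate dark data that needs a human decision."""
    return [r["record"] for r in results if not r["categories"]]


if __name__ == "__main__":
    results = classify_all(SAMPLE_RECORDS)
    for r in results:
        print(f"{r['categories'] or ['UNCLASSIFIED']}: {r['record']}")
    print("Needs review:", unclassified(results))
```

The point of the last function is the one the post makes: a scanner only confirms what it was told to look for, so the records it cannot tag are exactly the ones that need the data-owner conversation, and the tagged ones still need a geo-region and regulatory mapping that no regex can supply.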
Protecting the Jewels – Building a Data Management Program
On paper, developing a data management program may appear to be simple. But as they undertake this process, most organizations begin to uncover areas that aren’t as elegantly refined as they could be.
For executives, the challenge is knowing exactly what to consider as Jewel Data. This can cause disagreements and tension between executives representing different areas of the organization. Thankfully, Jewel Data encompasses all areas listed previously as information that should be protected with the utmost diligence.
Good data management programs should:
- Include the overall objective of the program that supports the strategic goals of the organization.
- Be comprehensive and apply to the entire organization, with each business unit having its own program as needed. A business unit’s program must not supersede any criteria outlined in the organization-wide program.
- Account for the data collected by the organization and any applicable regulations (Children’s Online Privacy Protection Rule, Health Insurance Portability and Accountability Act, California Consumer Privacy Act, Family Educational Rights and Privacy Act, etc.).
- Be based on a widely accepted framework that reflects industry-accepted best practices and applicable regulations. The National Institute of Standards and Technology (NIST) Privacy Framework and NIST Cybersecurity Framework are great models to help build the program. Additionally, certifications or accreditations would be beneficial to include.
- Identify a program owner who is responsible for program management, as well as other key roles within the program (data owner, data processor, etc.).
- Outline data classification standards for data collected, processed, and stored by the organization, as well as retention requirements for each.
- Be reviewed annually to determine if any material updates are needed and if the program is effective. This review would involve sponsorship from senior management.
- Define the data lifecycle phases and how data is collected, processed, and protected in each phase.
Securing the Jewels – Maintaining a Strong Data Management Program
If you are working to maintain a program that you have already developed, there is a continual need to stay ahead of external threats as well as changing regulations. Wherever your organization is in the process, these steps should be part of the process of maintaining a data management program:
- Verify that your data management program complements your organization’s strategic objectives. Doing so will guarantee that the data you collect, store, and process is consistent with how your organization conducts business. When you have an efficient data management program, you have an even more efficient business model.
- Reassess your incident response procedures and their application to your Jewel Data. It could be the case that these procedures should be further developed and refined to respond more aggressively and quickly to incidents involving Jewel Data than to incidents involving less-critical data. Implementing a semi-annual review and exercise of procedures related specifically to Jewel Data would help reduce the risk of exposure and risk realization by external threats.
- Identify key stakeholders who will be responsible for responding to incidents involving Jewel Data. Organizations should keep this list up to date with correct contact information and responsibilities. This process can be implemented in conjunction with the semi-annual review and exercise of the Jewel Data response procedures.
- Document “tribal knowledge” (knowledge possessed by individuals about the organization, but not written down) to clarify which federal and state laws apply to specific information. It is critically important to know which regulations require protections over proprietary information, but equally important to know what information the organization has that must be protected in a specific way that is detailed in the applicable regulation (Colorado’s Privacy Law, for example). When implementing the various procedures to develop and refine a data management program, organizations should develop these with key risks to Jewel Data in mind. Some of these risks are:
- Evolving technology environment and business ecosystem;
- Changing legal landscape at the state, federal and international level. With privacy laws becoming more prevalent, the risk of noncompliance is also growing;
- Collecting and storing data you are unaware of, or “dark data,” in your ecosystem;
- Accounting for increasing data volume and all data collection methods used by the organization; and
- The loss of critical data due to cyberattacks including social engineering (email phishing), unprotected networks (and possibly unknown data locations/services), or insider exfiltration and theft.
The process of examining these risks can serve as a springboard for a data discovery conversation, whether that happens as part of the process of updating briefing materials for the Board of Directors and Audit Committee or rounding out the annual audit plan.
Wondering where to get started? Leveraging MITRE’s Crown Jewel Analysis, Weaver helps organizations that are struggling to get started with data management by conducting Crown Jewel Assessments to identify the critical data assets that support the mission, strategy, and compliance requirements of the organization. Contact us for information or questions.
Authored by Hunter Sundbeck, CDPSE, and Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA.