Labeling things platinum, gold, silver, and copper

When I hear the term crown jewels, it is usually a binary comparison of what data is important and what data is not important. We can't really think of an organization's data as either/or, because all data is important to an organization. Not only is all data important to an organization; understanding the value of the systems that process, store, and transmit this data is just as important. Just as the crown jewel information must be protected, so must the systems that interface with that data.

By understanding this concept, we can look at not just information, but the collective systems, as being classified as crown jewels.

Here are a few examples of information classifications:

  • Military information classifications (https://fas.org/sgp/library/quist2/chap_7.html):
    • Top secret: Disclosure of information that can cause exceptionally grave damage to national security
    • Secret: Disclosure of information that can cause serious damage to national security
    • Confidential: Disclosure of information that can be expected to cause damage to national security
  • ISO 27001:
    • Confidential (top confidentiality level)
    • Restricted (medium confidentiality level)
    • Internal use (lowest level of confidentiality)
    • Public (everyone can see the information)

By labeling the value of the networks of systems, applications, and so on, we can prioritize the time and effort we need to spend to keep them within an organization's risk tolerance thresholds.
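One way to turn the idea above into something an inventory can compute: a system inherits the highest classification of any data it processes, stores, or transmits, and data that flows from one system to another is handled by the receiving system too, so the label propagates downstream. The script below is an added example, not code from the book; the ISO 27001 levels are the ones listed in the text, the one-to-one mapping of those levels onto the platinum/gold/silver/copper labels is an assumption, and the system names and data flows are a constructed sample inventory.

```python
"""Derive each system's protection tier from the data it handles.

Assumptions (not from the text): a system inherits the highest classification
of any data it holds, and a flow (source -> destination) means the destination
handles the source's data as well. The chapter's metal labels are mapped
one-to-one onto the four ISO 27001 levels listed in the text.
"""
from collections import defaultdict, deque

# ISO 27001 levels from the text, least sensitive first.
LEVELS = ["public", "internal", "restricted", "confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed mapping of the chapter's labels onto the four levels.
TIER = {
    "confidential": "platinum",
    "restricted": "gold",
    "internal": "silver",
    "public": "copper",
}
TIER_ORDER = {"platinum": 0, "gold": 1, "silver": 2, "copper": 3}


def propagate(systems, flows):
    """Return the set of data classes each system handles, including data that
    reaches it through flows. `systems` maps name -> set of classes it natively
    holds; `flows` is a list of (source, destination) pairs."""
    handled = {name: set(classes) for name, classes in systems.items()}
    outgoing = defaultdict(list)
    for src, dst in flows:
        outgoing[src].append(dst)
    # Push each system's classes to everything downstream until nothing changes.
    queue = deque(systems)
    while queue:
        node = queue.popleft()
        for dst in outgoing[node]:
            before = len(handled[dst])
            handled[dst] |= handled[node]
            if len(handled[dst]) > before:
                queue.append(dst)
    return handled


def classify(systems, flows):
    """Map each system to its tier: the label of the most sensitive data it handles.
    A system with no data at all is treated as public (copper)."""
    tiers = {}
    for name, classes in propagate(systems, flows).items():
        top = max(classes, key=RANK.get, default="public")
        tiers[name] = TIER[top]
    return tiers


def prioritize(systems, flows):
    """Systems ordered most valuable first, for allocating protection effort."""
    tiers = classify(systems, flows)
    return sorted(tiers, key=lambda n: (TIER_ORDER[tiers[n]], n))


# Constructed sample inventory (hypothetical system names).
SAMPLE_SYSTEMS = {
    "hr-db": {"confidential"},
    "payroll-app": {"restricted"},
    "intranet-wiki": {"internal"},
    "search-index": set(),
    "public-site": {"public"},
    "cdn-cache": set(),
}
SAMPLE_FLOWS = [
    ("hr-db", "payroll-app"),          # payroll reads HR records
    ("intranet-wiki", "search-index"), # wiki pages are indexed for search
    ("public-site", "cdn-cache"),      # site content is cached at the edge
]

if __name__ == "__main__":
    tiers = classify(SAMPLE_SYSTEMS, SAMPLE_FLOWS)
    for name in prioritize(SAMPLE_SYSTEMS, SAMPLE_FLOWS):
        print(f"{tiers[name]:9} {name}")
```

Note that payroll-app is labeled platinum even though it only holds restricted data of its own: the confidential HR records flow into it, so it must be protected at the level of the data it receives, which is exactly the point about the systems that interface with crown jewel information.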

We spend a lot of time trying to figure out how not to get breached. The question we need to ask ourselves is: do we want the thieves to run out with a bag of platinum and gold bars, or with a bag of copper coins?
