Page 337 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Determining Ownership
Many people within an organization manage, handle, and use data,
and they have different requirements based on their roles. Different
documentation refers to these roles a little differently. Some of the
terms you may see match the terminology used in some NIST
documents, and other terms match some of the terminology used in
the European Union (EU) General Data Protection Regulation
(GDPR). When appropriate, we’ve listed the source so that you can dig
into these terms a little deeper if desired.
One of the most important concepts here is ensuring that personnel
know who owns information and assets. The owners have a primary
responsibility of protecting the data and assets.
Data Owners
The data owner is the person who has ultimate organizational
responsibility for data. The owner is typically the chief executive
officer (CEO), president, or a department head (DH). Data owners
identify the classification of data and ensure that it is labeled properly.
They also ensure that it has adequate security controls based on the
classification and the organization’s security policy requirements.
Owners may be liable for negligence if they fail to perform due
diligence in establishing and enforcing security policies to protect and
sustain sensitive data.
NIST SP 800-18 outlines the following responsibilities for the
information owner, which can be interpreted the same as the data
owner.
Establishes the rules for appropriate use and protection of the
subject data/information (rules of behavior)
Provides input to information system owners regarding the
security requirements and security controls for the information
system(s) where the information resides
Decides who has access to the information system and with what