Page 339 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

The system owner is typically the same person as the data owner, but it can sometimes be someone different, such as a different department head (DH). As an example, consider a web server used for e-commerce that interacts with a back-end database server. A software development department might perform database development and database administration for the database and the database server, but the IT department maintains the web server. In this case, the software development DH is the system owner for the database server, and the IT DH is the system owner for the web server. However, it’s more common for one person (such as a single department head) to control both servers, and this one person would be the system owner for both systems.

The system owner is responsible for ensuring that data processed on the system remains secure. This includes identifying the highest level of data that the system processes. The system owner then ensures that the system is labeled accurately and that appropriate security controls are in place to protect the data. System owners interact with data owners to ensure that the data is protected while at rest on the system, in transit between systems, and in use by applications operating on the system.


Business/Mission Owners


The business/mission owner role is viewed differently in different organizations. NIST SP 800-18 refers to the business/mission owner as a program manager or an information system owner. As such, the responsibilities of the business/mission owner can overlap with the responsibilities of the system owner or be the same role.

Business owners might own processes that use systems managed by other entities. As an example, the sales department could be the business owner but the IT department and the software development department could be the system owners for systems used in sales processes. Imagine that the sales department focuses on online sales using an e-commerce website and the website accesses a back-end database server. As in the previous example, the IT department manages the web server as its system owner, and the software development department manages the database server as its system