Page 340 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
owner. Even though the sales department doesn’t own these systems,
it does own the business processes that generate sales using these
systems.
In businesses, business owners are responsible for ensuring that
systems provide value to the organization. This sounds obvious.
However, IT departments sometimes become overzealous and
implement security controls without considering the impact on the
business or its mission.
A potential area of conflict in many businesses is the distinction
between cost centers and profit centers. The IT department doesn’t
generate revenue; it is a cost center. In contrast, the business side
generates revenue as a profit center, and the costs incurred by the IT
department reduce the profits the business side generates. Additionally,
many of the security controls implemented by the IT department reduce
the usability of systems in the interest of security. Taken together,
these factors explain why the business side sometimes views the IT
department as spending money, reducing profits, and making it harder
for the business to generate revenue.
Organizations often implement IT governance methods such as
Control Objectives for Information and Related Technology (COBIT).
These methods help business owners and mission owners balance
security control requirements with business or mission needs.
Data Processors
Generically, a data processor is any system used to process data.
However, in the context of the GDPR, data processor has a more
specific meaning. Article 4 of the GDPR defines a processor as “a
natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.” In this context,
the data controller is the person or entity that determines the
purposes and means of processing the personal data; the processor acts
only on the controller’s instructions.
U.S. organizations previously complied with the U.S.