Page 346 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Administrators typically assign permissions using a Role Based Access Control model. In other words, they add user accounts to groups and then grant permissions to the groups. When users no longer need access to the data, administrators remove their account from the group. Chapter 13, “Managing Identity and Authentication,” covers the Role Based Access Control model in more depth.
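The group-based assignment just described, as an added illustration that is not from the study guide: permissions attach to groups, users inherit them only through membership, and removing a user from a group revokes access with no per-user grant left behind. All group, user and resource names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Minimal group-based RBAC model (constructed for illustration)."""
    # group -> set of (resource, permission) grants
    group_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # user -> set of groups the user currently belongs to
    memberships: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, group: str, resource: str, permission: str) -> None:
        # Permissions are granted to groups only, never to individual users.
        self.group_perms.setdefault(group, set()).add((resource, permission))

    def add_member(self, user: str, group: str) -> None:
        if group not in self.group_perms:
            raise KeyError(f"unknown group {group!r}")
        self.memberships.setdefault(user, set()).add(group)

    def remove_member(self, user: str, group: str) -> None:
        # Leaving the group is the whole revocation step.
        self.memberships.get(user, set()).discard(group)

    def is_allowed(self, user: str, resource: str, permission: str) -> bool:
        # Access derives solely from current membership, so a role change
        # cannot leave a stale per-user grant in place.
        return any((resource, permission) in self.group_perms.get(g, set())
                   for g in self.memberships.get(user, set()))

    def effective_permissions(self, user: str) -> set[tuple[str, str]]:
        """Everything the user can do right now; handy for access reviews."""
        perms: set[tuple[str, str]] = set()
        for g in self.memberships.get(user, set()):
            perms |= self.group_perms.get(g, set())
        return perms


def demo() -> tuple[bool, bool]:
    rbac = Rbac()
    rbac.grant("payroll-analysts", "payroll.db", "read")   # constructed
    rbac.grant("payroll-admins", "payroll.db", "write")    # constructed
    rbac.add_member("alice", "payroll-analysts")            # constructed user
    before = rbac.is_allowed("alice", "payroll.db", "read")
    rbac.remove_member("alice", "payroll-analysts")
    after = rbac.is_allowed("alice", "payroll.db", "read")
    return before, after  # (True, False)
```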
Custodians
Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected. For example, custodians would ensure that the data is backed up in accordance with a backup policy. If administrators have configured auditing on the data, custodians would also maintain these logs.
In practice, personnel within an IT department or system security administrators would typically be the custodians. They might be the same administrators responsible for assigning permissions to data.
Users
A user is any person who accesses data via a computing system to accomplish work tasks. Users have access to only the data they need to perform their work tasks. You can also think of users as employees or end users.
Protecting Privacy
Organizations have an obligation to protect data that they collect and maintain. This is especially true for both PII and PHI data (described earlier in this chapter). Many laws and regulations mandate the protection of privacy data, and organizations have an obligation to learn which laws and regulations apply to them. Additionally, organizations need to ensure that their practices comply with these laws and regulations.
Many laws require organizations to disclose what data they collect, why they collect it, and how they plan to use the information. Additionally, these laws prohibit organizations from using the