Business or Mission Owners
Business Owners and Mission Owners (senior management) create the information security program and ensure that it is properly staffed, funded, and has organizational priority. They are responsible for ensuring that all organizational assets are protected.
Data Owners
The Data Owner (also called information owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup. They focus on the data itself, whether in electronic or paper form. A company with multiple lines of business may have multiple data owners. The data owner performs management duties; custodians perform the hands-on protection of data.
Exam Warning
Do not confuse the Data Owner with a user who “owns” his/her data on a discretionary access control system (see Chapter 6, Domain 5: Identity and Access Management, for more information on DAC, or discretionary access control systems).
The Data Owner (capital “O”) is responsible for ensuring that data is protected. A user who “owns” data (lower case “o”) has read/write access to objects.
System Owner
The System Owner is a manager responsible for the actual computers that house data. This includes the hardware and software configuration, updates, patching, etc. They ensure that the hardware is physically secure, that operating systems are patched and up to date, that the system is hardened, etc. Technical hands-on responsibilities are delegated to Custodians, discussed next.
Note
The difference between a System Owner and a Data Owner is straightforward. The System Owner is responsible for securing the computer hardware and software. The Data Owner is responsible for protecting the data contained within the computer. For example, for a database server, the system owner would secure the hardware and software, including patching the Database Management System (such as MySQL or Oracle). The data owner would secure the data itself: sensitive data contained within database tables, such as Personally Identifiable Information (PII).
Custodian
A Custodian provides hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc. The Custodians follow detailed orders; they do not make critical decisions on how data is protected. The Data Owner may dictate, “All data must be backed up every 24 hours.” The Custodians would then deploy and operate a backup solution that meets the Data Owner’s requirements.
Users
Users must follow the rules: they must comply with mandatory policies, procedures, standards, etc. They must not write their passwords down or share accounts, for example. Users must be made aware of these risks and requirements. You cannot assume they will know what to do, nor assume they are already doing the right thing: they must be told, via information security awareness. They must also be made aware of the penalty for failing to comply with mandatory directives such as policies.