CISSP Information and Asset Ownership – Bk2D2T3

This topic, CISSP Information and Asset Ownership, explains asset protection and classification terminology, data ownership, the role of the information owner, and related roles such as custodian, steward, controller, and processor.

Module Objectives

  1. Understand the importance of establishing accountability and responsibilities for asset and information ownership and custodianship.
  2. Explain accountabilities and responsibilities for protection of assets by owners, custodians, stewards, controllers, and processors.
  3. Explain key terms associated with asset protection.

Asset Protection and Classification Terminology

In organizations, responsibilities for asset management, including data, have become increasingly divided among several roles. Asset management and data management need to include accountabilities and responsibilities for protection of assets based on classification.

There are key roles that are identified in many laws and regulations that dictate certain accountabilities and responsibilities that organizations need to assign. This is especially true of privacy laws that exist around the world, especially in very privacy-aware areas such as Europe.

Laws for the protection of privacy have been enacted worldwide. Regardless of the jurisdiction, privacy laws tend to converge around the principle of allowing the individual to have control over their personal information, including how it is protected while it is being collected, processed, and stored by organizations. For organizations to protect the individual’s personal information according to compliance requirements, they must assign accountability and responsibility properly. Compliance requirements will treat personal information as data that requires protection at every step of its lifecycle, from collection, to processing, to storage, to archiving, and to destruction.


Protection of data requires the clear distinction of roles, accountabilities, and responsibilities to be clearly identified and defined:

  • Data subject: The individual who is the subject of personal data.
  • Data owner: Accountable for determining the value of the data that they own and, therefore, also accountable for the protection of the data. Owners are also accountable for defining policies for access to the data and for clearly defining and communicating the responsibilities for such protection to other entities, including stewards, custodians, and processors.
  • Data controller: In the absence of a “true” owner, especially for personal information that has been collected by organizations belonging to clients and customers, the data controller is assigned the accountability for protecting the value of the information based on proper implementation of controls. The controller, either alone or jointly with others, determines the purposes for which and the manner in which any personal data is to be processed and, therefore, protected.
  • Data steward: Data stewards are commonly responsible for data content, context, and associated business rules within the organization.
  • Data processor: Data processors are the entities that process the data on behalf of the data controller, therefore, they may be given the responsibility to protect the data, although the accountability would always remain with the controller.
  • Data custodian: Data custodians are responsible for the protection of the data while in their custody. That would mean safe custody, transport, storage, and processing of the data and the understanding and compliance to policies in regards to the protection of the data.

Data Ownership

Information ownership is part of data management and protection. It involves many aspects of technology, but it also requires the involved parties to clearly understand their roles and responsibilities.

The objectives of delineating data management roles and responsibilities are to:

  • Clearly define roles associated with functions.
  • Establish data ownership throughout all phases of a project.
  • Instill data accountability.
  • Ensure that adequate, agreed-upon data quality and metadata metrics are maintained on a continuous basis.

As we have seen, information goes through a lifecycle that consists of phases that include creation, use, archiving, and destruction.

Information security controls and activities need to be embedded into the lifecycle phases to protect it. Protection, as we know, includes not only confidentiality, but also integrity and availability. But security activities should also be involved in the last phase of the lifecycle, which is destruction. Defensible destruction is what should happen when the information is no longer needed.

Information Owner

When information is collected or created, someone in the organization needs to be clearly made accountable for it. We refer to this entity as the “owner.” Often, this is the individual or group that created, purchased, or acquired the information to allow the organization to achieve its mission and goals. This individual or group is considered and referred to as the “information owner.”

The information owner, therefore, is in the best position to clearly understand the value, either quantitative or qualitative, of the information. The owner is also accountable for protecting the information based on that value. To determine the correct value, the owner, therefore, has the following accountabilities:

  • Determine the impact the information has on the mission of the organization.
  • Understand the replacement cost of the information (if it can be replaced).
  • Determine which laws and regulations, including privacy laws, may dictate liabilities and accountabilities related to the information.
  • Determine who in the organization or outside of it has a need for the information and under what circumstances the information should be released.
  • Know when the information is inaccurate or no longer needed and should be destroyed.

The organization, as part of good data management, needs to be able to identify the owners of the data. Those data owners then need to be made accountable for the protection of the value of that data.

Data owners generally may have legal rights over the data, along with copyright and intellectual property rights. Data ownership includes the right to use the data to drive corporate decisions, and in situations where the continued maintenance becomes unnecessary or uneconomical, the right to destroy it.

Documentation

It is very important for data owners to establish and document certain expectations that need to be passed on to others, such as custodians, as they relate to the data that is owned by the owners. For instance, these may be examples of documentation:

  • The information and asset ownership, intellectual property rights, and copyright of their data.
  • The obligations that must be met to ensure the data satisfies applicable compliance requirements.
  • The policies for protection of the data, including baselines and access control.
  • The expectations for protection and responsibilities delegated to custodians and others accessing the data.

Data Custodianship

Data custodians, as the word implies, have custody of assets that don’t belong to them, usually for a certain period of time. Those assets belong to owners somewhere else, but the custodians have “custody” of those assets as they may be required for access, decisions, supporting goals, and objectives, etc.

Custodians have the very important responsibility to protect the information while it’s in their custody, according to expectations by the owners as set out in policies, standards, procedures, baselines, and guidelines. It will be up to the security function to ensure that the custodians are supported and advised and have the proper skills, tools, and architectures, etc. to be able to properly protect assets, such as information, while in their custody.

How these aspects are addressed and managed should be in accordance with the defined data policies applicable to the data, as well as any other applicable data stewardship specifications. Typical responsibilities of a data custodian may include the following:

  • Adherence to appropriate and relevant data policies, standards, procedures, baselines, and guidelines as set out by owners and supported by the security function.
  • Ensuring accessibility to appropriate users, maintaining appropriate levels of data security.
  • Fundamental data maintenance, including but not limited to data storage and archiving.
  • Data documentation, including updates to documentation.
  • Assurance of quality and validation of any additions to data, including supporting periodic audits to assure ongoing data integrity.

Difference Between Data Owner/ Controller and Data Custodian/Processor

Based on the definitions that we have seen above, the difference between the data owner and the data custodian is that the owner is accountable for the protection of what they own based on the value of that asset to the organization. In an environment where a controller is required as part of compliance needs, the controller will act as the owner and, therefore, becomes accountable for the protection based on expectations related to legislation and regulations and enforced through policy and the implementation of those policies as standards, procedures, baselines, and guidelines.

In a similar fashion, we have learned that the custodian of data is responsible for the protection of the data while in their custody. The “processor,” therefore, acts as the custodian and is required to adhere to policies, standards, procedures, baselines, and guidelines as described above.

So, we can summarize as follows:

Owners/Controllers:

  • Accountable for the protection of data based on its value to the organization and on relevant national or community laws and regulations.
  • The controller is the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or community laws or regulations, the controller, or the specific criteria for nominating the controller, may be designated by national or community law.

Custodians/Processors:

  • The processor processes data on behalf of the owners or controllers (for example, a cloud provider). The processor is therefore responsible for adherence to policies, standards, procedures, baselines, and guidelines to ensure protection of the data while in their custody, while accountability remains with the owner or controller.