2.3 Provision Resources Securely Flashcards
Who creates or procures an asset?
The Data Owner
What happens if no Data Owner is assigned to an Asset?
No one is accountable for the asset and there’s no drive to make sure these assets are protected by security controls. As such, Security Breaches become more likely to occur.
Are CEOs and The Board considered owners of each organization’s asset?
No. CEOs and The Board are owners of the organzation, but do not own all the assets. Though they are in the best position to promote the need for asset classification and empower the governance committee to set this mandate organization wide.
Who is considered an Asset Owner?
The person who directly interacts with the Asset the most. Due to this intimacy, they best understand the assets value. | For example, the HR Director would likely be the owner of the HR database, even though IT manages the underlying system.
Why wouldn’t IT be considered the HR database owner?
Because IT is considered the Data Custodian as they manage the underlying data systems, but the database content would be best understood by the Director of HR department.
What accountabilities should be clearly Defined for Data Owners?
Classifying and Categorizing Assets, Managing access to assets, and Ensuring appropriate controls are in palce based on asset classification.
Name multiple types of Owners.
Data Owners | Process Owners | System Owners | Product Owners | Service Owners | Hardware Owners | Application Owners | Intellectual Property Owners | etc.
When multiple owners exist for an asset, who is ultimately accountable for the protecting the asset and approving access to it?
All owners belonging to the asset.
Ultimately, what is the goal of any asset owner?
To understtand an assets value to an organization and classify them properly and ensure appropriate protection as they progress through their life-cycle.
Who holds legal rights and defines policies for an asset?
The Data Owner.
What is the role of a Data Processor?
To handle responsibilities, related to processing, on behalf of the data owner.
What is the role of a Data Custodian?
To handle technical responsibilities on behalf of the data owner. This includes custody of system/databases for any period of time. As well, they handle network administration and operations, and for protecting assets in their custody.
What is a Data Steward responsible for?
Ensuring the data adheres to compliance and governance, as well as quality. Essentially, responsible for the business responsibilities passed on by the Data Owner.
What is a Data Subject?
Individual whom the data pertains to.
What is the purpose of an Asset Classification Policy?
To formalize the Asset Classification Process so everyone can follow the set of standards, procedures, baselines, and guidelines necessary for protecting assets.
