Domain 2: Asset Security; Ownership Flashcards

1
Q

What are the five primary information security roles?

A
Business or Mission Owners
Data Owners
System Owners
Custodians
Users
2
Q

What is the responsibility of the Business or Mission Owner (Senior Management)?

A

Create the information security program and ensure it is properly staffed, funded, and has organizational priority. They are responsible for ensuring all organizational assets are protected.

3
Q

What is the Data Owner?

A

A management employee. Data owners determine data sensitivity levels and the frequency of data backup. The data owner performs management duties. Custodians perform the hands-on protection of data.

4
Q

What is the difference between Data Owner and a user who “owns” data?

A

The Data Owner ensures the data is protected. The user who “owns” the data has read/write access to objects.

5
Q

What are the responsibilities of a System Owner?

A

The System Owner is a manager responsible for the actual computers that house data. This includes the hardware and software configuration, including updates, patching, etc. They ensure the system is physically secure, operating systems are patched and up to date, the system is hardened, etc. The technical hands-on responsibilities are delegated to Custodians.

6
Q

Who is responsible for securing the data within a database? The system owner or the data owner?

A

The data owner is responsible for securing the data within a database.

7
Q

What does the Custodian do?

A

The Custodian provides hands-on protection of data. They follow detailed orders from the system owner or data owner; they do not make critical decisions on how data is protected.

8
Q

What are some things users must and must not do?

A

Users must follow the rules: they must comply with mandatory policies, procedures, standards, etc. Users must be made aware of risks and requirements via information security awareness. They must also be made aware of the penalty for failing to comply with mandatory directives such as policies.

9
Q

What is a Data Controller?

A

Data Controllers create and manage sensitive data. Human resource employees are often data controllers. (They create and manage data such as salary and benefit data).

10
Q

What is a Data Processor?

A

Data Processors manage data on behalf of data controllers. An outsourced payroll company is an example of a data processor. They manage payroll data on behalf of the data controller, such as the HR department.

11
Q

How much sensitive information should an organization collect?

A

Organizations should collect the minimum amount of sensitive information that is required.
