Domain 2: Asset Security; Ownership Flashcards
What are the five primary information security roles?
Business or Mission Owners, Data Owners, System Owners, Custodians, and Users.
What is the responsibility of the Business or Mission Owner (Senior Management)?
Senior management creates the information security program and ensures it is properly staffed, funded, and given organizational priority. They are ultimately responsible for ensuring that all organizational assets are protected.
What is the Data Owner?
The Data Owner is a management employee who determines the sensitivity level (classification) of the data and the frequency of data backups. The data owner performs management duties; custodians perform the hands-on protection of the data.
What is the difference between Data Owner and a user who “owns” data?
The Data Owner is accountable for ensuring the data is protected. A user who "owns" data in the access-control sense merely has read/write access to those objects; that ownership carries no management responsibility for protecting them.
What are the responsibilities of a System Owner?
The System Owner is a manager responsible for the actual computers that house the data, including their hardware and software configuration, updates, patching, etc. They ensure the system is physically secure, the operating system is patched and up to date, the system is hardened, etc. The technical hands-on responsibilities are delegated to Custodians.
Who is responsible for securing the data within a database? The system owner or the data owner?
The data owner is responsible for securing the data within a database.
What does the Custodian do?
The Custodian provides the hands-on protection of data. Custodians follow detailed instructions from the system owner or data owner; they do not make critical decisions about how the data is protected.
What are some things users must and must not do?
Users must follow the rules: they must comply with mandatory policies, procedures, standards, etc. Users must be made aware of risks and requirements through information security awareness training, and they must also be made aware of the penalties for failing to comply with mandatory directives such as policies.
What is a Data Controller?
Data Controllers create and manage sensitive data and decide how it is processed. Human resources employees are often data controllers, since they create and manage data such as salary and benefit information.
What is a Data Processor?
Data Processors manage data on behalf of data controllers and only as instructed by them. An outsourced payroll company is an example of a data processor: it manages payroll data on behalf of the data controller, such as the HR department.
How much sensitive information should an organization collect?
Organizations should collect only the minimum amount of sensitive information required for the stated purpose (data minimization); data that is never collected cannot be breached.