Data and system ownership in the CISSP

https://resources.infosecinstitute.com/certification/data-and-system-ownership/

Data owner

The term ‘data owner’ refers to the individuals within an organization who collect the data and define how it is to be classified, used, and measured.

In practice this is the person who is responsible and accountable for a particular set of data. The description is structurally similar to the one given for the term “information owner/steward” in the “Governance Structures” section of Domain Four, which deals with information governance structures, according to the Official (ISC)2 Guide to the HCISPP CBK.

Every set of data must have an owner. Data with no owner has nobody accountable for protecting it, so it tends not to be protected at all. The recommended remedy is information lifecycle management (ILM), a process that assigns an owner and a set of controls to each item of information for as long as it exists.

A data owner is typically the president, the CEO, or a department head (DH). People in this role can be held liable for negligence if they fail to show due diligence in enforcing the security policies that protect sensitive data.

Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. 

It is important to remember that the data owner is ultimately responsible for the data: the owner sets the security requirements and sorts the data into classification labels according to its sensitivity. The owner’s most significant duties are therefore the classification and protection of all data sets. The day-to-day work behind these duties can be delegated (typically to custodians), but the accountability for the data cannot; it stays with the owner.

NIST SP 800-18 sets out several responsibilities for the information owner, as follows:

  • Establish rules for appropriate use and protection of the data
  • Provide input to information system owners on the security requirements and security controls for the systems on which the data reside
  • Decide who is granted access to the data and with what types of privileges. Where discretionary access control (DAC) is used, the owner permits or denies access to individual users or groups of users by maintaining an access control list (ACL)
  • Assist in the identification, implementation, and assessment of security controls

Business owner

This person, together with the mission owner (i.e., senior management), designs the organization’s information security program. They also own the practical, day-to-day aspects of implementing that program, such as funding, staffing (for example, finding security experts or other qualified personnel), and organizational priority. Last but not least, these owners must ensure that every organizational asset is protected.

NIST SP 800-18 sees an overlap in the responsibilities of the business/mission owner and those of the system owners.

System owner

This individual is in charge of one or more systems, each of which may store and process data belonging to several different data owners. A system owner is well placed to participate in drafting security policies, supporting procedures, standards, and baselines, and to disseminate them among the members of a division.

The system owner may also be the manager who supervises and attends to the actual computers that hold the data, meaning the whole package, hardware and software, including patching and updates. Hence, in addition to physically securing the hardware infrastructure, the system owner is responsible for seeing that operating systems are patched and updated and that systems are hardened as far as practicable. The hands-on technical tasks themselves, however, are usually delegated to data custodians.

NIST SP 800-18 envisages the following responsibilities for the system owner:

  • Develop the system security plan in coordination with information owners, the system administrator, and functional end users
  • Ensure the system is deployed and operated according to the agreed-upon security requirements
  • Ensure that system users and support personnel receive training on security and on the rules of behavior (commonly implemented as an acceptable use policy, AUP)
  • Update the system security plan whenever a significant change occurs
  • Assist in the identification, implementation, and assessment of security controls

A system owner is also responsible for building security considerations into development projects and into purchasing decisions about applications and system components, in the spirit of the security-by-design principle. For instance, people in this position are expected to interpret government regulations, follow industry trends, and analyze vendor solutions that may improve the cyber-security of the company as a whole.

Data custodian

A data custodian delivers the technical protection of information assets such as data. Backing up data in line with the company’s backup policy, restoring data, patching systems, and configuring antivirus software are among the most common tasks within a data custodian’s scope of duties.

It should be noted that custodians generally do not make the critical decisions on data protection, since that is one of the major responsibilities of the data owner. Instead, the custodian diligently carries out the owner’s instructions. Consequently, a data custodian is responsible for implementing and maintaining the security controls so that they meet all security requirements, including those set by the data owner.

All in all, the data custodian provides the protection needed to uphold the CIA triad (confidentiality, integrity, and availability). Data custodians also carry out access control functions (granting, modifying, and revoking access) on the data owner’s behalf.

Administrator

This role is often filled by the IT and/or security department. In essence, an administrator grants authorized users appropriate access, based on the principle of least privilege and need-to-know, to the extent they need it to perform their job. As the 7th edition of the CISSP Official Study Guide states, “[a]dministrators typically assign permissions using a role-based access control model. In other words, they add user accounts to groups and then grant permission to the groups. When users no longer need access to the data, administrators remove their account from the group.”

Other significant duties of administrators include checking the integrity of the data, restoring data from backups when necessary, retaining data and records of activity, and carrying out all tasks and obligations specified in the organization’s security policy and/or its guidelines on cyber-security and data protection.
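The two access-control mechanisms mentioned on this page, the owner-maintained DAC access control list from the data-owner section and the group-based (role-based) assignment the administrator uses, are easy to confuse in the abstract. The following is an added example, not code from the article or from any CISSP reference, that models both in a few dozen lines: an ACL with explicit-deny precedence, a directory of group memberships, an access check that combines the two, and an audit that finds permissions granted straight to a user account rather than to a group (the grants that the “remove the account from the group” offboarding step silently misses). All user, group, and right names are constructed for illustration.

```python
"""Added example: DAC access control lists combined with group (role) based
permission assignment. Constructed for illustration; not the article's code."""
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Discretionary ACL maintained by a data owner for one object.

    An explicit deny for any principal the user matches wins over every allow,
    which is the usual DAC convention and keeps the owner's revocations effective
    even when a broad group grant exists.
    """
    allow: dict[str, set[str]] = field(default_factory=dict)  # principal -> rights
    deny: dict[str, set[str]] = field(default_factory=dict)   # principal -> rights

    def grant(self, principal: str, *rights: str) -> None:
        self.allow.setdefault(principal, set()).update(rights)

    def deny_rights(self, principal: str, *rights: str) -> None:
        self.deny.setdefault(principal, set()).update(rights)


class Directory:
    """Group membership, the part the administrator maintains (RBAC via groups)."""

    def __init__(self) -> None:
        self.members: dict[str, set[str]] = {}  # group -> users

    def add_to_group(self, user: str, group: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def remove_from_group(self, user: str, group: str) -> None:
        # Offboarding step: access is withdrawn by leaving the group, not by editing ACLs.
        self.members.get(group, set()).discard(user)

    def groups_of(self, user: str) -> set[str]:
        return {g for g, users in self.members.items() if user in users}


def is_allowed(acl: Acl, directory: Directory, user: str, right: str) -> bool:
    """DAC check: the user's own entry plus every group they belong to; deny wins."""
    principals = {user} | directory.groups_of(user)
    if any(right in acl.deny.get(p, set()) for p in principals):
        return False
    return any(right in acl.allow.get(p, set()) for p in principals)


def direct_user_grants(acl: Acl, directory: Directory) -> dict[str, list[str]]:
    """Audit: allow entries keyed by an individual account instead of a group.

    These bypass the group model, so removing the account from its groups
    leaves the access in place. An administrator should migrate them to groups.
    """
    groups = set(directory.members)
    return {p: sorted(r) for p, r in acl.allow.items() if p not in groups}


def build_demo() -> tuple[Directory, Acl]:
    """Constructed sample: a payroll dataset with two groups and one stray direct grant."""
    d = Directory()
    d.add_to_group("alice", "payroll-readers")
    d.add_to_group("bob", "payroll-readers")
    d.add_to_group("bob", "payroll-editors")
    acl = Acl()
    acl.grant("payroll-readers", "read")
    acl.grant("payroll-editors", "read", "write")
    acl.grant("carol", "read")            # direct grant to an account, not a group
    acl.deny_rights("alice", "write")     # owner's explicit deny, regardless of groups
    return d, acl


if __name__ == "__main__":
    d, acl = build_demo()
    for user, right in [("alice", "read"), ("alice", "write"), ("bob", "write"), ("carol", "read")]:
        print(f"{user:6} {right:5} -> {is_allowed(acl, d, user, right)}")
    d.remove_from_group("bob", "payroll-editors")   # bob changes role
    print("bob write after offboarding from editors ->", is_allowed(acl, d, "bob", "write"))
    print("direct grants needing cleanup:", direct_user_grants(acl, d))
```

The audit function is the part worth keeping: in real directories, grants made directly to accounts are exactly the permissions that survive a role change, which is why the study guide’s advice to grant to groups only works if someone checks that nobody has quietly done otherwise.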

Security/Network/System Administrator

User

Any other person, outside the roles enumerated so far, who is legitimately allowed to access the system. Users are normally given just enough access to perform the tasks required by their job position (again under the principle of least privilege).

Being merely a user does not exempt someone from the obligation to learn the organization’s security policy and uphold it by following all security procedures. Generally speaking, each user must abide by the mandatory rules, policies, standards, procedures, and so on. For instance, they must not share the personal accounts issued to them or divulge their passwords. Users should therefore be made aware of the risks associated with breaching these policies and procedures, and they should also be told the consequences of non-compliance.

Data controller and data processor

Under Article 2(d) of the EU Data Protection Directive (Directive 95/46/EC), a data controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data […].” Clearly, the data controller holds a position of great responsibility in EU data protection legislation.

It is a common mistake to confuse data processors with data controllers. A good illustration of the major difference between the two roles is the one provided by the Data Protection Commissioner of Ireland: “[…] if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a ‘data processor’“. A document by the Article 29 Data Protection Working Party, the EU body that periodically issued interpretations of data protection norms under the Directive, clarifies the concepts of data processor and data controller: “…two basic conditions for qualifying as processor are on the one hand being a separate legal entity with respect to the controller and on the other hand processing personal data on his behalf.”

Real-life examples of data processors are market research firms, accounting agencies, and payroll companies. An entity can hold both roles at once: “a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies,” states the Data Protection Commissioner of Ireland.

Organizations from the United States often process the personal information of EU citizens, and in doing so they become “data controllers” or “data processors” within the meaning of the EU Data Protection Directive. Under the Directive’s rules on transfers to third countries (the “adequacy” requirement), even organizations outside the EU must meet the Directive’s standards when processing the personal data of EU citizens. As concerns EU-U.S. data transfers, on 12 July 2016 the European Commission adopted the decision entitled “EU-U.S. Privacy Shield,” which in effect replaced the Safe Harbor mechanism struck down by the European Court of Justice in October 2015 in the wake of the Snowden revelations.

This framework for transatlantic exchanges of EU citizens’ personal data promises, among other things, “regular reviews,” “effective supervision mechanisms,” “tightened conditions for onward transfers,” and “limitation of data retention.” The main principles of the framework are: 1. Notice, 2. Choice, 3. Accountability for onward transfers, 4. Security, 5. Data integrity and purpose limitation, 6. Access, 7. Recourse, enforcement, and liability.

U.S. companies must apply to be placed on the Privacy Shield list and self-certify that they meet the data protection standards laid down by the arrangement. The registration has to be renewed annually. (The Privacy Shield decision was itself invalidated by the Court of Justice of the EU in July 2020, in the Schrems II judgment, so the framework described here no longer provides a lawful transfer basis.)

It should also be noted that the EU Data Protection Directive was replaced by the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and carries over the controller and processor concepts described above.
