CISM Exam: Who should enforce access rights to application data?

D.

As custodians, security administrators are responsible for enforcing access rights to data.

Data owners are responsible for approving these access rights.

Business process owners are sometimes the data owners as well, and would not be responsible for enforcement.

The security steering committee would not be responsible for enforcement.

The responsibility for enforcing access rights to application data should ultimately lie with the data owners. Data owners are individuals or groups within an organization who are responsible for the creation, maintenance, and management of specific sets of data. They are best equipped to determine the appropriate level of access required for their data and to grant permissions accordingly.

While business process owners and security administrators may have a role in managing access to application data, they are not the ultimate decision-makers. Business process owners may have input into access requirements based on their knowledge of how the data is used within specific business processes. Security administrators may be responsible for implementing technical controls to enforce access rights, but they do not have the authority to make decisions regarding who should have access to specific data.

The security steering committee may be involved in setting overall policies and standards related to access management, but they are not typically involved in the day-to-day management of access to specific application data. Their role is to provide oversight and guidance to ensure that access controls are consistent with the organization's overall security strategy.

Therefore, while different individuals or groups may have a role to play in managing access to application data, the ultimate responsibility should lie with the data owners. They are best equipped to make decisions based on their knowledge of the data and its importance to the organization.