Who is mainly responsible for protecting information assets they have been entrusted with on a daily basis by defining who can access the data, its sensitivity level, and the type of access, while adhering to corporate information security policies?
A. B. C. D.A.
The Data Owner is the person who has been entrusted with a data set that belongs to the company.
As such, they are responsible for classifying the data according to its value and sensitivity.
The Data Owner decides who will get access to the data and what type of access will be granted.
The Data Owner tells the Data Custodian or System Administrator what access to configure within the systems.
A business executive or manager is typically responsible for an information asset.
These are the individuals that assign the appropriate classification to information assets.
They ensure that the business information is protected with appropriate controls.
Periodically, the information asset owners need to review the classification and access rights associated with information assets.
The owners, or their delegates, may be required to approve access to the information.
Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information.
Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.
The following answers are incorrect:
Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets.
The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization.
The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors.
The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.
End User - The end user does not decide on the classification of the data.
Reference: CISA Review Manual 2014, page 108; Official ISC2 Guide to the CISSP CBK, 3rd Edition, page 342.
The primary responsibility for protecting information assets lies with the data owner. The data owner is typically the business unit manager or department head who has the responsibility for the data and has been given the authority to make decisions about how the data is collected, processed, and used.
The data owner is responsible for defining the sensitivity level of the data, who should have access to it, and the type of access that is required. The owner must also adhere to the corporate information security policies that have been established to protect the data.
The security officer is responsible for enforcing the corporate information security policies and ensuring that the data is protected against unauthorized access, modification, or disclosure. Senior management is responsible for providing the resources and support required to implement and maintain an effective information security program.
Finally, the end user is responsible for using the data appropriately and following the established policies and procedures. The end user should be aware of the sensitivity of the data they are accessing and take appropriate measures to protect it from accidental or intentional disclosure or misuse.
In summary, while all four options play a role in protecting information assets, the primary responsibility lies with the data owner, who defines the access rights and sensitivity level of the data and ensures adherence to corporate policies.