...
Access to IT services must be controlled through a formal user registration and de-registration process. Ensure that:
- On appointment, personnel are allocated access rights that are acceptable to the Information owner.
(Wright, 2008, p. 365)
Information owner — Business executive or business manager who is responsible for a company business information asset. Responsibilities include, but are not limited to:
— Assign initial information classification and periodically review the classification to ensure it still meets the business needs
— Ensure security controls are in place commensurate with the classification
— Review and ensure currency of the access rights associated with information assets they own
— Determine security requirements, access criteria, and backup requirements for the information assets they own
— Perform or delegate, if desired, the following:
- Approval authority for access requests from other business units or assign a delegate in the same business unit as the executive or manager owner
- Backup and recovery duties or assign to the custodian
- Approval of the disclosure of information
- Act on notifications received concerning security violations against their information assets
(Tipton and Krause, 2007, p. 228)
An information asset is an atomic piece of information that has meaning to the organization or the individual. Information assets have an owner. The information assets of a business organization are owned by a business owner, and those of an individual are owned by the actual individual. Organizations delegate the responsibility of protecting information assets to the IT department, the Information Security department, or the Information Risk Management department; individuals typically protect their own resources, but they may interact with other individuals and organizations, and may seek advice or transfer protection responsibilities to other individuals and organizations.
Whoever is managing protection is considered a custodian of the information asset; however, the owner is still responsible for valuating information, posing requirements for information protection, ensuring that information is protected by following defined procedures for information protection and auditing the protection mechanisms in place. The custodian is responsible for defining security protection mechanisms that meet the requirements of the information owner.
...